Skip to content

Azure Entra ID

FeatureSupport
OAuth2/OIDC clients✅ Full
SAML clients✅ Full
Resource servers❌ Not supported
Client cloning✅ Full
  1. Register an application in Entra ID

    In the Microsoft Entra admin center, go to App registrations → New registration.

    • Name: Taco Management (or any name you prefer)
    • Supported account types: Accounts in this organizational directory only
    • Click Register

    Note the Application (client) ID and Directory (tenant) ID from the overview page.

  2. Create a client secret

    Go to the app registration → Certificates & secrets → New client secret. Enter a description and expiration period, then copy the Value immediately — it is only shown once.

  3. Grant API permissions

    Go to API permissions → Add a permission → Microsoft Graph → Application permissions and grant:

    • Application.ReadWrite.All — create, update, and delete app registrations (OAuth2/OIDC clients)
    • Application.ReadWrite.OwnedBy — alternative, narrower scope if you restrict Taco to apps it created itself

    After adding permissions, click Grant admin consent for your tenant.

  4. Set environment variables

    Terminal window
    OPENID_PROVIDER=entra
    ENTRA_TENANT_ID=your-tenant-id
    ENTRA_CLIENT_ID=your-client-id
    ENTRA_CLIENT_SECRET=your-client-secret
    # Default: AzureADMyOrg
    ENTRA_SIGN_IN_AUDIENCE=AzureADMyOrg
  • Grant types map to Entra’s OAuth2 permission grants and app manifest flags; Taco tags each client with taco:grant:* tags to track the mapping since Entra does not model grant types as a first-class field.
  • SAML clients are represented as an Entra enterprise application (service principal) linked to the app registration, using a fixed SAML gallery template (SAML_TEMPLATE_ID).
  • Resource servers are not modeled by Taco for this provider — manage API exposure (identifierUris, app roles, exposed scopes) directly in the Entra portal.

To protect the Taco dashboard with Entra ID SSO, register a separate application (web platform, authorization code flow):

Terminal window
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://login.microsoftonline.com/{tenant-id}/v2.0
AUTH_CLIENT_ID=your-oidc-app-client-id
AUTH_CLIENT_SECRET=your-oidc-app-client-secret

Add <BASE_URL>/api/auth/callback/oidc to the application’s Redirect URIs.