
Azure AD

Configuring Azure Active Directory as an external login lets your Users log in to their existing account, but they will not be able to create a new account through this external login.

In order to provide External Authentication, you must create and properly configure an Identity Provider. Before you get started ...

  • Confirm you have System Administrator rights to the Platform and Administrative rights to Azure Portal > Active Directory
  • Log in to the Platform and Azure. Pro tip: Stay logged in to both the Platform and Azure while you're setting up authentication.

Register Your Azure Active Directory

  1. Admin > Active Directory > App Registrations
  2. New Registration
  3. Name your Application
  4. Select Your account type. Note: You'll need to choose one of the two supported account types:
    • Option 1: Accounts in this organizational directory only (Default Directory only - single-tenant)
    • Option 2: Accounts in any organizational directory (Any Azure AD directory - multitenant) and personal Microsoft Accounts (for example, Skype or Xbox)
  5. Add your Redirect URI
    • Select "Web" from the dropdown menu
    • Add your Platform URL (for example, https://ministryplatform.com/mp)
  6. Register > Overview (you'll be redirected to a successful landing page)
  7. Copy the Application [Client] ID (you'll need this when it's time to configure the Platform)

Create an Identity Provider Record in the Platform

  1. Administration > Identity Providers.
  2. Create a New record:
    • Display Name: Azure AD
    • Provider Type: OAuth 2.0 / OpenID Connect
    • Client ID: The Application [Client] ID you copied from Azure
    • Client Secret: leave blank for now
    • Metadata Address:
      • Go back to your newly created Azure registry
      • Overview > Endpoints > OpenID Connect Metadata Document
      • Copy the URL
      • Paste the URL into the Metadata Address field
    • Is Public: Yes
  3. Save. (This will generate the Identity Provider Unique ID GUID.)
  4. Edit.
  5. Settings: Add the Redirect URI Endpoint as shown below, using the Identity Provider Unique ID GUID that was generated when you saved the record.
  6. Save.

     {"RedirectUri":"https://{your domain}/ministryplatformapi/oauth/callback/[Identity Provider Unique ID GUID]"}

     For example:

     {"RedirectUri":"https://test.ministryplatform.net/ministryplatformapi/oauth/callback/2F7E65D6-080F-4ADA-96D0-5529EE8C5143"}

Final Steps

Add Your Redirect URI Endpoint to Azure

  1. Copy the Redirect URI Endpoint from the Settings field on the Identity Provider record in the Platform
  2. Default Directory > Overview > Redirect URI > Click on value to update
  3. Paste the Redirect URI Endpoint you copied from the Platform. The Redirect URI in Azure should match the Redirect URI Endpoint in the Platform.
  4. Enable Access tokens (used for implicit flows)
  5. Enable ID tokens (used for implicit and hybrid flows)
  6. Save

Create & Add Your Client Secret

  1. Azure > Default Directory > Overview > Client Credentials
  2. Click Add a Certificate or Secret
  3. New Client Secret
    • Description: Your Church Name
    • Expires: 24 Months
  4. Add
  5. Copy the value GUID
  6. Platform > Administration > Identity Providers > Azure AD
  7. Edit
  8. Paste the Client Secret you copied from Azure into the Client Secret field on the Identity Provider record.
  9. Save

Restart the Auth App

  1. Platform > User Account (click on your picture in the upper right corner)
  2. Select Restart Auth App

Confirm the Azure AD Option Appears

Once complete, a button for Azure AD will appear on your Platform login page.
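As an added example (not part of the original article and not Platform or Azure tooling), the following Python script checks that an Identity Provider record and the Azure redirect URI are consistent with the steps above, catching the usual failures: blank Client Secret, malformed Settings JSON, and a Redirect URI that differs between Azure and the Platform. The record is a dict keyed by the article's field names; the "Domain" key, the shape of the login.microsoftonline.com metadata URL, and the Client ID, secret and tenant values are assumptions or placeholders.

```python
import json
import re
from urllib.parse import urlparse

CALLBACK_PATH = "/ministryplatformapi/oauth/callback/"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# Standard OpenID Connect discovery path; the Azure metadata document URL ends with it.
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

def redirect_uri_endpoint(domain: str, provider_guid: str) -> str:
    """Redirect URI Endpoint exactly as the article's Settings field expects it."""
    return f"https://{domain}{CALLBACK_PATH}{provider_guid}"

def settings_value(domain: str, provider_guid: str) -> str:
    """JSON string to paste into the Identity Provider record's Settings field."""
    return json.dumps({"RedirectUri": redirect_uri_endpoint(domain, provider_guid)})

def check_provider(record: dict, azure_redirect_uri: str) -> list:
    """Return problems found in an Identity Provider record ([] means consistent)."""
    problems = []
    if not GUID_RE.match(record.get("Client ID", "")):
        problems.append("Client ID must be the Application (client) ID GUID copied from Azure")
    if not record.get("Client Secret"):
        problems.append("Client Secret is blank; finish 'Create & Add Your Client Secret'")
    meta = urlparse(record.get("Metadata Address", ""))
    if meta.scheme != "https" or not meta.path.endswith(DISCOVERY_SUFFIX):
        problems.append("Metadata Address must be the https OpenID Connect metadata document URL")
    try:
        platform_uri = json.loads(record.get("Settings", ""))["RedirectUri"]
    except (ValueError, KeyError, TypeError):
        problems.append('Settings must be JSON of the form {"RedirectUri": "..."}')
        return problems
    expected = redirect_uri_endpoint(record.get("Domain", ""), record.get("Identity Provider Unique ID", ""))
    if platform_uri != expected:
        problems.append(f"Settings RedirectUri should be {expected}")
    # Azure matches redirect URIs exactly; http vs https or a different GUID means login fails.
    if azure_redirect_uri != platform_uri:
        problems.append("Azure Redirect URI does not match the Platform Redirect URI Endpoint")
    return problems

# Constructed sample using the article's example domain and GUID; other values are placeholders.
SAMPLE = {
    "Domain": "test.ministryplatform.net",
    "Identity Provider Unique ID": "2F7E65D6-080F-4ADA-96D0-5529EE8C5143",
    "Client ID": "00000000-0000-0000-0000-000000000000",
    "Client Secret": "<client-secret-value>",
    "Metadata Address": "https://login.microsoftonline.com/<tenant-id>/v2.0" + DISCOVERY_SUFFIX,
    "Settings": settings_value("test.ministryplatform.net", "2F7E65D6-080F-4ADA-96D0-5529EE8C5143"),
}
```

Run `check_provider(SAMPLE, "<the Redirect URI you pasted into Azure>")` after the final Save; an empty list means the two sides agree.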