
1.1 — Create the Enterprise Application

  1. Sign in to the Entra Portal
  2. In the left sidebar, click Enterprise applications
  3. Click New application (top left)
  4. Click Create your own application
  5. Give it a name — we recommend “TOTAL”
  6. Select “Integrate any other application you don’t find in the gallery”
  7. Click Create

1.2 — Register the Application to Get Credentials

You now need to create an App Registration, which is where Azure issues the credentials TOTAL uses to verify sign-ins.
  1. In the Azure search bar, search for App registrations and open it
  2. Find the app you just created and click it (it should appear under “All applications”)
  3. You are now on the app registration page. From the left sidebar:
Collect your Tenant ID and Client ID:
  • Click Overview
  • Copy the Application (client) ID — enter into the TOTAL enrollment console
  • Copy the Directory (tenant) ID — enter into the TOTAL enrollment console
Create a Client Secret:
  • Click Certificates & secrets in the left sidebar
  • Click New client secret
  • Enter a description (e.g. “TOTAL integration”) and choose an expiry (24 months recommended). Record the expiry date: once the secret expires, Microsoft rejects TOTAL’s token requests and sign-in stops until a new secret is created and entered into TOTAL.
  • Click Add
  • Copy the secret Value immediately (the Value column, not the Secret ID next to it) — it is only shown once. If you navigate away, you must create a new one.
  • Save this value and enter it into the TOTAL enrollment console
Configure the Redirect URI (where Microsoft sends users after sign-in):
  • Click Authentication in the left sidebar
  • Click Add Redirect URI → select Web
  • In the Redirect URIs field, enter the value exactly as shown in the TOTAL Enrollment console (it will look like https://app.yourtotal.com/auth/oidc/callback). Microsoft matches this value byte for byte, including scheme, host, path and any trailing slash; a mismatch is rejected at sign-in with an AADSTS50011 redirect URI error.
  • Click Configure, then Save
Grant API permissions (required for sign-in and provisioning to work):
  • Click API permissions in the left sidebar
  • Click Add a permission → Microsoft Graph
  • Click Delegated permissions
  • Search for and add: openid, profile, email, GroupMember.Read.All
  • Click Add permissions
  • GroupMember.Read.All is a delegated permission that requires admin consent. Click Grant admin consent for <your tenant> above the permissions list and confirm. Until this is done, users who are not administrators are stopped at a “Need admin approval” prompt during sign-in.
These scopes are required; without them, sign-in will fail. Why each one is needed:
  • openid — required for Microsoft to issue an ID token at all. TOTAL identifies each user by the Object ID (oid) claim in that token, which stays the same even if the user is renamed.
  • profile / email — add the user’s name and username (preferred_username) claims and the user’s email address claim to the token.
  • GroupMember.Read.All — lets TOTAL call Microsoft Graph on the signed-in user’s behalf to read that user’s group memberships, so group-based access can be confirmed immediately at sign-in rather than waiting for a provisioning sync.
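To see how the values collected above fit together, here is an added example (not TOTAL’s code or Microsoft’s) that builds the authorization request TOTAL would send the browser to with the four scopes, checks that a redirect URI matches the registered one exactly, and validates the claims of the ID token that comes back (issuer, audience, tenant, nonce, oid, email, expiry). The tenant ID, client ID, redirect URI, nonce and the sample ID token are constructed stand-ins; the signature segment of the sample token is a placeholder, since real tokens are RS256-signed and must be verified against the tenant’s signing keys before any claim is trusted.

```python
"""Offline checks for the TOTAL <-> Entra ID OIDC setup described above.

Added example: this is not TOTAL's code or Microsoft's. The tenant ID, client
ID, redirect URI, nonce and the sample ID token below are constructed values.
"""
import base64
import json
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
# The four delegated Microsoft Graph scopes granted in step 1.2.
SCOPES = ["openid", "profile", "email", "GroupMember.Read.All"]

# Constructed stand-ins for the values copied from the portal (not real IDs).
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_REDIRECT_URI = "https://app.yourtotal.com/auth/oidc/callback"


def authorize_url(tenant_id, client_id, redirect_uri, state, nonce):
    """Build the v2.0 authorization-code request the browser is sent to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,   # CSRF binding, checked when the browser comes back
        "nonce": nonce,   # replay binding, must reappear in the ID token
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def redirect_uri_matches(registered, requested):
    """Entra compares redirect URIs exactly: scheme, host, path, trailing slash."""
    return registered == requested


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(id_token):
    """Return the payload of a compact JWT (no signature check here; see the note)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_id_token_claims(claims, tenant_id, client_id, nonce, now=None):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"{AUTHORITY}/{tenant_id}/v2.0":
        problems.append("iss: not issued by the configured tenant")
    if claims.get("aud") != client_id:
        problems.append("aud: not issued to this client ID")
    if claims.get("tid") != tenant_id:
        problems.append("tid: tenant ID mismatch")
    if claims.get("nonce") != nonce:
        problems.append("nonce: does not match the authorize request")
    if not claims.get("oid"):
        problems.append("oid: missing, TOTAL cannot identify the user")
    if not claims.get("email"):
        problems.append("email: missing, check the email scope was granted")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        problems.append("exp: token expired or missing")
    return problems


def sample_id_token(**overrides):
    """Construct an ID token with the claim shape the v2.0 endpoint returns.

    The signature segment is a placeholder (constructed sample); real tokens
    are RS256-signed and must be verified against the tenant's JWKS first.
    """
    claims = {
        "iss": f"{AUTHORITY}/{SAMPLE_TENANT_ID}/v2.0",
        "aud": SAMPLE_CLIENT_ID,
        "tid": SAMPLE_TENANT_ID,
        "oid": "99999999-8888-7777-6666-555555555555",
        "email": "jane.doe@example.com",
        "preferred_username": "jane.doe@example.com",
        "name": "Jane Doe",
        "nonce": "n-0S6_WzA2Mj",
        "iat": 1700000000,
        "exp": 1700003600,
    }
    claims.update(overrides)
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    print(authorize_url(SAMPLE_TENANT_ID, SAMPLE_CLIENT_ID, SAMPLE_REDIRECT_URI, "s1", "n-0S6_WzA2Mj"))
    claims = decode_claims(sample_id_token())
    print(check_id_token_claims(claims, SAMPLE_TENANT_ID, SAMPLE_CLIENT_ID, "n-0S6_WzA2Mj", now=1700000100))
```

In production the signature is verified against the keys published for the tenant at https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys before any of these claim checks run; an unsigned or wrongly signed token must be rejected regardless of its claims. The aud and tid checks are what stop a token minted for another application, or by another tenant, from being accepted as a TOTAL sign-in.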