# 1. Create the TOTAL Application in Azure

### 1.1 — Create the Enterprise Application

1. Sign in to the [Entra Portal](https://entra.microsoft.com/#home)
2. In the left sidebar, click **Enterprise applications**
   <Frame>
     <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-19.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=0e492c8f4358e4c43d83233a4d677ac0" alt="Image" width="227" height="516" data-path="images/image-19.png" />
   </Frame>
3. Click **New application** (top left)
   <Frame>
     <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-20.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=b5f004dd2c2d3831e8bed6c82d5a1f70" alt="Image" width="1130" height="270" data-path="images/image-20.png" />
   </Frame>
4. Click **Create your own application**
   <Frame>
     <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-21.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=f00d4bab5ef8b0c6781a0acc179c4968" alt="Image" width="1106" height="707" data-path="images/image-21.png" />
   </Frame>
5. Give it a name — we recommend **"TOTAL"**
6. Select **"Integrate any other application you don't find in the gallery"**
7. Click **Create**
   <Frame>
     <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-23.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=a21c1a775cebc9744f75ea910094ef7c" alt="Image" width="495" height="712" data-path="images/image-23.png" />
   </Frame>

### 1.2 — Register the Application to Get Credentials

You now need to create an App Registration, which is where Azure issues the credentials TOTAL uses to verify sign-ins.

1. In the Azure search bar, search for **App registrations** and open it
   <Frame>
     <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-24.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=c1b96ae7c479cd0476553d66f2d40d84" alt="Image" width="229" height="450" data-path="images/image-24.png" />
   </Frame>
2. Find the app you just created and click it (it should appear under "All applications")
   <Frame>
     <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-25.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=3de20b8d6c20bc61d0ce4b76429d4219" alt="Image" width="1128" height="476" data-path="images/image-25.png" />
   </Frame>
3. You are now on the app registration page. From the left sidebar:

**Collect your Tenant ID and Client ID:**

* Click **Overview**
  <Frame>
    <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-26.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=50eab9ccbc80a6ed21de76dee1df190f" alt="Image" width="1100" height="529" data-path="images/image-26.png" />
  </Frame>
* Copy the **Application (client) ID** and enter it into the TOTAL enrollment console
* Copy the **Directory (tenant) ID** and enter it into the TOTAL enrollment console

**Create a Client Secret:**

* Click **Certificates & secrets** in the left sidebar
* Click **New client secret**
  <Frame>
    <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-27.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=15ab2ddb471682db1c5cda320f1a090a" alt="Image" width="1111" height="556" data-path="images/image-27.png" />
  </Frame>
* Enter a description (e.g. "TOTAL integration") and choose an expiry (24 months recommended)
* Click **Add**
* **Copy the secret Value immediately** — it is only shown once. If you navigate away, you must create a new one.
  <Frame>
    <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-28.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=d67859b19e509719c3e3a6b5f6d4d0f3" alt="Image" width="857" height="102" data-path="images/image-28.png" />
  </Frame>
* Save this value and enter it into the TOTAL enrollment console

**Configure the Redirect URI (where Microsoft sends users after sign-in):**

* Click **Authentication** in the left sidebar
* Click **Add Redirect URI** → select **Web**
  <Frame>
    <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-29.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=628d41bb4c7579394b15e6a7b7597942" alt="Image" width="1124" height="720" data-path="images/image-29.png" />
  </Frame>
* In the **Redirect URIs** field, enter the value given in the TOTAL enrollment console (it will look like `https://app.yourtotal.com/auth/oidc/callback`).
* Click **Configure**, then **Save**
  <Frame>
    <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-30.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=05c4cf04e87d2971c4001215a1119a69" alt="Image" width="489" height="708" data-path="images/image-30.png" />
  </Frame>

**Grant API permissions (required for sign-in and provisioning to work):**

* Click **API permissions** in the left sidebar
* Click **Add a permission** → **Microsoft Graph**
  <Frame>
    <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-31.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=adb1c8d59df609e8658eb42d4f754cce" alt="Image" width="1114" height="714" data-path="images/image-31.png" />
  </Frame>
* Click **Delegated Permissions**
  <Frame>
    <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-32.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=3993d541aa4c3e4933db3bc7d4387113" alt="Image" width="494" height="250" data-path="images/image-32.png" />
  </Frame>
* Search for and add: `openid`, `profile`, `email`
  <Frame>
    <img src="https://mintcdn.com/truu-2/3LLfmLFet64q30Kk/images/image-33.png?fit=max&auto=format&n=3LLfmLFet64q30Kk&q=85&s=84184e96e8f2675d18fc2de818019f82" alt="Image" width="701" height="472" data-path="images/image-33.png" />
  </Frame>
* Click **Add permissions**
* Navigate back to the "Overview" screen and, again, click **Add a permission** → **Microsoft Graph**
  <Frame>
    <img src="https://mintcdn.com/truu-2/lysPZKP2ACPZg67h/images/image-116.png?fit=max&auto=format&n=lysPZKP2ACPZg67h&q=85&s=0f02dfeb38e80bf1ecab35df8a4dfd05" alt="Image" width="1114" height="714" data-path="images/image-116.png" />
  </Frame>
* Click **Application Permissions**
  <Frame>
    <img src="https://mintcdn.com/truu-2/lysPZKP2ACPZg67h/images/image-113.png?fit=max&auto=format&n=lysPZKP2ACPZg67h&q=85&s=9a89bf4befc319448619b8147ef2b05a" alt="Image" width="494" height="250" data-path="images/image-113.png" />
  </Frame>
* Search for and add: `User.ReadBasic.All`, `GroupMember.Read.All`
  <Frame>
    <img src="https://mintcdn.com/truu-2/lysPZKP2ACPZg67h/images/image-115.png?fit=max&auto=format&n=lysPZKP2ACPZg67h&q=85&s=453f937a92ccce1710d2319d31bb55f7" alt="Image" width="1012" height="674" data-path="images/image-115.png" />
  </Frame>
  <Frame>
    <img src="https://mintcdn.com/truu-2/xaR211b3DL0oSs-p/images/image-55.png?fit=max&auto=format&n=xaR211b3DL0oSs-p&q=85&s=4653f2aafc8c401c4089211c42e15244" alt="Image" width="1674" height="306" data-path="images/image-55.png" />
  </Frame>
* Click **Add permissions**

> These scopes are required. `profile` tells Azure to include the user's Object ID (`oid`) in the sign-in token, which is how TOTAL identifies each user. `email` includes their email address. Without these, sign-in will fail.
>
> **Why these are required:**
>
> * `profile` / `email` / `openid` — required for sign-in. `profile` includes the user's Object ID (`oid`), which is how TOTAL identifies each user.
> * `GroupMember.Read.All` — required so TOTAL can query Microsoft Graph to check whether a user belongs to certain groups when it needs to confirm access immediately.
> * `User.ReadBasic.All` — required so TOTAL can query Microsoft Graph for users' basic directory profile (for example, name and UPN) when it needs to resolve or show who someone is.

* Click **Grant Admin Consent** to apply changes

<Frame>
  <img src="https://mintcdn.com/truu-2/lysPZKP2ACPZg67h/images/image-117.png?fit=max&auto=format&n=lysPZKP2ACPZg67h&q=85&s=a31fa799c0b3f731c35410591fa8ae70" alt="Image" width="1011" height="280" data-path="images/image-117.png" />
</Frame>
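
Once consent is granted, the tokens Entra issues for this registration should carry exactly what the steps above configured. The following check is an added example, not part of TOTAL or its documentation: it decodes token payloads for inspection only (no signature verification) and reports any deviation from the tenant ID, client ID, `oid`/`email` claims and the two application permissions named on this page. The tenant and client IDs and all sample tokens are constructed; `tid`, `aud`, `appid`/`azp`, `roles`, `oid` and `email` are standard Entra token claims.

```python
import base64
import json

EXPECTED_ROLES = {"User.ReadBasic.All", "GroupMember.Read.All"}  # application permissions named on this page

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_app_token(token, tenant_id, client_id):
    """Findings for an app-only (client credentials) Microsoft Graph token."""
    c, out = jwt_claims(token), []
    if c.get("tid") != tenant_id:
        out.append("tid does not match the Directory (tenant) ID")
    if client_id not in (c.get("appid"), c.get("azp")):  # v1.0 / v2.0 claim name
        out.append("token was not issued to the Application (client) ID")
    roles = set(c.get("roles", []))
    out += [f"missing application permission: {r}" for r in sorted(EXPECTED_ROLES - roles)]
    out += [f"unexpected application permission: {r}" for r in sorted(roles - EXPECTED_ROLES)]
    return out

def audit_id_token(token, tenant_id, client_id):
    """Findings for a user's sign-in (ID) token."""
    c, out = jwt_claims(token), []
    if c.get("aud") != client_id:
        out.append("aud does not match the Application (client) ID")
    if c.get("tid") != tenant_id:
        out.append("tid does not match the Directory (tenant) ID")
    if not c.get("oid"):
        out.append("no oid claim: check the profile scope")
    if not c.get("email"):
        out.append("no email claim: check the email scope and the user's mail attribute")
    return out

def _constructed_token(claims):
    """Build an unsigned sample token (constructed data, not a real credential)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

TENANT, CLIENT = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
GOOD_APP = _constructed_token({"tid": TENANT, "appid": CLIENT, "roles": sorted(EXPECTED_ROLES)})
WIDE_APP = _constructed_token({"tid": TENANT, "appid": CLIENT,
                               "roles": ["User.ReadBasic.All", "Directory.Read.All"]})
NO_OID = _constructed_token({"tid": TENANT, "aud": CLIENT, "email": "user@example.com"})

if __name__ == "__main__":
    print(audit_app_token(WIDE_APP, TENANT, CLIENT))
```

An empty list means the token matches the configuration on this page; any `unexpected application permission` finding indicates the registration holds more Graph access than the integration requires.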
