Quick Start (5 Minutes)
Prerequisites
- Azure CLI installed (
az --versionworks) - Azure account with Global Administrator or Application Administrator role
- Supabase project linked (
npx supabase link --project-ref anuwknikgsijbameytzr) - Supabase CLI available (via
npx supabase)
Automated Setup
Windows:- Create app registration
- Add API permissions
- Generate client secret (save it when shown!)
- Store secrets in Supabase
- Generate admin consent URL
- Create setup log
Manual Setup Steps
Step 1: Login to Azure
Step 2: Create App Registration
appId (Client ID) from the output.
Step 3: Add API Permissions
df021288-bdef-4463-88db-98f22de89214= User.ReadWrite.All (Application) — also covers license assignment per Microsoft Graph (assignLicenseaccepts User.ReadWrite.All as higher-privileged alternative)
Multi-tenant SaaS: UseAzureADMultipleOrgsfor the shared Encore app. Grant admin consent per customer tenant viatenant=organizations(see Step 6). The full 18-scope catalog lives insrc/platform/integrations/entra-permissions.tsandREQUIRED_GRAPH_SCOPESinsupabase/functions/_shared/entra-client.ts.
Step 4: Create Client Secret
password value immediately - it’s only shown once!
Step 5: Store Secrets in Supabase
Step 6: Grant Admin Consent
Generate the admin consent URL:v2 admin consent (current): Encore now uses the Microsoft identity platform v2 endpoint withscope=https://graph.microsoft.com/.default:For guided setup when the tenant ID is unknown, usetenant=organizationsso a Microsoft administrator signs in and grants consent for their directory. The callback verifies consent by acquiring a Graph token (authoritativetidclaim) and caches verified domains.
Tenant admin workflow (in Encore — no Supabase access)
Organization admins complete Microsoft integration entirely in the app:- Settings → Integrations → Microsoft Entra ID → Guided setup
- Choose Encore shared app (recommended) or bring your own app registration
- Enter primary email domain
- Consent as Microsoft administrator (organization-wide admin consent)
- Run connection test — verifies Graph token, caches verified domains, and pins the client secret to your organization vault (shared app)
- Optionally enable Microsoft sign-in in the wizard or under Settings → Single Sign-On
N of 18 granted), not a static catalog. If fewer than 18 appear, the shared Entra app registration may need additional application permissions (platform operator task).
Platform operator workflow (Encore / Supabase — not shown to tenants)
Performed once per Supabase project by Encore platform operators:
Tenant admins never see Supabase Dashboard steps. The in-app SSO toggle is enabled when the tenant is connected, verified domains are cached, and
ENTRA_SSO_PLATFORM_READY is set.
Supabase Azure Provider Checklist (PF-112 Login SSO — platform operators only)
Staff Microsoft sign-in uses Supabase AuthsignInWithOAuth({ provider: 'azure' }) against the same Entra app. In addition to application permissions (Graph provisioning), configure:
1. Redirect URI on the Entra app registration
Register the Supabase Auth callback (not the edge-function consent callback):https://anuwknikgsijbameytzr.supabase.co/auth/v1/callback
Configure this in Supabase Dashboard → Authentication → Providers → Azure and on the Entra app Authentication → Redirect URIs.
2. Optional claims in the app manifest
Required for the OIDC verified-email gate (pf_sso_match_current_user rejects identities without xms_edov):
3. Delegated sign-in scopes (admin-consented)
Add and admin-consent these delegated Microsoft Graph permissions on the app registration so user sign-in works in tenants that disable user consent:
Application permissions alone (client-credentials) do not cover user OAuth sign-in.
4. Supabase Auth Azure provider tenant (multi-tenant)
Set Tenant URL toorganizations (not a single tenant GUID). This allows staff from any customer tenant that has admin-consented the shared app to complete OIDC login; pf_sso_match_current_user() still binds each session to the correct org via tid + verified domain.
5. Encore-side prerequisites
6. Gate audit markers (server-side)
Failed OIDC logins are audited without exposing details to the user:Current Configuration (NorthSight dev2 — 2026-06-18)
Retired: production project anuwknikgsijbameytzr redirect URIs remain on the Entra app for legacy reference but are superseded by dev2 URLs above.
Historical Configuration (retired dev project)
Verification Checklist
Before starting implementation, verify:- Azure CLI installed and working
- Logged in to Azure CLI
- App registration created successfully
- API permissions added (User.ReadWrite.All — 18-scope catalog on shared app)
- Client secret created and captured
- Secrets stored in Supabase
- Admin consent URL generated
- Callback handler deployed (
entra-oauthedge function) - Public access configured (
verify_jwt = falseinconfig.toml) - Admin consent granted
Troubleshooting
”Insufficient privileges”
- Solution: Ensure user has Global Administrator or Application Administrator role
”App registration not found”
- Solution: Verify APP_ID is correct, check with
az ad app list --display-name "Encore OS*"
”Permission not found”
- Solution: Verify permission IDs are correct, check Microsoft Graph API permission reference
”Client secret not shown”
- Solution: Secret is only shown once. If lost, create new secret with
az ad app credential reset
”Missing authorization header” (401 error)
- Solution: Ensure
verify_jwt = falseis set insupabase/config.tomlforentra-oauthfunction
Security Notes
- Client Secret: Only shown once during creation - save immediately
- Storage: For testing, use Supabase secrets. For production, will use per-organization Vault storage
- Documentation: Never commit client secrets to git
- Rotation: Client secrets expire in 2 years - plan rotation before expiration
Related Documentation
- Gap Analysis: archived at
docs/archive/integrations/ENTRA_ID_GAP_ANALYSIS.md(superseded by PF-63 implementation) - Research Findings: ENTRA_ID_RESEARCH_FINDINGS.md
- Overview: ENTRA_ID_OVERVIEW.md
- Specification:
specs/pf/specs/PF-63-entra-id-integration.md - Implementation Plan:
specs/pf/plans/PF-63-entra-id-integration-PLAN.md - Tasks:
specs/pf/tasks/PF-63-TASKS.md
Last Updated: 2026-06-18
Status: ✅ NorthSight dev2 end-to-end verified (provisioning + SSO config; interactive Microsoft login hand-tested separately)