HowTo: Authenticate to Azure Active Directory using GAM

This tutorial explains how to authenticate your users with Azure Active Directory using GAM.

Basically, you need to use the GAM OAuth 2.0 Authentication Type and configure both sides: the Azure portal and the GAM backend.

Configuration at the Azure portal

1. Define and register an application. See this guide from Microsoft.

2. Get the app's Application Id, since you will need it later on:

AADClientId

3. Configure a Redirect URI. Go to the Authentication menu option (pane on the left) and create a new Web platform. Then add a Redirect URI of the form:

http://<server>:<port>/<BackendBaseURL>/oauth/gam/callback

AADRedirectURI

4. Go to Certificates and secrets, and create a new secret. Copy the value of the secret, as it will be needed later.

AADSecret

5. In the Permissions tab, verify that you have added the following (User.Read from Microsoft Graph):

AADPermissions

Configuration at GAM Backend

1. Create a new GAM OAuth 2.0 Authentication Type and define the basics: Name, Description, Images (optional), etc.

2. At the General tab, define the following:

AADGeneralTab

The Redirect URL is of the form:

http://<server>:<port>/<BackendBaseURL>/

Note: For the configuration of the following tabs you will need to check the Endpoints of your application in Azure.

AADEndpoints

3. At the Authorization tab:

URL: https://login.microsoftonline.com/{tenant}/oauth2/authorize
Response type TAG: response_type      Value: code
Scope TAG:         scope              Value: https://graph.microsoft.com/user.read
State TAG:         state
Include ClientID and RedirectURL
Response:
Access code TAG:        code
Error description TAG:  error_description

In the URL, note the specification of the tenant inside the Azure Active Directory.

4. At the Token tab:

URL: https://login.microsoftonline.com/{tenant}/oauth2/token
Header Content type: Content-type      Value: application/x-www-form-urlencoded
Grant type:          grant_type        Value: authorization_code
Include = All
Additional Parameters: resource=https://graph.microsoft.com
Response:
Access token TAG:       access_token
Token type TAG:         token_type
Expires in TAG:         expires_in
Scope TAG:              scope
Error description TAG:  error_description
Validate external token = False

5. At the User Information tab:

URL: https://graph.microsoft.com/v1.0/me
Method: GET
Header Content type: Content-type      Value: application/json;charset=utf-8
Do not include anything
Email TAG:              mail
External ID TAG:        id
Name TAG:               userPrincipalName
First name TAG:         givenName
Last name TAG:          surname
Error description TAG:  message
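As an added illustration (not GAM's own code), this Python sketch walks through the three exchanges the Authorization, Token and User Information tabs configure, including the check that the State TAG makes possible on the callback; the tenant, Application Id, redirect URI, secret and the sample JSON replies are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse
# Placeholders (assumptions, not real values): substitute your own tenant, app and backend.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # the app's Application Id
REDIRECT_URI = "http://localhost:8080/backend/oauth/gam/callback"
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"
USERINFO_URL = "https://graph.microsoft.com/v1.0/me"

def build_authorize_url(state):
    """Authorization tab: response_type, scope and state, plus ClientID and RedirectURL."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
              "scope": "https://graph.microsoft.com/user.read", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Read the 'code' TAG from the callback; reject a state mismatch, surface error_description."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this login attempt")
    if "error_description" in q:
        raise RuntimeError(q["error_description"][0])
    return q["code"][0]

def build_token_request(code, client_secret):
    """Token tab: form-encoded body with grant_type, Include = All and the resource parameter."""
    body = {"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
            "client_secret": client_secret, "redirect_uri": REDIRECT_URI,
            "resource": "https://graph.microsoft.com"}
    return {"Content-type": "application/x-www-form-urlencoded"}, urlencode(body)

def parse_token_response(body):
    """Token tab response TAGs: access_token, token_type, expires_in, scope (or error_description)."""
    t = json.loads(body)
    if "error_description" in t:
        raise RuntimeError(t["error_description"])
    return {k: t[k] for k in ("access_token", "token_type", "expires_in", "scope")}

def map_user(body):
    """User Information tab: map the /me fields onto the GAM user TAGs."""
    u = json.loads(body)
    if "error" in u:   # Graph reports failures as {"error": {"code": ..., "message": ...}}
        raise RuntimeError(u["error"]["message"])
    return {"email": u.get("mail"), "external_id": u["id"], "name": u["userPrincipalName"],
            "first_name": u.get("givenName"), "last_name": u.get("surname")}
# Constructed sample replies, standing in for the real HTTP responses.
SAMPLE_TOKEN = '{"access_token": "eyJ.sample", "token_type": "Bearer", "expires_in": "3599", "scope": "User.Read"}'
SAMPLE_ME = '{"id": "0f1e2d3c", "mail": "alice@contoso.com", "userPrincipalName": "alice@contoso.com", "givenName": "Alice", "surname": "Doe"}'
```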

Note:

The login to Azure Active Directory may be done by entering the user credentials in your application instead of in the Azure portal. This is done by setting "Redirect to authenticate?" to FALSE.

In this case, the grant_type at the Token configuration should be set to "password".

AADGrantTypeToken