
Register Contensis with Azure AD

Created by zengenti, last updated 26 Apr 2022


Note: this article applies to app registrations created after October 2021 (see this link for further details on Azure AD changes).

To be able to register Contensis CMS with Azure, you will first need to complete the following actions on Azure:

  1. Register a new application for each CMS instance
    Register new applications for each Contensis CMS instance that will be integrated with Azure. For example, if you have a live and a development instance, you will need to register two applications: one for the live CMS URL and one for the development CMS URL.

  2. Update the application manifest
    Allows group integration and adds the application id url.

  3. Update permissions
    Allows user integration.

  4. Obtain relevant federation data for the CMS
    Obtain the credentials and discovery document data required to allow the Zengenti identity provider to federate with your registered Azure application.

Registering a new application

Go to the Azure portal and click ‘Azure Active Directory’ from the options in the left panel.

Azure Active Directory option in the Azure portal

You will now be taken to the ‘Azure Active Directory Overview’ screen.

Click ‘App Registrations’ from the ‘Manage’ section.

'App registrations' option in the 'Manage' section

You now have the option to add a new registration.

Click ‘+ New registration’ in the toolbar.

Adding a new registration in 'App registrations'

You’ll be presented with a form allowing you to enter initial application registration information.

Name
This is the display name for the registration in your Azure portal, and can be anything of your choosing.

Supported Account Types
This defines the types of accounts the application grants permissions to.

Redirect URI
This is not optional and is a requirement for the Zengenti identity provider. It should be entered in the following format:

https://<your cms domain>/authenticate/ 


After completion, the form should look similar to the following:

Completed application registration form

Click ‘Register’. The application is now registered.

Update authentication options

The application needs to be updated to include additional authentication options.

Click ‘Authentication’ from the application overview and ensure 'Access tokens' and 'ID tokens' are selected in the Implicit grant and hybrid flows section:

Edit Azure AD authentication options

Update the application manifest

To allow the Zengenti identity provider to identify itself and process a user’s group membership, the application manifest must now be amended.

Click ‘Manifest’ from the application overview:

'Manifest' option in the application

Update the ‘groupMembershipClaims’ value to ‘SecurityGroup’.

Click ‘Save’.

Edit Azure AD manifest

A message will display confirming that the manifest has been updated successfully.
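The settings made so far (redirect URI, implicit grant options and ‘groupMembershipClaims’) can be checked from an export of the application object. This is an added example, not Zengenti's or Microsoft's code; it assumes the export uses the Microsoft Graph application field names, and `check_registration` and the domain `cms.example.com` are placeholders introduced here.

```python
import json

# Constructed sample export of an application object (Microsoft Graph field
# names are assumed; cms.example.com is a placeholder CMS domain).
SAMPLE_APP = json.loads("""
{
  "displayName": "Contensis CMS (live)",
  "groupMembershipClaims": null,
  "web": {
    "redirectUris": ["http://cms.example.com/authenticate"],
    "implicitGrantSettings": {
      "enableAccessTokenIssuance": false,
      "enableIdTokenIssuance": true
    }
  }
}
""")


def check_registration(app, cms_domain):
    """Return a list of findings; an empty list means the settings match the article."""
    findings = []
    # Format given in the article: https://<your cms domain>/authenticate/
    expected = f"https://{cms_domain}/authenticate/"
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    if expected not in uris:
        findings.append(f"redirect URI {expected} is not registered")
    # One registration per CMS instance, so any other URI is reported for review.
    for uri in uris:
        if uri != expected:
            findings.append(f"unexpected redirect URI {uri}")
    grants = web.get("implicitGrantSettings") or {}
    if not grants.get("enableAccessTokenIssuance"):
        findings.append("'Access tokens' is not selected")
    if not grants.get("enableIdTokenIssuance"):
        findings.append("'ID tokens' is not selected")
    if app.get("groupMembershipClaims") != "SecurityGroup":
        findings.append("groupMembershipClaims is not 'SecurityGroup'")
    return findings


if __name__ == "__main__":
    for finding in check_registration(SAMPLE_APP, "cms.example.com"):
        print("FINDING:", finding)
```

The constructed sample fails on purpose: the redirect URI uses http and lacks the trailing slash, ‘Access tokens’ is off, and the group claim is unset.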

'API permissions' option

Click ‘API permissions’ and then click ‘+ Add a permission’.

'Add permissions' option in 'API permissions'

Click ‘Microsoft Graph’ from the top. 

'Microsoft Graph' option in 'Request API permissions'

Now add the following permissions: 

  1. Delegated permissions

    • Directory.Read.All

    • User.Read

    • openid

    • profile
  2. Application permissions

    • Directory.Read.All

    • User.Read.All

To add these, click on the relevant permission type and copy/paste the permission as listed above into the search field, then check the permission as shown below:

'Delegated' and 'Application' permissions in 'Request API permissions'
'Directory.Read.All' setting in 'Request API permissions'
'User.Read' setting in 'Request API permissions'
'Directory.Read.All' setting in 'Application permissions'

When the three permission options have been selected, click ‘Add permissions’.

This will take you back to the API permissions page, where a warning relating to changed permissions will be visible.

To allow the permissions to be available for the Zengenti identity provider, you must grant admin access. Click ‘Grant admin consent’ at the bottom of the page. 

Granting admin consent for API permissions

A further warning will then display - click ‘Yes’.

Clicking 'Yes' to allow 'API permissions' to be set

A success message will display, together with details of the permissions granted.

'API permissions' with all permissions successfully granted.

Setting up admin consent requests (optional)

If the user who will log in to Contensis CMS for the very first time after registration does not have Azure AD global admin permissions, you need an additional step to enable admin consent requests.

Go to ‘Azure Active Directory’ > ‘Enterprise applications’. In the left menu, the ‘User settings’ entry has an ‘Admin consent requests’ section. This section needs to be enabled as follows, with a user, group or role selected that will receive notifications for admin consent via email. Admin consent needs to be granted once per lifetime of the application.

Azure AD admin consent requests

Obtain relevant federation data for the CMS

The Zengenti identity provider requires the following information to federate with your Azure instance:

  • Metadata endpoint

  • Application id

  • Tenant id

  • Tenant name

  • Application key

Metadata endpoint

Go to ‘Azure Active Directory’ > ‘App Registrations’

e.g. Home > Zengenti Ltd > App Registrations

Click ‘Endpoints’ in the top bar.

'Endpoints' option under 'App registrations'

You will see a list of available application endpoints.

Copy the link for ‘OpenID Connect metadata document’.

OpenID Connect metadata document

Application id

Click ‘Overview’ in the application options pane and then copy the ‘Application (client) ID’ which will be required when configuring Contensis to use your Azure AD instance.

'Application id' in the application 'Overview' section

Tenant id

In the ‘Overview’ screen, copy the 'Directory (tenant) ID’ which will be required when configuring Contensis to use your Azure AD instance.

'Directory (tenant) ID' in the application 'Overview' section

Tenant name

Select ‘Azure Active Directory’ from the panel on the left, and then ‘Custom Domain Names’. You can then copy the ‘Name’ listed as the ‘Primary’ - this is your tenant name and will be required when configuring Contensis to use your Azure AD instance.

'Tenant name' in the 'Custom Domain names' section

Application key

In the application overview panel, click ‘Certificates & secrets’ and then click ‘+ New client secret’.

Adding a client secret in the 'Certificates & secrets' section

You will see a form for naming and choosing the lifespan of a key. Complete as appropriate for your requirements, then click ‘Add’.

Adding a key for a client secret

You will now need to copy the key as directed before navigating away from this screen. Click the ‘Copy to clipboard’ icon. 

Important: Once you leave this screen or carry out any other action, you will no longer be able to retrieve this key value. 

Copying the key for a client secret

You have now completed the registration of Contensis with Azure and are ready to configure Contensis to use Azure AD.
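Before the federation data is entered into Contensis, the metadata endpoint, application id and tenant id can be cross-checked so that a value copied from the wrong tenant or registration is caught early. This is an added example, not Zengenti's or Microsoft's code; `check_federation_data` is a name introduced here, all identifiers are constructed placeholders, and it assumes the metadata URL carries the tenant id (not the tenant name) and that the discovery document has already been downloaded.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed placeholder values, not real identifiers.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
BASE = f"https://login.microsoftonline.com/{TENANT_ID}"
METADATA_URL = f"{BASE}/v2.0/.well-known/openid-configuration"
# Constructed discovery document, reduced to the fields checked below.
DISCOVERY = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
}


def check_federation_data(metadata_url, discovery, tenant_id, app_id):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    for label, value in (("tenant id", tenant_id), ("application id", app_id)):
        if not GUID.match(value):
            problems.append(f"{label} is not a GUID")
    url = urlsplit(metadata_url)
    if url.scheme != "https":
        problems.append("metadata endpoint is not HTTPS")
    if not url.path.endswith("/.well-known/openid-configuration"):
        problems.append("metadata endpoint is not an OpenID Connect discovery URL")
    # The tenant in the URL and in the issuer must be the one being handed over.
    if tenant_id.lower() not in url.path.lower():
        problems.append("metadata endpoint belongs to a different tenant")
    if tenant_id.lower() not in str(discovery.get("issuer", "")).lower():
        problems.append("issuer does not name the tenant id")
    # Sign-in, token and key endpoints should sit on the metadata host over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = urlsplit(str(discovery.get(key, "")))
        if endpoint.scheme != "https" or endpoint.hostname != url.hostname:
            problems.append(f"{key} is missing, not HTTPS or on another host")
    return problems


if __name__ == "__main__":
    print(check_federation_data(METADATA_URL, DISCOVERY, TENANT_ID, APP_ID))
```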
