> For the complete documentation index, see [llms.txt](https://docs.catalyx.solutions/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.catalyx.solutions/catalyx-blockchain-manager/canton-network/version-1.11/installation-instructions-canton/external-identity-provider-configuration-optional/microsoft-entraid-setup-guide.md).

# Microsoft Entra ID Setup Guide

## 1 — Catalyst Client Setup

### 1.1 — UI Client

Create a new App Registration for the UI:

* **Name:** `canton-ui`
* **Supported account types:** Single tenant (My organization only)
* **Platform:** Single-Page Application (SPA)

After creation, go to **Authentication → Add Redirect URI** and add the following URLs:

* `<UI url>`
* `<UI url>/domains`
* `<UI url>/participants`
* `<UI url>/validators`

**CORS origins:**

* `<UI url>`

**Front-channel logout URL:**

* `<UI url>`

{% hint style="info" %}
On a fresh environment the UI URL, and therefore the redirect URIs, CORS origin and front-channel logout URL, is only known after installation. Register these values once the UI is reachable; the registered redirect URIs must match the URLs the UI sends exactly, including scheme and trailing path.
{% endhint %}

### 1.2 — API Client

Create a second App Registration for the API:

* **Name:** `catalyst-api`
* **Supported account types:** Single tenant

After creation:

{% stepper %}
{% step %}

#### Create a Client Secret

Go to **Certificates & Secrets → New client secret** and save the secret **value** immediately; it is shown only once, directly after creation. The secret ID shown next to it is not needed and is not the credential.
{% endstep %}

{% step %}

#### Expose an API

Go to **Expose an API → Add** next to Application ID URI and accept the default value `api://<client-id>`.
{% endstep %}

{% step %}

#### Add a Scope

Click **Add a scope** and fill in:

* **Scope name:** `access`
* **Who can consent:** Admins and users
* **Admin consent display name:** `Catalyst API access`
* **Admin consent description:** `Catalyst API access`
{% endstep %}

{% step %}

#### Grant API Permissions

Go to the **UI App Registration → API permissions → Add a permission → My APIs → catalyst-api**, select the `access` scope, and click **Add permissions**.

Then click **Grant admin consent for \[tenant]**.
{% endstep %}
{% endstepper %}

| Client               | Platform Type           | Grant Types                                             | Has Client Secret |
| -------------------- | ----------------------- | ------------------------------------------------------- | ----------------- |
| UI (`canton-ui`)     | Single-Page Application | Authorization Code (PKCE) + Refresh Token               | No                |
| API (`catalyst-api`) | Web                     | Client Credentials + Authorization Code + Refresh Token | Yes               |
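To check the two registrations before handing values to IntellectEU, the following added Python script (not part of Catalyst and not Microsoft's SDK; standard library only, nothing here contacts Entra ID) assembles the requests each client sends and inspects the claims of a token issued for `catalyst-api`. The tenant and client GUIDs, the redirect URI and the sample token in it are constructed for illustration.

```python
"""Offline checks for the canton-ui (SPA) and catalyst-api (Web) app registrations.

Added example; the GUIDs, redirect URI and sample token below are constructed."""
import base64
import hashlib
import json
import secrets
import urllib.parse
from dataclasses import dataclass


@dataclass(frozen=True)
class EntraConfig:
    tenant_id: str
    ui_client_id: str
    api_client_id: str

    @property
    def authority(self) -> str:
        # The "Auth URL" value of section 1.4: the OIDC issuer for v2.0 tokens
        return f"https://login.microsoftonline.com/{self.tenant_id}/v2.0"

    @property
    def token_endpoint(self) -> str:
        return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/v2.0/token"

    @property
    def delegated_scope(self) -> str:
        # Default Application ID URI from "Expose an API" plus the `access` scope
        return f"api://{self.api_client_id}/access"


def pkce_pair() -> tuple[str, str]:
    """code_verifier and S256 code_challenge for the SPA's Authorization Code (PKCE) flow."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, _b64url(digest)


def spa_authorize_url(cfg: EntraConfig, redirect_uri: str, code_challenge: str, state: str) -> str:
    """Authorization request canton-ui sends; redirect_uri must be one of the registered URIs."""
    params = {
        "client_id": cfg.ui_client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": f"openid offline_access {cfg.delegated_scope}",  # offline_access -> refresh token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    base = f"https://login.microsoftonline.com/{cfg.tenant_id}/oauth2/v2.0/authorize?"
    return base + urllib.parse.urlencode(params)


def client_credentials_body(cfg: EntraConfig, client_secret: str) -> dict:
    """Form body for the catalyst-api Client Credentials grant. App-only requests must ask
    for the `.default` scope; the delegated `access` scope is not valid in this grant."""
    return {
        "grant_type": "client_credentials",
        "client_id": cfg.api_client_id,
        "client_secret": client_secret,  # the secret VALUE, not the secret ID
        "scope": f"api://{cfg.api_client_id}/.default",
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Compact JWT with an empty signature, used only to exercise the claim checks offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: for inspecting a token you just
    received, never a substitute for JWKS-based verification inside the API."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def check_api_token_claims(claims: dict, cfg: EntraConfig) -> list[str]:
    """Mismatches between a token meant for catalyst-api and the registration. Entra issues
    v1.0 access tokens (aud = App ID URI, iss = sts.windows.net) unless the API sets
    accessTokenAcceptedVersion to 2, so both issuer and audience forms are accepted."""
    problems = []
    if claims.get("iss") not in {f"https://sts.windows.net/{cfg.tenant_id}/", cfg.authority}:
        problems.append(f"iss {claims.get('iss')!r} is not this tenant")
    if claims.get("aud") not in {f"api://{cfg.api_client_id}", cfg.api_client_id}:
        problems.append(f"aud {claims.get('aud')!r} is not catalyst-api")
    if claims.get("tid") != cfg.tenant_id:
        problems.append("tid does not match the tenant")
    caller = claims.get("azp") or claims.get("appid")  # azp in v2.0 tokens, appid in v1.0
    if caller not in {cfg.ui_client_id, cfg.api_client_id}:
        problems.append(f"caller {caller!r} is not a registered client")
    if "scp" in claims and "access" not in claims["scp"].split():
        problems.append("delegated token lacks the `access` scope")
    return problems


# Constructed sample values (not real tenant or client IDs)
SAMPLE_CFG = EntraConfig(
    tenant_id="11111111-2222-3333-4444-555555555555",
    ui_client_id="aaaaaaaa-0000-0000-0000-000000000001",
    api_client_id="bbbbbbbb-0000-0000-0000-000000000002",
)
# Shape of a v1.0 access token issued to canton-ui for catalyst-api (claims trimmed)
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": f"https://sts.windows.net/{SAMPLE_CFG.tenant_id}/",
    "aud": f"api://{SAMPLE_CFG.api_client_id}",
    "tid": SAMPLE_CFG.tenant_id,
    "appid": SAMPLE_CFG.ui_client_id,
    "scp": "access",
    "upn": "canton-admin@example.onmicrosoft.com",
})

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(spa_authorize_url(SAMPLE_CFG, "https://canton-ui.example/", challenge, "state-1"))
    print(client_credentials_body(SAMPLE_CFG, "<secret value>"))
    print(check_api_token_claims(decode_jwt_payload(SAMPLE_TOKEN), SAMPLE_CFG) or "token claims OK")
```

Paste a real access token obtained by the UI into `decode_jwt_payload` and run `check_api_token_claims` against your own IDs: an `aud` of the UI client ID means the SPA requested a token for itself instead of for `api://<api-client-id>/access`, and a missing `access` in `scp` usually means the API permission was added but admin consent was not granted.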

### 1.3 — User Setup

Create a new user in **Entra ID → Users → New user → Create new user**:

* **Username:** e.g. `canton-admin@<tenant>.onmicrosoft.com`
* **Display name:** e.g. `Canton Admin`
* **Password:** set a temporary password — the user will be prompted to change it on first login

Assign the user to both Enterprise Applications:

* **Entra ID → Enterprise Applications → `canton-ui` → Users and Groups → Add user/group**
* **Entra ID → Enterprise Applications → `catalyst-api` → Users and Groups → Add user/group**

### 1.4 — Fields Required by IntellectEU

After completing the Entra ID setup, provide the following values to IntellectEU:

| Field             | Where to find it                                                                          |
| ----------------- | ----------------------------------------------------------------------------------------- |
| UI Client ID      | App Registrations → `canton-ui` → Overview → Application (client) ID                      |
| API Client ID     | App Registrations → `catalyst-api` → Overview → Application (client) ID                   |
| API Client Secret | App Registrations → `catalyst-api` → Certificates & Secrets → value saved during creation |
| Tenant ID         | Entra ID → Overview → Tenant ID                                                           |
| Auth URL          | `https://login.microsoftonline.com/<tenant-id>/v2.0`                                      |
| User Username     | Entra ID → Users → \[user] → User principal name                                          |
| User Password     | Temporary password set in step 1.3 (the user is prompted to change it at first sign-in)   |
