Section 2: Configure Permissions and Tokens

Now, configure the necessary credentials (client secret), token contents, and API permissions for the Zudello application registration.

Steps:

1. Navigate to Certificates & Secrets: In the left menu of your Zudello app registration, click Certificates & secrets.
2. Create Client Secret:
   • Under the "Client secrets" tab, click + New client secret.
   • Enter a Description (e.g., "Zudello SSO Secret").
   • Select an Expires duration (e.g., 12 or 24 months - note this date for future renewal).
   • Click Add.
   • Crucially: Immediately copy the Value of the newly created secret and store it securely alongside the Client and Tenant IDs. This value is only shown once.
3. Navigate to Token Configuration: In the left menu, click Token configuration.
4. Add Optional Claims:
   • Click + Add optional claim.
   • Select ID as the token type.
   • Check the boxes for the following claims: email, family_name, given_name, preferred_username.
   • Click Add. Confirm if prompted about turning on the Microsoft Graph profile permission.
5. Navigate to API Permissions: In the left menu, click API permissions.
6. Verify Permissions: Ensure the following Microsoft Graph delegated permissions are listed:
   • email
   • openid
   • profile
   • User.Read
   • Note: Some may have been added automatically when configuring token claims. If any are missing, click + Add a permission, select Microsoft Graph, choose Delegated permissions, search for and add the missing ones.
7. Grant Admin Consent: Click the Grant admin consent for [Your Organisation Name] button, and confirm. The status for the permissions should update to show consent granted.

What Happens Next?

The application registration now has the necessary credentials and permissions for SSO. The next step is to set up a group for user provisioning.

Next Section: Set Up User Provisioning Group

---

Related How-To Guides:

• Microsoft Entra ID (Azure AD) - Single Sign-On (SSO)