Using Entra
Provide Microsoft Entra (formerly Azure AD) as an authentication provider within your Rock Mobile application.
Last updated
Provide Microsoft Entra (formerly Azure AD) as an authentication provider within your Rock Mobile application.
Last updated
If you are building your app utilizing the orange/blue Rock Mobile application and would like to test Entra, you should coordinate your efforts with the App Factory publishing service.
Microsoft Entra ID is a cloud-based identity and access management service that is typically used for employees. It can be used to effectively manage authentication, security and much more at an extremely scalable level.
To ensure Entra works perfectly in Rock Mobile, follow this step-by-step guide.
Create and configure a new App Registration in the Azure AD Portal.
Add permissions for our mobile application to retrieve necessary data points.
Ensure our authentication returns enough information to the Rock server.
Configure your Rock Mobile to support Entra.
a. In the Entra admin portal, navigate to Applications > App registrations > New registration.
b. Configure the Register an application screen considering the information below.
Provide a name for your Rock Mobile app registration. Nothing really hinges on this.
This is really up to you. If you're limiting Entra login to staff, then the Accounts in this organizational directory only is likely the right choice.
If you need assistance acquiring the <BundleId/PackageName> please reach out to the App Factory team.
This is important. This needs to be formatted like <BundleId/PackageName>://entra/callback, otherwise authentication won't work. If your bundle identifier and package name differ, you'll have to add a Redirect URI for both (App Registrations > Your App > Authentication).
Ensure that the type of Redirect URI is set to Public client/native (mobile & desktop).
We need to ensure that our mobile application has permission to see the necessary data of a newly authenticated user.
a. Navigate to your newly created app registration, then to API permissions > Add a permission.
b. Select Microsoft Graph.
c. Select Delgated permissions, check email, openid and profile permissions. Press Add permissions.
Rock requires a First Name, Last Name and either a valid Phone Number or Email to process external authentication. You should take steps to ensure that those specific data points are always returned from Auth0 authentication.
Out of the box, Entra will not return the first name and last name of an authenticated person to the shell. Rock needs this information to process/person match etc., so we need to go in and add these data points.
a. Under your newly created app registration, navigate to Token configuration > Add optional claim.
b. Select ID as the Token type, and check email, family_name (last name) and given_name (first name). Press Add.
a. Jump into your Rock Mobile application (CMS Configuration > Mobile Applications > Your application > Edit).
b. In the Authentication Settings section, we're going to be configuring the Microsoft Entra settings.
Entra Client ID & Entra Tenant ID
To retrieve your Entra Client ID and Entra Tenant ID, jump into the Entra portal, your newly created app registration, into Overview. The values will be displayed.
Microsoft Entra Authentication Provider
Select the same authentication provider that provides Entra login on web. In almost all cases, this component is either the Triumph Tech Azure AD Sync & SSO plugin or BEMA Single Sign On plugin.
c. Configure the Login block to provide Entra as an SSO option.
The following identity claims are supported and can be utilized to supply additional information about a Rock Person. Since Entra configurations can vary, we supply a few different keys that are recognized and translated accordingly.
firstname, first_name, given_name
string
The FirstName of the Person.
lastname, last_name, family_name
string
The LastName of the Person.
phone, phonenumber, phone_number
string
The PhoneNumber of the Person.
campus, campus_guid
Guid
The Guid of the Person campus.
photo, picure, profile_image, avatar
string
The source of the Person profile image.
nickname
string
The nickname of the Person.
birthday, birth_date, birthdate, date_of_birth
DateTime
TheDateTime representation of the Person date of birth.
gender
string
The Gender representation of the Person. Can be interpreted as the enum integer or corresponding string value.
Add a permission button.Microsoft Graph as the API.Add Optional Claim button.email, family_name & given_name claims.Entra app registration.
