Using Entra

Provide Microsoft Entra (formerly Azure AD) as an authentication provider within your Rock Mobile application.

If you are building your app utilizing the orange/blue Rock Mobile application and would like to test Entra, you should coordinate your efforts with the App Factory publishing service.

What is Microsoft Entra

Microsoft Entra ID is Microsoft's cloud-based identity and access management service, typically used for staff and other organizational accounts. It handles authentication, authorization and related security controls at scale, which is why it is a common single sign-on source for churches and organizations already running Microsoft 365.

Setup

To get Entra working in Rock Mobile, follow these four steps; each is detailed below.

  1. Create and configure a new App Registration in the Microsoft Entra admin center.

  2. Add permissions for our mobile application to retrieve necessary data points.

  3. Ensure our authentication returns enough information to the Rock server.

  4. Configure your Rock Mobile to support Entra.

1. Registering the app

a. In the Entra admin portal, navigate to Applications > App registrations > New registration.

b. Configure the Register an application screen considering the information below.

Name

Provide a name for your Rock Mobile app registration. Nothing really hinges on this.

Supported account types

This is really up to you. If you're limiting Entra login to staff, then the Accounts in this organizational directory only is likely the right choice.

Redirect URI

This is important. The URI must be formatted as <BundleId/PackageName>://entra/callback, otherwise authentication will not work. If your iOS bundle identifier and Android package name differ, add a Redirect URI for each of them (App registrations > Your App > Authentication).

If you need help finding your <BundleId/PackageName>, reach out to the App Factory team.

Ensure that the type of Redirect URI is set to Public client/native (mobile & desktop).

2. Add necessary permissions

We need to ensure that our mobile application has permission to see the necessary data of a newly authenticated user.

a. Navigate to your newly created app registration, then to API permissions > Add a permission.

b. Select Microsoft Graph.

c. Select Delegated permissions, then check the email, openid and profile permissions. Press Add permissions.

3. Add optional claims

Rock requires a first name, a last name and either a valid phone number or email address to process an external authentication. Make sure those values are always returned by Entra authentication; the optional claims below supply first name, last name and email.

Out of the box, Entra does not include the first name and last name of the authenticated person in the ID token returned to the shell. Rock needs these values to match the login to an existing Person (or create a new one), so add them as optional claims.

a. Under your newly created app registration, navigate to Token configuration > Add optional claim.

b. Select ID as the Token type, and check email, family_name (last name) and given_name (first name). Press Add.

4. Configuring Rock Mobile

a. Jump into your Rock Mobile application (CMS Configuration > Mobile Applications > Your application > Edit).

b. In the Authentication Settings section, we're going to be configuring the Microsoft Entra settings.

Entra Client ID & Entra Tenant ID

To retrieve your Entra Client ID and Entra Tenant ID, jump into the Entra portal, your newly created app registration, into Overview. The values will be displayed.

Microsoft Entra Authentication Provider

Select the same authentication provider that provides Entra login on web. In almost all cases, this component is either the Triumph Tech Azure AD Sync & SSO plugin or BEMA Single Sign On plugin.

c. Configure the Login block to provide Entra as an SSO option.
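The following Python script is an added example, not part of the Rock documentation or Rock's own code. It checks the two things the steps above depend on: that the Redirect URI(s) you register follow the <BundleId/PackageName>://entra/callback pattern (two URIs when the bundle identifier and package name differ), and that the ID token Entra returns actually carries the given_name, family_name and email claims Rock needs, issued by your tenant for your Client ID. The tokens, tenant ID, client ID and person details in the script are constructed placeholders; the issuer format assumes the Entra v2.0 endpoint, and the claim parser does not verify the signature, so run it only on a token your OIDC library has already validated.

```python
import base64
import json

# Claims Rock needs to match or create a Person (first name, last name, email),
# i.e. the optional ID-token claims added in step 3 above.
REQUIRED_CLAIMS = ("given_name", "family_name", "email")


def entra_redirect_uris(bundle_id: str, package_name: str) -> list:
    """Redirect URI(s) to register: <BundleId/PackageName>://entra/callback.

    One URI when the iOS bundle ID and Android package name are the same,
    two when they differ (both must be added under Authentication).
    """
    identifiers = []
    for app_id in (bundle_id, package_name):
        if app_id and app_id not in identifiers:
            identifiers.append(app_id)
    return [f"{app_id}://entra/callback" for app_id in identifiers]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This does NOT verify the signature; call it only on a token your OIDC
    library has already validated, to inspect what Entra put in it.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_rock_claims(claims: dict) -> list:
    """Names of the required claims that are absent or empty in the payload."""
    return [name for name in REQUIRED_CLAIMS if not claims.get(name)]


def token_matches_app(claims: dict, client_id: str, tenant_id: str) -> bool:
    """Check the token was issued by your tenant for your app registration,
    using the same Client ID and Tenant ID entered in Rock Mobile (step 4).
    Assumes the Entra v2.0 issuer format."""
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return claims.get("iss") == expected_issuer and claims.get("aud") == client_id


def _unsigned_token(payload: dict) -> str:
    # Constructed sample token for offline use: 'alg: none' and an empty
    # signature. Real Entra tokens are RS256-signed; never accept alg=none.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Placeholder IDs (constructed, not a real tenant or app registration).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"

_BASE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "sub": "constructed-subject-identifier",
    "name": "Ted Decker",
    "preferred_username": "ted@example.com",
}

# What the shell sees before step 3: no given_name/family_name/email claims.
DEFAULT_TOKEN = _unsigned_token(_BASE_CLAIMS)

# What the shell sees after the optional claims from step 3 are added.
CONFIGURED_TOKEN = _unsigned_token({
    **_BASE_CLAIMS,
    "given_name": "Ted",
    "family_name": "Decker",
    "email": "ted@example.com",
})


if __name__ == "__main__":
    print(entra_redirect_uris("com.example.church", "com.example.church.android"))
    for label, token in (("default", DEFAULT_TOKEN), ("configured", CONFIGURED_TOKEN)):
        claims = decode_id_token_claims(token)
        print(label, "issuer/audience ok:", token_matches_app(claims, CLIENT_ID, TENANT_ID),
              "missing:", missing_rock_claims(claims))
```

Running the script as-is shows the default token missing all three claims and the configured token missing none; point decode_id_token_claims at a real, already-validated token from a test sign-in to confirm your Token configuration took effect before handing the app to users.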

Supported Claims

The following identity claims are supported and can be utilized to supply additional information about a Rock Person. Since Entra configurations can vary, we supply a few different keys that are recognized and translated accordingly.
