How do I Setup Entra Authentication?

Setup Entra authentication to BART multi-tenant application

BART is an Entra Multitenant Application with Verified ID, where end-users will need permission to consent to the Service Principal for BART. Some tenants allow consent by users as they log in, however most will need to be pre-consented by an administrator from their Entra account. 

Provide Consent

To proceed; You will need an administrator to provide tenant-wide consent for users to authenticate.

 Please read the following documentation for an outline of the process and the permissions required to complete the steps:

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#construct-the-url-for-granting-tenant-wide-admin-consent

To provide consent please go to the BART login page here: https://bartapp.net/webapp/login and click on “Sign in with Microsoft”.

image-20240911-001849.png

Once logged in as an administrator; You will then be prompted with the screen below.

Please review the permissions carefully.

image-20240903-001641.png

If you agree with providing access to basic profile information to BART, please tick ‘Consent on behalf of your organization’ and click the ‘Accept’ button.

If you don’t have a matching login in BART, you will not be able to login to BART yet. That is ok, the Application will still have been created in your Entra account, where you can configure who has access to it.

Setup Single Sign on users in BART

Each user that uses Entra single sign on, must have a verified and primary email address that matches their Entra users UPN and Authentication mode set to: “Single Sign On (SSO)”

You can set this in the users settings under Administration > Users in the BART WebApp.

After this step is complete, please instruct registered users of BART to sign in with their SSO credentials. 

How it works

  1. Clicking the “login with Microsoft” button will redirect user to the Microsoft identity platform (OAuth 2.0 authorization endpoint) for authentication.

    1. If user already has an existing MS Session authentication occurs using the non-interactive approach and attempts to acquire a valid cached token.

    2. If no current valid MS session exists, it will prompt for input to the user.

  2. A token is acquired by exchanging the authorization code for an access token.

  3. Access token is securely passed to BART Server for re-confirming authorisation and user details server-side using the MS Graph API.

  4. Users Unique UPN (email) must match on both systems confirm user is the same.

  5. User is provided with BART access token for future in-app API calls.

 

User Login Process