To set up an OpenID Connect (OIDC)-based application in Microsoft Azure Active Directory (AzureAD) for Single Sign On (SSO), perform the following steps.


Ensure you have an AzureAD account to sign in.


  1. Log in to your Microsoft Azure account as an Admin user.
    The Microsoft Azure home screen appears.
  2. To create a new application:
    1. Search and select the Azure Active Directory service.
    2. Go to App registration > New registration.
      The Register an application screen appears.
    3. In the Name field, enter the name for your SASE Orchestrator application.
    4. In the Redirect URL field, enter the redirect URL that your SASE Orchestrator application uses as the callback endpoint.
      In the SASE Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the SASE Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.
    5. Click Register.
      Your SASE Orchestrator application will be registered and displayed in the All applications and Owned applications tabs. Make sure to note down the Client ID/Application ID to be used during the SSO configuration in SASE Orchestrator.
    6. Click Endpoints and copy the well-known OIDC configuration URL to be used during the SSO configuration in SASE Orchestrator.
    7. To create a client secret for your SASE Orchestrator application, on the Owned applications tab, click on your SASE Orchestrator application.
    8. Go to Certificates & secrets > New client secret.
      The Add a client secret screen appears.
    9. Provide details such as description and expiry value for the secret and click Add.
      The client secret is created for the application. Note down the new client secret value to be used during the SSO configuration in SASE Orchestrator.
    10. To configure permissions for your SASE Orchestrator application, click on your SASE Orchestrator application and go to API permissions > Add a permission.
      The Request API permissions screen appears.
    11. Click Microsoft Graph and select Application permissions as the type of permission for your application.
    12. Under Select permissions, from the Directory drop-down menu, select Directory.Read.All and from the User drop-down menu, select User.Read.All.
    13. Click Add permissions.
    14. To add and save roles in the manifest, click on your SASE Orchestrator application and from the application Overview screen, click Manifest.
      A web-based manifest editor opens, allowing you to edit the manifest within the portal. Optionally, you can select Download to edit the manifest locally, and then use Upload to reapply it to your application.
    15. In the manifest, search for the appRoles array and add one or more role objects as shown in the following example and click Save.
      Note: The value property from appRoles must be added to the Identity Provider Role Name column of the Role Map table, located in the Authentication tab, in order to map the roles correctly.
      Sample role objects
                  "allowedMemberTypes": [
                  "description": "Standard Administrator who will have sufficient privilege to manage resource",
                  "displayName": "Standard Admin",
                  "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
                  "isEnabled": true,
                  "lang": null,
                  "origin": "Application",
                  "value": "standard"
                  "allowedMemberTypes": [
                  "description": "Super Admin who will have the full privilege on SASE Orchestrator",
                  "displayName": "Super Admin",
                  "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
                  "isEnabled": true,
                  "lang": null,
                  "origin": "Application",
                  "value": "superuser"
      Note: Make sure to set id to a newly generated Global Unique Identifier (GUID) value. You can generate GUIDs online using web-based tools (for example,, or by running the following commands:
      • Linux/OSX - uuidgen
      • Windows - powershell [guid]::NewGuid()
      Roles are manually set up in the SASE Orchestrator, and must match the ones configured in the Microsoft Azure portal.
  3. To assign groups and users to your SASE Orchestrator application:
    1. Go to Azure Active Directory > Enterprise applications.
    2. Search and select your SASE Orchestrator application.
    3. Click Users and groups and assign users and groups to the application.
    4. Click Submit.


You have completed setting up an OIDC-based application in AzureAD for SSO.

What to do next

Configure Single Sign On in SASE Orchestrator.