To set up an OpenID Connect (OIDC)-based application in Microsoft Azure Active Directory (AzureAD) for Single Sign On (SSO), perform the steps in this procedure.


Ensure you have an AzureAD account to sign in.


  1. Log in to your Microsoft Azure account as an Admin user.
    The Microsoft Azure home screen appears.
  2. To create a new application:
    1. Search and select the Azure Active Directory service.
    2. Go to App registration > New registration.
      The Register an application screen appears.
    3. In the Name field, enter the name for your VeloCloud Orchestrator (VCO) application.
    4. In the Redirect URL field, enter the redirect URL that your VCO application uses as the callback endpoint.
      In the VCO application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the VCO redirect URL will be in this format: https://<VCO URL>/login/ssologin/openidCallback.
    5. Click Register.
      Your VCO application will be registered and displayed in the All applications and Owned applications tabs. Make sure to note down the Client ID/Application ID to be used during the SSO configuration in VCO.
    6. Click Endpoints and copy the well-known OIDC configuration URL to be used during the SSO configuration in VCO.
    7. To create a client secret for your VCO application, on the Owned applications tab, click on your VCO application.
    8. Go to Certificates & secrets > New client secret.
      The Add a client secret screen appears.
    9. Provide details such as description and expiry value for the secret and click Add.
      The client secret will be created for the application. Note down the new client secret value to be used during the SSO configuration in VCO.
    10. To configure permissions for your VCO application, click on your VCO application and go to API permissions > Add a permission.
      The Request API permissions screen appears.
    11. Click Microsoft Graph and select Application permissions as the type of permission for your application.
    12. Under Select permissions, from the Directory drop-down menu, select Directory.Read.All and from the User drop-down menu, select User.Read.All.
    13. Click Add permissions.
    14. To add and save roles in the manifest, click on your VCO application and from the application Overview screen, click Manifest.
      A web-based manifest editor opens, allowing you to edit the manifest within the portal. Optionally, you can select Download to edit the manifest locally, and then use Upload to reapply it to your application.
    15. In the manifest, search for the appRoles array and add one or more role objects as shown in the following example and click Save.
      Sample role objects
      {
          "allowedMemberTypes": [
              "User"
          ],
          "description": "Standard Administrator who will have sufficient privilege to manage resource",
          "displayName": "Standard Admin",
          "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
          "isEnabled": true,
          "lang": null,
          "origin": "Application",
          "value": "standard"
      },
      {
          "allowedMemberTypes": [
              "User"
          ],
          "description": "Super Admin who will have the full privilege on VCO",
          "displayName": "Super Admin",
          "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
          "isEnabled": true,
          "lang": null,
          "origin": "Application",
          "value": "superuser"
      }
      Note: Make sure to set id to a newly generated GUID value.
  3. To assign groups and users to your VCO application:
    1. Go to Azure Active Directory > Enterprise applications.
    2. Search and select your VCO application.
    3. Click Users and groups and assign users and groups to the application.
    4. Click Submit.


You have completed setting up an OIDC-based application in AzureAD for SSO.
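
The appRoles edit from the manifest step can be checked before you click Save. The following is an added example, not part of the original procedure or of any VMware or Microsoft tooling: it builds role objects with freshly generated GUIDs and flags entries that reuse the sample ids printed on this page, repeat an id or value, or carry an invalid allowedMemberTypes list. The function names new_role and check_app_roles are hypothetical, and the sample input is constructed.

```python
import uuid

# GUIDs printed in this page's sample role objects; finding one in a manifest
# means the sample was pasted without generating a fresh id.
SAMPLE_IDS = {"18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
              "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75"}
MEMBER_TYPES = {"User", "Application"}  # values Azure AD accepts here


def new_role(display_name, value, description):
    """Build a role object in the page's shape with a freshly generated id."""
    return {"allowedMemberTypes": ["User"], "description": description,
            "displayName": display_name, "id": str(uuid.uuid4()),
            "isEnabled": True, "lang": None, "origin": "Application",
            "value": value}


def check_app_roles(roles):
    """Return a list of problems found in an appRoles array (empty means OK)."""
    problems, seen_ids, seen_values = [], set(), set()
    for i, role in enumerate(roles):
        label = f"appRoles[{i}] ({role.get('displayName', '?')})"
        rid = str(role.get("id", "")).lower()
        try:
            uuid.UUID(rid)
        except ValueError:
            problems.append(f"{label}: id is not a GUID")
        if rid in SAMPLE_IDS:
            problems.append(f"{label}: id copied from the documentation sample")
        if rid in seen_ids:
            problems.append(f"{label}: duplicate id")
        seen_ids.add(rid)
        value = role.get("value") or ""
        if not value or any(c.isspace() for c in value):
            problems.append(f"{label}: value is empty or contains whitespace")
        if value in seen_values:
            problems.append(f"{label}: duplicate value")
        seen_values.add(value)
        types = role.get("allowedMemberTypes") or []
        if not types or not set(types) <= MEMBER_TYPES:
            problems.append(f"{label}: allowedMemberTypes must be User and/or Application")
    return problems


if __name__ == "__main__":
    # Constructed input: one role pasted from the page's sample, one new role.
    pasted = new_role("Super Admin", "superuser", "Full privilege on VCO")
    pasted["id"] = "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75"
    roles = [pasted, new_role("Standard Admin", "standard", "Manage resources")]
    print("\n".join(check_app_roles(roles) or ["appRoles OK"]))
```

To check a downloaded manifest, load it with json.load and pass its appRoles list to check_app_roles.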

What to do next

Configure Single Sign On in VCO.