OAuth support for Microsoft Entra using Private Key JWT

On the Manage > OAuth connections page, Private Key JWT is supported as a client authentication method.

Prerequisites

After you have configured the IdP for Microsoft Entra and have the base64url-encoded SHA-1 thumbprint of the signing certificate ready, create a Microsoft Entra connection in the Control Room.

Procedure

  1. Navigate to Manage > OAuth connections.
  2. Click Create connection.
    The Connection settings screen appears.
  3. Select Microsoft Entra as the Provider type.
    Note: The Callback URL is used in your enterprise application configuration settings to connect to the Control Room.
  4. Enter a unique Connection name to identify the connection.
  5. Optional: Enter a Description for the connection.
  6. Click Next.
    The Authentication details screen appears.
  7. Select a Grant type. See OAuth client credentials flow and OAuth authorization code flow.
  8. Select Client Authentication Private Key JWT as the Client authentication method.
  9. Enter the Client ID that the provider issued for your account.
  10. Enter the Authorization URL used to obtain an authorization code for your account.
  11. Enter the Token URL used to exchange an authorization code for an access token.
  12. Optional: Enter Scope.
    This information is used as claims (information about the user) in an access token and forwarded to the resource server to limit access.
    Note: If you are adding more than one scope, separate the scopes with commas or spaces.
  13. Click Next.
    The Test connection and save credentials screen appears.
  14. Optional: Select Save login credentials.
  15. Optional: Click Save changes and test connection.
  16. Click Next.
    The Invite roles screen appears.
  17. Select the roles that you want to invite to use this connection. Only invited roles can use the token in a bot, whether it is private, shared, or both.
    Inviting roles is mandatory when a bot uses the OAuth connection; it is not required when the connection is used by an external connection.
    Note: Only custom roles are displayed in the list of Available roles.
  18. Click Create connection. An OAuth connection is created.
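The steps above configure the Control Room to authenticate to the Token URL with a Private Key JWT client assertion instead of a client secret. The following is an added example, not the Control Room's own code, showing what that assertion and the resulting token request look like for both grant types on this page: the x5t header is the base64url-encoded SHA-1 thumbprint from the prerequisites, iss and sub are the Client ID, aud is the Token URL, and the redirect_uri for the authorization code grant is the Callback URL from the Connection settings screen. The tenant, client ID, certificate bytes and scope values are constructed placeholders; the normalize_scope helper assumes the comma-or-space input accepted by the UI is sent space-delimited on the wire as RFC 6749 requires; and rs256_signer assumes the third-party cryptography package, imported only when it is called.

```python
"""Private Key JWT client assertion for Microsoft Entra (added example; not the
Control Room's own code). All identifiers below are constructed placeholders."""
import base64
import hashlib
import json
import re
import time
import uuid

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments and the x5t header."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_thumbprint(cert_der: bytes) -> str:
    """Base64url-encoded SHA-1 thumbprint of the DER certificate; this is the
    x5t value Entra matches against the certificate on the app registration."""
    return b64url(hashlib.sha1(cert_der).digest())


def normalize_scope(scope: str) -> str:
    """Assumed normalizer: commas or spaces in, single-space-delimited out."""
    return " ".join(s for s in re.split(r"[,\s]+", scope) if s)


def build_client_assertion(client_id, token_url, x5t, sign, now=None, lifetime=300):
    """Assemble and sign the client assertion JWT. `sign` takes the ASCII signing
    input and returns raw RS256 signature bytes, so the private key stays
    behind a callable and is never loaded by this module."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    claims = {
        "iss": client_id,          # issuer and subject are both the Client ID
        "sub": client_id,
        "aud": token_url,          # audience is the Token URL it is posted to
        "iat": now,
        "nbf": now,
        "exp": now + lifetime,     # keep assertions short-lived
        "jti": str(uuid.uuid4()),  # unique per assertion; replays are rejected
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def decode_assertion(assertion: str):
    """Return (header, claims) of a compact JWT without verifying the signature."""
    head, body, _sig = assertion.split(".")
    pad = lambda s: s + "=" * (-len(s) % 4)
    return (json.loads(base64.urlsafe_b64decode(pad(head))),
            json.loads(base64.urlsafe_b64decode(pad(body))))


def check_assertion_claims(claims, client_id, token_url, now, max_lifetime=600):
    """List the reasons the token endpoint would reject this assertion."""
    problems = []
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client ID")
    if claims.get("aud") != token_url:
        problems.append("aud must be the token URL the assertion is posted to")
    if not claims.get("jti"):
        problems.append("jti missing; assertions must carry a unique id")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("assertion expired or exp missing")
    elif exp - now > max_lifetime:
        problems.append("assertion lifetime too long; keep it short-lived")
    return problems


def build_token_request(client_id, assertion, scope, grant_type="client_credentials",
                        code=None, redirect_uri=None):
    """Form fields POSTed to the Token URL for either grant type on this page."""
    form = {"grant_type": grant_type, "client_id": client_id,
            "client_assertion_type": CLIENT_ASSERTION_TYPE,
            "client_assertion": assertion}
    if grant_type == "client_credentials":
        form["scope"] = scope
    elif grant_type == "authorization_code":
        form["code"] = code
        form["redirect_uri"] = redirect_uri  # the Callback URL from Connection settings
    else:
        raise ValueError(f"unsupported grant type: {grant_type}")
    return form


def rs256_signer(private_key_pem: bytes):
    """Signing callable backed by the `cryptography` package (assumed dependency,
    imported lazily so the rest of the module runs without it)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Constructed values; a stand-in signer keeps the demo offline. Use
    # rs256_signer(pem) with the certificate's private key for a real request.
    token_url = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token"
    client_id = "00000000-0000-0000-0000-000000000000"
    jwt_ = build_client_assertion(client_id, token_url, x5t_thumbprint(b"constructed-der"),
                                  lambda d: hashlib.sha256(d).digest(), now=1_700_000_000)
    hdr, clm = decode_assertion(jwt_)
    print(hdr, clm, check_assertion_claims(clm, client_id, token_url, 1_700_000_000), sep="\n")
    print(build_token_request(client_id, jwt_, normalize_scope("api://placeholder/.default")))
```

The check_assertion_claims function is the useful part when a connection test fails: a mismatched aud (for example the v1 instead of the v2 token endpoint), a stale exp, or a Client ID that differs between iss and sub are the usual reasons the Token URL returns an invalid_client error before the signature is ever checked.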