Give Invictus access to your Azure Active Directory

To use your Azure Active Directory groups for authentication and flow authorization, follow these steps.

  1. Register an application for Invictus
    • Choose the multi-tenant account type option so that Invictus can use the app registration.
    • Add the redirect URIs of your Invictus pages, i.e.:
    • 👉 Make sure to check the ☑️ Access tokens checkbox so that tokens are issued (more info)
    • Add a new client secret (copy the value for later use)
    • Linked Enterprise application:
  2. Let the app expose an API with scoped permissions
    • Use the default Application ID URI (copy the value for later use).
    • Add a scope with admin and user consent.
  3. Add API permissions
    • Microsoft Graph
      • Directory.Read.All, Delegated (looking up directory objects)
      • User.Read, Delegated (looking up users)
      • User.Read.All, Delegated + Application (looking up a user's info)
      • Group.Read.All, Application (looking up available groups)
      • Mail.Send, Application (sending 'forgot password' mails)
    • My APIs, Delegated (the scoped API permission you created in the previous step)
  4. Pass the app registration values to the Invictus deployment
    • azureActiveDirectoryClientId (App registration > Overview)
    • azureActiveDirectoryTenantId (App registration > Overview)
    • azureActiveDirectoryClientSecret (paste the secret generated earlier)
    • azureActiveDirectoryAudience (the default Application ID URI)
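A quick way to confirm that a registration matches the steps above before handing its values to the deployment. This is an added example, not Invictus code; it assumes the JSON shapes returned by `az ad app show --id <appId>` and by `az ad sp show` for the Microsoft Graph service principal, and the sample manifests at the bottom are constructed with placeholder ids.

```python
# Added check for the app registration steps above (not Invictus code). Inputs follow the
# shapes of `az ad app show --id <appId>` and the Microsoft Graph service principal from
# `az ad sp show --id 00000003-0000-0000-c000-000000000000` (used to resolve permission names).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph application id
# Graph permissions listed in step 3: Scope = delegated, Role = application
REQUIRED_GRAPH = {"Directory.Read.All": {"Scope"}, "User.Read": {"Scope"},
                  "User.Read.All": {"Scope", "Role"}, "Group.Read.All": {"Role"},
                  "Mail.Send": {"Role"}}

def graph_permission_ids(graph_sp):
    """Map (permission name, kind) -> permission id from the Graph service principal."""
    ids = {(s["value"], "Scope"): s["id"] for s in graph_sp.get("oauth2PermissionScopes", [])}
    ids.update({(r["value"], "Role"): r["id"] for r in graph_sp.get("appRoles", [])})
    return ids

def check_app(app, graph_sp, deployment_audience):
    """Return findings (an empty list means the registration matches the steps)."""
    findings = []
    web = app.get("web", {})
    if app.get("signInAudience") != "AzureADMultipleOrgs":
        findings.append("account type is not multi-tenant")
    if not web.get("redirectUris"):
        findings.append("no redirect URIs configured")
    if not web.get("implicitGrantSettings", {}).get("enableAccessTokenIssuance"):
        findings.append("access token issuance is not enabled")
    if not any(s.get("isEnabled") for s in app.get("api", {}).get("oauth2PermissionScopes", [])):
        findings.append("app exposes no enabled API scope")
    uris = app.get("identifierUris", [])
    if not uris:
        findings.append("no Application ID URI set")
    elif deployment_audience not in uris:
        findings.append("azureActiveDirectoryAudience does not match an Application ID URI")
    granted = {(ra["id"], ra["type"]) for rra in app.get("requiredResourceAccess", [])
               if rra["resourceAppId"] == GRAPH_APP_ID for ra in rra["resourceAccess"]}
    ids = graph_permission_ids(graph_sp)
    for name, kinds in REQUIRED_GRAPH.items():
        for kind in sorted(kinds):
            if (ids.get((name, kind)), kind) not in granted:
                findings.append(f"missing Graph {kind} permission {name}")
    return findings

# Constructed sample data with placeholder ids (not real Graph permission ids)
SAMPLE_GRAPH_SP = {"oauth2PermissionScopes": [{"value": "User.Read", "id": "id-user-read"}],
                   "appRoles": [{"value": "Group.Read.All", "id": "id-group-read-all"}]}
SAMPLE_APP = {"signInAudience": "AzureADMultipleOrgs", "identifierUris": ["api://placeholder-app-id"],
              "web": {"redirectUris": ["https://invictus.example/signin"],
                      "implicitGrantSettings": {"enableAccessTokenIssuance": True}},
              "api": {"oauth2PermissionScopes": [{"isEnabled": True}]},
              "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
                  {"id": "id-user-read", "type": "Scope"}, {"id": "id-group-read-all", "type": "Role"}]}]}
```

Running `check_app(SAMPLE_APP, SAMPLE_GRAPH_SP, "api://placeholder-app-id")` on the constructed sample reports only the Graph permissions the sample never granted.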