
Register Nodinite Applications in Azure AD (Entra ID) with OpenID

Empower your organization with secure, modern authentication and authorization using Microsoft Entra ID (Azure AD) and Nodinite. This guide provides step-by-step instructions to register and configure the webApi, webClient, and NodiniteInstallationClient applications for seamless integration, robust security, and future-proof scalability.

  • ✅ Effortlessly register Azure AD applications for Nodinite integration
  • ✅ Enable secure OpenID Connect authentication for all Nodinite services
  • ✅ Grant delegated and application permissions with admin consent for compliance
  • ✅ Streamline token and manifest configuration for reliability
  • ✅ Capture all essential IDs and secrets for ongoing management

For details on configuring OpenID Connect and OAuth 2.0 authentication in Nodinite, see the Install Nodinite v7 – OpenID Connect (OIDC) and OAuth 2.0 guide.

Prerequisites

Before you begin, ensure you have:

  • Azure AD Administrator access – You need permissions to register applications and grant admin consent in your Azure AD tenant.
  • An active Azure subscription – Required for Microsoft Entra ID (Azure AD) services.
  • A secure location to store credentials – Keep a password manager or secure note app ready to capture sensitive values.

What You Will Create

You will register three distinct applications in Microsoft Entra ID (Azure AD), each serving a critical role in your Nodinite integration. This separation of concerns enhances security, simplifies troubleshooting, and provides granular control over permissions:

  1. webApi – The backbone of your integration. This protected API exposes delegated permission scopes (for user access) and application permission app roles (for service-to-service communication). It ensures that only authorized applications and users can interact with Nodinite resources.
  2. webClient – Your users' gateway to Nodinite. This interactive web application requests delegated permission scopes, enabling users to sign in securely and access Nodinite features with their Azure AD credentials. It leverages modern authentication protocols like Authorization Code + PKCE for maximum security.
  3. NodiniteInstallationClient – Your automation powerhouse. This background/daemon client uses application permissions to perform unattended tasks like installations, updates, and system maintenance without user interaction. It enables seamless CI/CD integration and automated operations.

This setup is complete when:

  • You configure the API to expose: nodinite_webapi_all (Scope) and AppRole_WebApi_all (App Role).
  • You grant the webClient the delegated permission (Admin consent = Granted).
  • You grant the NodiniteInstallationClient the application permission (Admin consent = Granted).
  • You have copied all IDs, secrets, and the API Application ID URI for future reference.

Tip

Keep a secure note open to capture: Tenant (Directory) ID, each Application (client) ID, each Secret Value (shown only once), and the API Application ID URI.


1. Create the API Application – webApi

Tip

Register the webApi — the secure, manageable API that lets you control who and what accesses Nodinite services.

1.1 Register the Application

  1. Azure Portal: Microsoft Entra ID > App registrations > + New registration.
  2. Name: webApi
  3. Supported account types: Accounts in this organizational directory only (Single tenant).
  4. Redirect URI: (leave blank)
  5. Click Register.
  6. In Overview, copy Application (client) ID and Directory (tenant) ID.

webApi Overview
The Azure Portal displays the registered webApi application overview.

1.2 Set Application ID URI & Add Scope

The Application ID URI uniquely identifies your API in your organization. Client applications use this URI to request tokens for your API.

  1. Left menu: Expose an API.
  2. If prompted, click Set for Application ID URI (accept default or confirm the value). Copy this value—you'll need it later.
  3. Under Scopes defined by this API, click + Add a scope.
    • Scope name: nodinite_webapi_all
    • Who can consent: Admins only
    • Admin consent display name: Full access to Nodinite WebAPI
    • Admin consent description: Full access to Nodinite WebAPI
    • State: Enabled
    • Click Add scope.

Expose an API – Scope Added
You add a scope to the webApi application for delegated permissions.

Important

When configuring Nodinite OpenID settings: You will use this scope in the Scopes field (OAuth Web Client settings - see section "OAuth Web Client settings" in the OpenID page) in the format: api://<webApi-client-id>/nodinite_webapi_all. Example: api://d731e991-1234-5678-90ab-cdef12345678/nodinite_webapi_all. This is the full scope identifier that grants delegated access to your webApi.

1.3 Add App Role (Application Permission)

  1. Still on the Expose an API page, click Go to App roles (or choose App roles in the left menu).
  2. Click + Create app role:
    • Display name: AppRole_WebApi_all
    • Allowed member types: Users/Groups, Applications (ensure Applications is included)
    • Value: AppRole_WebApi_all
    • Description: AppRole_WebApi_all
    • State: Enabled
  3. Click Apply / Create.

App Roles
You configure app roles for application permissions in webApi.

Tip

When configuring Nodinite OpenID settings: You will use this app role value in the Installation Client Claims field (OAuth General settings - see section "OAuth General settings" in the OpenID page). Use KEY: http://schemas.microsoft.com/ws/2008/06/identity/claims/role, VALUE: AppRole_WebApi_all. This enables the NodiniteInstallationClient to authenticate with application permissions.

1.4 Add Groups Claim to Tokens

Adding groups claims enables Nodinite to leverage your Azure AD security groups for role-based access control (RBAC), simplifying permission management.

  1. Left menu: Token configuration.
  2. Click + Add groups claim.
  3. Select Security groups (or the option your organization requires) and ensure Group ID is chosen as the format for Access and ID tokens.
  4. Click Add and then Save.

Token Configuration – Groups Claim
The token configuration shows the groups claim you added for security groups.

Important

When configuring Nodinite OpenID settings: You will need your security group's Object ID for the Nodinite Claims field (OAuth Web Client settings - see section "OAuth Web Client settings" in the OpenID page).

To find your security group Object ID:

  1. In Azure Portal, navigate to Microsoft Entra ID > Groups
  2. Search for and select your Nodinite security group (e.g., "Nodinite Users" or "Nodinite Admins")
  3. In the group's Overview page, copy the Object ID (a GUID like 66f862e8-1234-5678-90ab-cdef12345678)
  4. Store this value securely—you'll use it as: KEY: groups, VALUE: <your-security-group-object-id>

This group ID must match a group assigned to your users in Azure AD for them to access Nodinite.

1.5 Set Access Token Version to 2

Version 2 tokens are more secure and include enhanced claims that Nodinite requires for proper authentication and authorization. This ensures compatibility with modern identity standards.

  1. Left menu: Manifest.
  2. Locate "requestedAccessTokenVersion": 2. If missing or different, set it to 2.
  3. Click Save.

Manifest – requestedAccessTokenVersion 2
You configure the manifest with requestedAccessTokenVersion set to 2.

Tip

When configuring Nodinite OpenID settings: You will use the webApi Application (client) ID as the Audience value in the OAuth Web API settings section (see section "OAuth Web API settings" in the OpenID page).

webApi configuration is complete. You have successfully created the core API that powers your Nodinite authentication infrastructure.


2. Create the Interactive Client – webClient

Tip

Register the webClient — give your users secure, single-sign-on access to Nodinite using Azure AD and modern authentication.

2.1 Register webClient

  1. App registrations > + New registration.
  2. Name: webClient
  3. Supported account types: Single tenant.
  4. Redirect URI (Platform Web): Enter the URL where your Nodinite Web Client will be hosted, followed by /signin-oidc. For example: https://nodinite.yourdomain.com:50000/signin-oidc. If you're testing locally, use http://localhost:50000/signin-oidc or your local development URL.
  5. Click Register.
  6. Copy the Application (client) ID. You will need this value when configuring Nodinite.

Web Client Overview
The Azure Portal displays the registered webClient application overview.

Tip

When configuring Nodinite OpenID settings: You will use the webClient Application (client) ID in the Client ID field (OAuth Web Client settings - see section "OAuth Web Client settings" in the OpenID page).

2.2 Configure Authentication

Secure your authentication flow by using modern protocols. The Authorization Code + PKCE flow provides superior security compared to legacy implicit grant flows.

  1. Left menu: Authentication.
  2. Confirm the redirect URI is listed.
  3. Leave Implicit grant checkboxes unchecked (modern auth uses Authorization Code + PKCE for enhanced security).
  4. Ensure Allow public client flows is No (unless specifically required for mobile/desktop scenarios).
  5. Click Save if you made any changes.

Web Client Authentication
You configure authentication settings for the webClient application.

Tip

When configuring Nodinite OpenID settings: The redirect URI you configured here must match the Callback Path field in the OAuth Web Client settings (see section "OAuth Web Client settings" in the OpenID page). The default callback path is /signin-oidc, so your full redirect URI should be https://your-nodinite-url:port/signin-oidc.
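To make the "Authorization Code + PKCE" choice in step 3 concrete, here is an added Python example (not code from the Nodinite project or the original page) of the two halves of PKCE: the webClient generating a code verifier and S256 challenge and building the authorization request, and the check the token endpoint performs before exchanging the code. The tenant ID, client IDs and redirect URI are constructed placeholders; only the URL layout, parameter names and scope format follow the guide.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder identifiers, not real tenant or application IDs.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
WEBCLIENT_ID = "11111111-1111-1111-1111-111111111111"
WEBAPI_ID = "22222222-2222-2222-2222-222222222222"
REDIRECT_URI = "https://nodinite.example.com:50000/signin-oidc"


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 characters, inside the 43..128 range RFC 7636 allows."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, nonce: str, verifier: str) -> str:
    """Authorization request the webClient redirects the user to; the verifier stays server-side."""
    scopes = ["openid", "profile", "email", "offline_access",
              f"api://{WEBAPI_ID}/nodinite_webapi_all"]
    params = {
        "client_id": WEBCLIENT_ID,
        "response_type": "code",       # authorization code; "token"/"id_token" would be the implicit grant
        "redirect_uri": REDIRECT_URI,  # must match the URI registered in section 2.1 exactly
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                # CSRF protection, bound to the user's session
        "nonce": nonce,                # replay protection for the ID token
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?"
            + urlencode(params))


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """The check the token endpoint performs before exchanging the code for tokens."""
    return secrets.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(build_authorize_url(state="s1", nonce="n1", verifier=verifier))
    print("PKCE ok:", verify_pkce(code_challenge_s256(verifier), verifier))
```

Because only the SHA-256 challenge travels in the browser and the verifier is sent directly to the token endpoint, an intercepted authorization code cannot be redeemed without the verifier, which is why the implicit-grant checkboxes can stay unchecked.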

2.3 Add API Permissions (Delegated)

  1. Left menu: API permissions > + Add a permission.
  2. Choose My APIs > select webApi.
  3. Choose Delegated permissions and tick nodinite_webapi_all.
  4. Click Add permissions.
  5. Click Grant admin consent for [Your Tenant Name] and confirm. The status should change to Granted. This step is crucial—it authorizes the webClient to access the webApi on behalf of your users.

Web Client API Permissions
You configure API permissions for delegated access to webApi.

Important

When configuring Nodinite OpenID settings: This delegated permission corresponds to the custom API scope you must add in the Scopes field (OAuth Web Client settings - see section "OAuth Web Client settings" in the OpenID page). You'll enter it as: api://<webApi-client-id>/nodinite_webapi_all along with the default scopes (openid, profile, email, offline_access).

2.4 Create Client Secret (Confidential Web App)

  1. Left menu: Certificates & secrets > + New client secret.
  2. Add a description and expiry per policy.
  3. Click Add.
  4. Copy the Value immediately (you cannot view it again); store securely.

Web Client – Client Secret
You create a client secret for the webClient application.

Warning

Store this secret value securely! You will need it during Nodinite installation, but Azure AD only displays it once. If lost, you must generate a new secret. This secret is not entered in the OpenID configuration page—it's used internally by the Nodinite installation process.

Web Client configuration is complete. Your users can now sign in to Nodinite securely using their Azure AD credentials, enabling centralized identity management and single sign-on (SSO) capabilities.


3. Create the Installation / Daemon Client – NodiniteInstallationClient

3.1 Register

Tip

Register the NodiniteInstallationClient — enable secure, unattended automation for installs, updates, and maintenance to streamline your DevOps workflows.

  1. App registrations > + New registration.
  2. Name: NodiniteInstallationClient
  3. Supported account types: Single tenant.
  4. Redirect URI: leave blank.
  5. Register.
  6. Copy Application (client) ID.

Installation Client Overview
The Azure Portal displays the registered NodiniteInstallationClient application overview.

Tip

When configuring Nodinite OpenID settings: You will use this Application (client) ID in the Installation Client ID field (OAuth General settings - see section "OAuth General settings" in the OpenID page).

3.2 Add Application Permission

Application permissions enable service-to-service authentication without user interaction—essential for automated deployments and background tasks.

  1. Left menu: API permissions > + Add a permission.
  2. My APIs > select webApi.
  3. Choose Application permissions (not Delegated).
  4. Tick AppRole_WebApi_all.
  5. Click Add permissions.
  6. Click Grant admin consent and confirm. The status should change to Granted. This authorizes the installation client to act independently without requiring a signed-in user.

Installation Client – API Permissions (Application)
You configure API permissions for the NodiniteInstallationClient application.

Important

When configuring Nodinite OpenID settings: This application permission corresponds to two configuration fields in the OAuth General settings (see section "OAuth General settings" in the OpenID page):

  1. Installation Client Scopes: Enter api://<webApi-client-id>/.default (the .default scope requests all application permissions granted to this client)
  2. Installation Client Claims: Use KEY: http://schemas.microsoft.com/ws/2008/06/identity/claims/role, VALUE: AppRole_WebApi_all (this matches the app role value from section 1.3)
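The scope, app role, groups claim and token version configured in sections 1.2 to 1.5, and the application permission granted here, all end up as claims in the access token that webApi receives. The following added Python example (not Nodinite's own code) shows the authorization decision a resource server makes over those claims: audience equal to the webApi client ID, the tenant's v2.0 issuer, a `ver` of 2.0, then either the delegated scope plus a permitted security group (webClient) or the app role (NodiniteInstallationClient). All IDs and the sample claim sets are constructed placeholders, and the function assumes the token's signature and expiry were already verified against the tenant's signing keys. The raw JWT claim is `roles`; the `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` key used in the Nodinite settings is the name .NET's JWT handler maps it to.

```python
from dataclasses import dataclass

# Constructed placeholder identifiers; substitute the values captured in sections 1.1 and 1.4.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
WEBAPI_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
NODINITE_USERS_GROUP_ID = "33333333-3333-3333-3333-333333333333"

EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
REQUIRED_SCOPE = "nodinite_webapi_all"     # delegated scope from section 1.2
REQUIRED_APP_ROLE = "AppRole_WebApi_all"   # app role value from section 1.3


@dataclass
class Decision:
    allowed: bool
    principal: str   # "user", "app" or "none"
    reason: str


def authorize(claims: dict, allowed_groups: set) -> Decision:
    """Enforce audience, issuer, token version and the scope/role/group mapping.

    Assumes the JWT signature and expiry were already verified against the tenant's
    signing keys (located via the discovery URL); this function only inspects claims.
    """
    if claims.get("aud") != WEBAPI_CLIENT_ID:
        return Decision(False, "none", "audience is not the webApi client ID")
    if claims.get("iss") != EXPECTED_ISSUER:
        return Decision(False, "none", "issuer is not this tenant's v2.0 endpoint")
    if claims.get("ver") != "2.0":
        return Decision(False, "none", "not a v2 token; check requestedAccessTokenVersion")

    # v2 delegated tokens carry scopes as a space-separated "scp" string;
    # app roles arrive as a JSON array in "roles"; group IDs as an array in "groups".
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    groups = set(claims.get("groups", []))

    if scopes:  # a signed-in user is behind this token (webClient, delegated flow)
        if REQUIRED_SCOPE not in scopes:
            return Decision(False, "user", f"scope {REQUIRED_SCOPE} not granted")
        if "groups" in claims.get("_claim_names", {}):
            # Group overage: the directory omitted the list because the user is in too many
            # groups. Membership must then be resolved out of band; deny rather than guess.
            return Decision(False, "user", "groups claim overage; resolve membership via Graph")
        if not groups & allowed_groups:
            return Decision(False, "user", "user is not in a permitted Nodinite security group")
        return Decision(True, "user", "delegated access via scope and group membership")

    if REQUIRED_APP_ROLE in roles:  # no user: NodiniteInstallationClient, client credentials
        return Decision(True, "app", "application access via app role")
    return Decision(False, "none", "neither delegated scope nor app role present")


# Constructed sample claim sets, shaped like decoded v2 access tokens from the two flows.
USER_TOKEN = {
    "aud": WEBAPI_CLIENT_ID, "iss": EXPECTED_ISSUER, "ver": "2.0",
    "scp": "nodinite_webapi_all", "groups": [NODINITE_USERS_GROUP_ID],
    "preferred_username": "alice@example.com",
}
APP_TOKEN = {
    "aud": WEBAPI_CLIENT_ID, "iss": EXPECTED_ISSUER, "ver": "2.0",
    "roles": ["AppRole_WebApi_all"],
}
V1_TOKEN = {**APP_TOKEN, "ver": "1.0", "iss": f"https://sts.windows.net/{TENANT_ID}/"}

if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("app", APP_TOKEN), ("v1", V1_TOKEN)]:
        print(name, authorize(tok, {NODINITE_USERS_GROUP_ID}))
```

The V1_TOKEN case shows what happens when requestedAccessTokenVersion is left unset: the issuer and `ver` claims differ, so a resource configured for the v2.0 discovery URL rejects the token even though the client and permissions are otherwise correct.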

3.3 Create Client Secret

  1. Left menu: Certificates & secrets > + New client secret.
  2. Add a description and an expiry per policy.
  3. Click Add and copy the Value immediately; store securely.

Installation Client – Client Secret
You create a client secret for the NodiniteInstallationClient application.

Warning

Store this secret value securely! You will need it during Nodinite installation, but Azure AD only displays it once. If lost, you must generate a new secret. This secret is used by the installation process to authenticate the NodiniteInstallationClient.

NodiniteInstallationClient configuration is complete. You now have a robust automation client that can perform unattended installations, updates, and maintenance tasks—perfect for DevOps workflows and CI/CD pipelines.

What You've Accomplished

Congratulations! You have successfully registered three Azure AD applications that form the security foundation of your Nodinite integration:

  • Enhanced Security – Leveraged Azure AD's enterprise-grade authentication with multi-factor authentication (MFA) support, conditional access policies, and audit logging.
  • Centralized Identity Management – Eliminated the need for separate credentials by integrating with your existing Azure AD user directory.
  • Granular Access Control – Configured delegated and application permissions that ensure users and services only access what they need.
  • Compliance Ready – Aligned with industry best practices for authentication and authorization, supporting compliance frameworks like ISO 27001, SOC 2, and GDPR.
  • Automation Enabled – Set up a dedicated installation client that streamlines deployments and reduces manual configuration errors.

Next Step

Now that you've registered your Azure AD applications, you're ready to configure Nodinite to use them (see the Install Nodinite v7 – OpenID Connect (OIDC) and OAuth 2.0 guide referenced above):

Quick Reference: What Goes Where

  • Discovery URL (OAuth General settings): https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
  • Installation Client ID (OAuth General settings): NodiniteInstallationClient Application (client) ID from section 3.1
  • Installation Client Scopes (OAuth General settings): api://<webApi-client-id>/.default using webApi client ID from section 1.1
  • Installation Client Claims (OAuth General settings): KEY: http://schemas.microsoft.com/ws/2008/06/identity/claims/role, VALUE: AppRole_WebApi_all from section 1.3
  • Client ID (OAuth Web Client settings): webClient Application (client) ID from section 2.1
  • Scopes (OAuth Web Client settings): openid, profile, email, offline_access, and api://<webApi-client-id>/nodinite_webapi_all from section 1.2
  • Nodinite Claims (OAuth Web Client settings): KEY: groups, VALUE: security group Object ID from section 1.4
  • Audiences (OAuth Web API settings): webApi Application (client) ID from section 1.1

Install Nodinite v7
Updating Nodinite v7