Integrate OIDC Support with Azure AD

This procedure provides instructions for integrating MicroStrategy applications with Azure AD using OIDC authentication.

• Create an Application
• Configure MicroStratgy Library in Workstation
• Enable OIDC Auth Mode for MicroStrategy Library
• Configure and Enable OIDC Auth Mode for MicroStrategy Web/MicroStrategy Mobile

Create an Application

1. Sign in to the Azure portal. If you have already launched Azure Active Directory, under Manage, select App registration.
2. Click New registration.
3. In Register an application, enter MicroStrategy as the application name. Choose the account type that best fits your enterprise identity access management.

4. Under Redirect URI, select Public client/native (mobile and desktop). Enter the Library URL suffixed by /auth/oidc/login as shown below.

   https://env-xxxxxx.customer.cloud.microstrategy.com/MicroStrategyLibrary/auth/oidc/login

5. Click Register.

6. In the newly created app registration screen, locate Authentication in the navigation pane and add the following mobile and desktop application URIs. Replace the environment-specific URIs with your environment name.

   • http://127.0.0.1
   • com.microstrategy.hypermobile://auth
   • com.microstrategy.dossier.mobile://auth
   • com.microstrategy.mobile://auth
   • https://env-xxxx.customer.cloud.microstrategy.com/MicroStrategyLibrary/static/oidc/success.html
   • https://env-xxxxxx.customer.cloud.microstrategy.com:443/MicroStrategy/auth/oidc/login
   • https://env-xxxxxx.customer.cloud.microstrategy.com:443/MicroStrategyMobile/auth/oidc/login
7. Click Save.

8. In the navigation pane, locate API permissions.

9. Click Add a permission > Microsoft Graph > Delegated permissions.

10. Search for Directory.Read.All, expand Directory, select Directory.Read.All, and click Add permissions.

    

11. Click Update permissions.

12. In the navigation pane, locate Manifest and download the manifest file.

13. In the navigation pane, locate Overview and take note of the Client ID for later.

14. Click Endpoints and copy the OpenID Connect metadata document field.

    

15. Add group claims by choosing Token configuration > Add group claims > ID and save the defined group claim.

    

Configure MicroStratgy Library in Workstation

1. Open Workstation and connect to the Library environment using standard authentication with an admin privilege user.

2. Right-click on the connected environment and choose Configure Enterprise Security.

3. Under MicroStrategy Configuration, upload the manifest file you downloaded earlier and provide the OpenID Connect metadata document details.



4. Click Save. For more information about enabling OpenID Connection (OIDC) authentication in Workstation, see Configure Enterprise Security.

Enable OIDC Auth Mode for MicroStrategy Library

1. Go to the Library Admin page to enable OIDC authentication as the default for MicroStrategy Library.

https://env-xxxxxx.customer.cloud.microstrategy.com/MicroStrategyLibrary/admin

2. In the navigation pane, click Library Server.
3. Under Authentication Modes, select OIDC, and click Create Trusted Relationship.
4. Log in, deselect Standard, and click Save. For more information, see Enable OIDC Authentication for MicroStrategy Library.

Configure and Enable OIDC Auth Mode for MicroStrategy Web/MicroStrategy Mobile

The procedure below refers to MicroStrategy Web. However, the same information applies to MicroStrategy Mobile unless otherwise noted.

1. Go to the MicroStrategy Web admin page.

   https://env-xxxxxx.customer.cloud.microstrategy.com/MicroStrategy/servlet/mstrWebAdmin

2. Locate the connected Intelligence server and click Modify.
3. Click Setup next to the trust relationship between the Web server and MicroStrategy Intelligence server.
4. Enter the user credentials with admin privileges and click Create Trust Relationship.
5. In the navigation pane, click Default properties and enable OIDC Authentication.

6. Under OIDC Configuration, complete the remaining fields.

   

   Click here to view details about the OIDC Configuration section.

   Client ID Enter the client ID of your Azure application.

   Client Secret This field is only required when the Azure application is a Web app. If you deployed a Public client/native app in Create an Application, you can leave this field blank.

   Issuer The OpenID Connect metadata document field in the Endpoints section is the provider's issuer URL suffixed with /.well-known/openid-configuration. You must remove this suffix from the OpenID Connect metadata document to get the Issuer information.

   

   Example: If OpenID Connect metadata document is https://login.microsoftonline.com/901c038b-xxxx-4259-b115-c1753c7735aa/v2.0/.well-known/openid-configuration, the Issuer is https://login.microsoftonline.com/901c038b-xxxx-4259-b115-c1753c7735aa/v2.0.

   Native Client ID This is the same as the client ID, unless configured otherwise.

   Redirect URI The default web redirect URI. This should not be changed unless configured otherwise.

   Scope The scopes used by MicroStrategy to authorize access to a user. This should not be changed unless configured otherwise.

   Claim Map

   • Full Name The user display name attribute. The default value for this field is name.
   • User ID The user distinguished login attribute. The default value for this field is email.
   • Email The user email address attribute. The default value for this field is email.
   • Groups The user group attribute. The default value for this field is groups.

   Admin Groups: Select admin groups whose members can access to the admin pages. You can have multiple admin groups.

   Example: ["WebAdmin","SystemAdmin"]
   Members belonging to WebAdmin and SystemAdmin can access the admin pages.

7. Click Save. For more information, see Enabling OIDC Authentication for JSP Web and Mobile