Add Microsoft 365 Authentication

Register Your Application

  • Sign in to the Azure portal.

  • Make sure the correct Azure directory is selected: switch to the correct Directory + subscription in the top right menu. This should be the same Azure directory in which the Microsoft 365 users are managed.

  • Search for and select Azure Entra ID.

  • Under Manage, select App registrations, then New registration.

  • Enter a Name for the application, for example Totalview Authentication.

  • Under Supported account types select “Accounts in this organizational directory only”.

  • Under Redirect URI, select “Web” in the Platform dropdown.

  • Under Redirect URI, set the address to the customer’s Totalview Authentication URL followed by “/signin-oidc” (e.g. https://example.totalview.cloud/Authentication/signin-oidc).

  • Select Register.

  • Under Manage, select Authentication.

  • Under Front-channel logout URL, enter the customer’s Totalview Authentication URL followed by “/signout-oidc” (e.g. https://example.totalview.cloud/Authentication/signout-oidc).

  • Under Implicit grant and hybrid flows, tick the ID tokens (used for implicit and hybrid flows) checkbox.

  • Select Save.

  • Note down the Application (client) ID and Directory (tenant) ID values, which are shown on the App Registration’s Overview page.
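
As an added example (not part of the original Totalview instructions), the registration steps above can also be scripted with the Az PowerShell module that the Advanced section below uses for client secrets. The cmdlet and parameter names (New-AzADApplication with -SignInAudience and a -Web hashtable, and the AppId property of the result) are assumed from the Microsoft Graph-based Az.Resources module; $tenantId and $baseUrl are placeholders to replace with the customer’s values.

```powershell
# Added example: scripted equivalent of the "Register Your Application" steps.
# Assumes the Microsoft Graph-based Az.Resources module (parameter names are assumed from it).

$tenantId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"            # Directory (tenant) ID where the Microsoft 365 users are managed
$baseUrl  = "https://example.totalview.cloud/Authentication"  # placeholder: customer's Totalview Authentication URL

Connect-AzAccount -TenantId $tenantId

# Web platform configuration, matching the portal settings step by step.
$webSettings = @{
    RedirectUri          = @("$baseUrl/signin-oidc")              # Redirect URI, platform "Web"
    LogoutUrl            = "$baseUrl/signout-oidc"                # Front-channel logout URL
    ImplicitGrantSetting = @{ EnableIdTokenIssuance = $true }     # "ID tokens" checkbox only; access tokens stay disabled
}

$params = @{
    DisplayName    = "Totalview Authentication"
    SignInAudience = "AzureADMyOrg"     # "Accounts in this organizational directory only"
    Web            = $webSettings
}
$app = New-AzADApplication @params

# These two values are what Totalview Web Admin asks for under External Authentication.
"Application (client) ID : $($app.AppId)"
"Directory (tenant) ID   : $tenantId"
```

Only the ID token checkbox is enabled: the implicit access-token setting is left off, which is the least-privilege choice for this sign-in-only registration.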

Create Client Secret

  • In the left pane, select Certificates & secrets.

  • Under Client secrets, select New client secret.

  • Add a Description for the client secret (e.g. client secret for Totalview).

  • Set Expires; choose the longest period available, since the secret is only stored in the Totalview database.

  • Select the Add button.

  • Under Client secrets, copy the Value of the client secret.

Go to the Totalview Web Admin interface and click on External Authentication. Fill in the required information.

Advanced - Using PowerShell

Alternatively, a client secret can be created using PowerShell. This has the advantage that secrets can be made to last longer than the portal allows.

# The Az PowerShell module must be installed first.
# To check whether it is installed, and which version, run:
Get-InstalledModule -Name Az

# If it is not found, install it:
Install-Module -Name Az -Repository PSGallery

# If it is already installed, update it to make sure it is the latest version:
Update-Module -Name Az

# Log in to the Azure account. Set $tenantId to the same value as the Directory (tenant) ID of the App Registration.
$tenantId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
Connect-AzAccount -TenantId $tenantId

# Create the secret. Set $appId to the same value as the Application (client) ID of the App Registration.
# Set $secretExpirationInYears to an appropriate value; there is no limit on how high it can be.
$appId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
$secretExpirationInYears = 5
$startDate = Get-Date
$endDate = $startDate.AddYears($secretExpirationInYears)
# The application object is piped in; the new password credential (including its value) is returned.
Get-AzADApplication -ApplicationId $appId | New-AzADAppCredential -StartDate $startDate -EndDate $endDate

The value of the secret will be shown after the last command. Make sure to copy it to a safe location, because it will not be displayed again.

Troubleshooting

No webpage was found…

If, when trying to log in using Microsoft 365, an error like the following is displayed in the browser… “No webpage was found for the web address: https://example.totalview.cloud/TotalviewAuthentication/External/Challenge?provide

This can be because the Tenant ID registered in Totalview does not match the Tenant ID of the App Registration.

This should be visible in the Totalview Authentication server logs on the Totalview server.

HttpResponseMessage.Content: '{"error":"invalid_tenant","error_description":"AADSTS90002: Tenant 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.

Double check that the value is correctly set in Totalview.

It can also be because, in the Web platform configuration, the ID tokens (used for implicit and hybrid flows) checkbox under Implicit grant and hybrid flows is not set.

This should be visible in the Totalview Authentication server logs on the Totalview server.

|ERROR|OpenIdConnectHandler|ResponseError|Message contains error: 'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.

Application with identifier was not found in the directory

If, when trying to log in using Microsoft 365, an error like the following is displayed in the browser… AADSTS700016: Application with identifier ‘aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee’ was not found in the directory ….

This can be because the Client ID is not set correctly in Totalview. Check again that it is set correctly.

Application is configured for use by Microsoft Account users only

If, when trying to log in using Microsoft 365, an error like the following is displayed in the browser… AADSTS9002331: Application ‘aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee’(Totalview Authentication) is configured for use by Microsoft Account users only. Please use the /consumers endpoint to serve this request.

This can be because Supported account types was not set correctly during creation. The correct value is “Accounts in this organizational directory only”.

response_type ‘id_token’ is not enabled for the application

If, when trying to log in using Microsoft 365, an error like the following is displayed in the browser… AADSTS700054: response_type ‘id_token’ is not enabled for the application.

This can be because no Platform Configuration has been registered. Make sure a Platform Configuration of type Web has been created, as specified in the Register Your Application section.

Also make sure that in the Web Platform Configuration, under Implicit grant and hybrid flows, the ID tokens (used for implicit and hybrid flows) checkbox is set.

User account ‘example@example.com’ from identity provider ‘forinstance.com’ does not exist in tenant

If, when trying to log in using Microsoft 365, an error like the following is displayed in the browser… AADSTS50020: User account ‘example@example.com’ from identity provider ‘forinstance.com’ does not exist in tenant…

This can happen if you log in with a user account that is not in the same Entra ID domain as the App Registration.

This can also happen when trying to log in with a Microsoft account that is not a work or school account. Personal Microsoft accounts are not supported for Microsoft 365 login in Totalview.

Try logging in with an account that is in the same Entra ID as the App Registration, or create a new App Registration in the same Entra ID domain as the login user.

No reply address is registered for the application

If, when trying to log in using Microsoft 365, an error like the following is displayed in the browser… AADSTS500113: No reply address is registered for the application.

This can happen if no entry with the “Web” platform and a valid URL has been created under the App Registration’s Platform configurations.

Double check that the App Registration’s Web platform is configured correctly, as specified under the Register Your Application section above.

The redirect URI ‘https://example.totalview.cloud/TotalviewAuthentication/signin-oidc’ specified in the request does not match…

If, when trying to log in using Microsoft 365, an error like the following is displayed in the browser… AADSTS50011: The redirect URI ‘https://example.totalview.cloud/TotalviewAuthentication/signin-oidc’ specified in the request does not match the redirect URIs configured for the application…

This can happen if the URL in the Web Platform Configuration of the App Registration is not correct.

Double check that the App Registration’s Web platform is configured correctly, as specified under the Register Your Application section above.
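
As an added example (not part of the original Totalview instructions), the following PowerShell check reads the App Registration with the Az module used in the Advanced section and compares it against the causes listed in the sections above, from “Application with identifier was not found in the directory” through “The redirect URI … does not match”. The cmdlets (Get-AzTenant, Get-AzADApplication) and property names (SignInAudience, Web.RedirectUri, Web.LogoutUrl, Web.ImplicitGrantSetting.EnableIdTokenIssuance) are assumed from the Microsoft Graph-based Az.Resources module; $tenantId, $appId and $baseUrl are placeholders, and the function name is chosen here.

```powershell
# Added example: verify an existing App Registration against the troubleshooting causes above.
# Assumes the Microsoft Graph-based Az.Resources module; property names are assumed from it.

$tenantId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"            # Directory (tenant) ID as entered in Totalview
$appId    = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"            # Application (client) ID as entered in Totalview
$baseUrl  = "https://example.totalview.cloud/Authentication"  # placeholder: customer's Totalview Authentication URL

function Test-TotalviewAppRegistration {
    param([string]$TenantId, [string]$AppId, [string]$BaseUrl)

    $problems = @()

    # AADSTS90002 (invalid_tenant): the tenant ID entered in Totalview must be a tenant this account can see.
    if (-not (Get-AzTenant -TenantId $TenantId -ErrorAction SilentlyContinue)) {
        $problems += "Tenant $TenantId not found; compare with the Directory (tenant) ID in Totalview."
        return $problems
    }

    # AADSTS700016: the client ID entered in Totalview must be an application in that tenant.
    $app = Get-AzADApplication -ApplicationId $AppId -ErrorAction SilentlyContinue
    if (-not $app) {
        $problems += "Application $AppId not found in tenant $TenantId; check the Client ID in Totalview."
        return $problems
    }

    # AADSTS9002331: Supported account types must be "Accounts in this organizational directory only".
    if ($app.SignInAudience -ne "AzureADMyOrg") {
        $problems += "SignInAudience is '$($app.SignInAudience)', expected 'AzureADMyOrg'."
    }

    # AADSTS500113 / AADSTS50011: a Web platform redirect URI must exist and match <base>/signin-oidc exactly.
    $expectedRedirect = "$BaseUrl/signin-oidc"
    if (-not $app.Web -or -not $app.Web.RedirectUri) {
        $problems += "No Web platform redirect URI is registered (AADSTS500113)."
    } elseif ($app.Web.RedirectUri -notcontains $expectedRedirect) {
        $problems += "Redirect URI '$expectedRedirect' is not among: $($app.Web.RedirectUri -join ', ') (AADSTS50011)."
    }

    # AADSTS700054: the ID tokens checkbox must be set on the Web platform.
    if (-not $app.Web.ImplicitGrantSetting.EnableIdTokenIssuance) {
        $problems += "ID token issuance is not enabled for the Web platform (AADSTS700054)."
    }

    # Not an AADSTS error, but the registration steps require the front-channel logout URL.
    if ($app.Web.LogoutUrl -ne "$BaseUrl/signout-oidc") {
        $problems += "Front-channel logout URL is '$($app.Web.LogoutUrl)', expected '$BaseUrl/signout-oidc'."
    }

    return $problems
}

Connect-AzAccount -TenantId $tenantId
$result = Test-TotalviewAppRegistration -TenantId $tenantId -AppId $appId -BaseUrl $baseUrl
if ($result.Count -eq 0) { "App Registration matches the expected Totalview settings." }
else { $result | ForEach-Object { "PROBLEM: $_" } }
```

The check stops early when the tenant or application cannot be found, because the remaining comparisons would only produce misleading follow-on errors, which is the same order in which the sign-in itself fails.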

Access Denied

If, when trying to log in using Microsoft 365, an error like the following is displayed in the browser… Access Denied

Try looking in the Totalview Authentication server logs. The problem could be that no Totalview user, or more than one, has an e-mail address matching the user logging in.

|ERROR|ExternalController|MoveNext(ExternalController.cs:342)|Could not find any user that matches the external provider AzureAd with userId .. and userName .., preferredUserName user@example.com, and email

Try searching in Admin to see whether the logged-in user’s e-mail address is assigned to one or multiple users. Totalview only accepts the login if there is a unique match.

New user with same e-mail address as previous employee

Totalview saves the user’s refresh token so that users do not need to log in as often.

This can cause problems if a user is deleted in Entra ID and a new user is then created with the same e-mail address.

The solution is to use the “Remove Links” function in Totalview Admin for the specific user.