Add Microsoft 365 Authentication¶
Register Your Application¶
Sign in to the Azure portal.
Make sure the correct Azure directory is selected: switch to the right Directory + subscription in the top-right menu. This must be the same directory (tenant) in which the Microsoft 365 users are managed.
Search for and select Microsoft Entra ID.
Under Manage, select App registrations, then New registration.
Enter a Name for the application, for example Totalview Authentication.
Under Supported account types select “Accounts in this organizational directory only”.
Under Redirect URI, select value “Web” in Platform dropdown.
Under Redirect URI, set the address to the customer’s Totalview Authentication URL followed by “/signin-oidc” (e.g. https://example.totalview.cloud/Authentication/signin-oidc).
Select Register.
Under Manage, select Authentication.
Under Front-channel logout URL, enter the customer’s Totalview Authentication URL followed by “/signout-oidc” (e.g. https://example.totalview.cloud/Authentication/signout-oidc).
Under Implicit grant and hybrid flows, tick the ID tokens (used for implicit and hybrid flows) checkbox. Only ID tokens are needed for this flow; leave Access tokens unticked unless some other integration requires them.
Select Save.
Note down the Application (client) ID and Directory (tenant) ID values from the app registration’s Overview page; both are entered in Totalview.
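The registration the steps above produce, expressed as the Microsoft Graph application object and checked programmatically. This is an added example, not Totalview code or Microsoft tooling; it assumes the Microsoft Graph `application` property names (signInAudience, web.redirectUris, web.logoutUrl, web.implicitGrantSettings), uses the page’s example base URL, and the SAMPLE_APP object is constructed for the demonstration. Each audit finding names the AADSTS error that the Troubleshooting section ties to that mistake.

```python
"""Derive the app-registration values the steps above produce from the
customer's Totalview Authentication base URL, and audit an Entra ID
application object against them.

Added example for this page; not Totalview code and not Microsoft tooling.
Property names follow the Microsoft Graph `application` resource; the
sample application object below is constructed for the demonstration.
"""
import json
import uuid
from urllib.parse import urlsplit


def expected_settings(auth_base_url: str) -> dict:
    """Settings the Register Your Application steps produce for one base URL."""
    base = auth_base_url.rstrip("/")
    if urlsplit(base).scheme != "https":
        raise ValueError("Totalview Authentication URL must be https")
    return {
        # "Accounts in this organizational directory only"
        "signInAudience": "AzureADMyOrg",
        "redirectUri": base + "/signin-oidc",
        "logoutUrl": base + "/signout-oidc",
        # Only the ID tokens checkbox is needed for this flow
        "enableIdTokenIssuance": True,
        "enableAccessTokenIssuance": False,
    }


def graph_application_body(display_name: str, auth_base_url: str) -> dict:
    """Request body for POST https://graph.microsoft.com/v1.0/applications
    that creates the same registration as the portal steps."""
    s = expected_settings(auth_base_url)
    return {
        "displayName": display_name,
        "signInAudience": s["signInAudience"],
        "web": {
            "redirectUris": [s["redirectUri"]],
            "logoutUrl": s["logoutUrl"],
            "implicitGrantSettings": {
                "enableIdTokenIssuance": s["enableIdTokenIssuance"],
                "enableAccessTokenIssuance": s["enableAccessTokenIssuance"],
            },
        },
    }


def audit_application(app: dict, auth_base_url: str) -> list:
    """Compare an application object (e.g. from GET /applications/{id})
    with the expected settings. Each finding names the AADSTS error the
    Troubleshooting section ties to that misconfiguration."""
    s = expected_settings(auth_base_url)
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    grant = web.get("implicitGrantSettings") or {}
    findings = []
    if app.get("signInAudience") != s["signInAudience"]:
        findings.append(
            f"signInAudience is {app.get('signInAudience')!r}, expected "
            f"'AzureADMyOrg' (wrong Supported account types; AADSTS9002331)")
    if not uris:
        findings.append("no Web redirect URI registered (AADSTS500113)")
    elif s["redirectUri"] not in uris:
        findings.append(f"redirect URI {s['redirectUri']} not registered (AADSTS50011)")
    if web.get("logoutUrl") != s["logoutUrl"]:
        findings.append(f"front-channel logout URL should be {s['logoutUrl']}")
    if not grant.get("enableIdTokenIssuance"):
        findings.append("ID tokens not enabled under Implicit grant and hybrid flows (AADSTS700054)")
    if grant.get("enableAccessTokenIssuance"):
        findings.append("Access tokens enabled via implicit grant; not needed here, disable")
    return findings


def is_guid(value) -> bool:
    """Client and tenant IDs noted down from the Overview page are GUIDs."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


# Constructed sample: a registration with the mistakes the Troubleshooting
# section describes (personal-account audience, wrong path, no ID tokens).
SAMPLE_APP = {
    "appId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "displayName": "Totalview Authentication",
    "signInAudience": "PersonalMicrosoftAccount",
    "web": {
        "redirectUris": ["https://example.totalview.cloud/signin-oidc"],
        "logoutUrl": None,
        "implicitGrantSettings": {"enableIdTokenIssuance": False,
                                  "enableAccessTokenIssuance": False},
    },
}

if __name__ == "__main__":
    url = "https://example.totalview.cloud/Authentication"
    print(json.dumps(graph_application_body("Totalview Authentication", url), indent=2))
    for finding in audit_application(SAMPLE_APP, url):
        print("-", finding)
```

Run it against the object returned by `GET https://graph.microsoft.com/v1.0/applications/{object-id}` to confirm a customer’s registration before the first login attempt; an empty findings list means all the settings above are in place.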
Troubleshooting¶
No webpage was found…¶
If, when trying to log in using Microsoft 365, the browser displays an error like… “No webpage was found for the web address: https://example.totalview.cloud/TotalviewAuthentication/External/Challenge?provide…
This can happen when the Tenant ID registered in Totalview does not match the Directory (tenant) ID of the app registration.
The browser message does not say so; the cause should be visible in the Totalview Authentication server logs on the Totalview server, for example:
HttpResponseMessage.Content: '{"error":"invalid_tenant","error_description":"AADSTS90002: Tenant 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
Double check that the value is correctly set in Totalview.
It can also happen when, for the Web platform configuration, the ID tokens (used for implicit and hybrid flows) checkbox under Implicit grant and hybrid flows is not ticked.
This too should be visible in the Totalview Authentication server logs on the Totalview server:
|ERROR|OpenIdConnectHandler|ResponseError|Message contains error: 'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.
Application with identifier was not found in the directory¶
If, when trying to log in using Microsoft 365, the browser displays an error like… AADSTS700016: Application with identifier ‘aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee’ was not found in the directory ….
This can happen when the Client ID set in Totalview does not match the Application (client) ID of the app registration. Check the value again.
Application is configured for use by Microsoft Account users only¶
If, when trying to log in using Microsoft 365, the browser displays an error like… AADSTS9002331: Application ‘aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee’(Totalview Authentication) is configured for use by Microsoft Account users only. Please use the /consumers endpoint to serve this request.
This can happen when Supported account types was not set correctly during registration. The correct value is “Accounts in this organizational directory only”.
response_type ‘id_token’ is not enabled for the application¶
If, when trying to log in using Microsoft 365, the browser displays an error like… AADSTS700054: response_type ‘id_token’ is not enabled for the application.
This can happen when no platform configuration has been registered. Make sure a platform configuration of type Web exists, as specified in the Register Your Application section.
Also make sure that, for the Web platform configuration, the ID tokens (used for implicit and hybrid flows) checkbox under Implicit grant and hybrid flows is ticked.
User account ‘example@example.com’ from identity provider ‘forinstance.com’ does not exist in tenant¶
If, when trying to log in using Microsoft 365, the browser displays an error like… AADSTS50020: User account ‘example@example.com’ from identity provider ‘forinstance.com’ does not exist in tenant…
This can happen if you log in with a user account that is not in the same Entra ID tenant as the app registration.
It can also happen when trying to log in with a Microsoft account that is not a work or school account. Personal Microsoft accounts are not supported for Microsoft 365 login in Totalview.
Log in with an account from the same Entra ID tenant as the app registration, or create a new app registration in the Entra ID tenant where the login user is located.
No reply address is registered for the application¶
If, when trying to log in using Microsoft 365, the browser displays an error like… AADSTS500113: No reply address is registered for the application.
This can happen if no entry of type “Web” with a valid URL has been created under the app registration’s Platform configurations.
Double check that App Registration Web Platform is configured correctly as specified under Register Your Application section above.
The redirect URI ‘https://example.totalview.cloud/TotalviewAuthentication/signin-oidc’ specified in the request does not match…¶
If, when trying to log in using Microsoft 365, the browser displays an error like… AADSTS50011: The redirect URI ‘https://example.totalview.cloud/TotalviewAuthentication/signin-oidc’ specified in the request does not match the redirect URIs configured for the application…
This can happen if the URL for the Web Platform Configuration is not correct in the App Registration.
Double check that App Registration Web Platform is configured correctly as specified under Register Your Application section above.
Access Denied¶
If, when trying to log in using Microsoft 365, the browser displays an error like… Access Denied
Check the Totalview Authentication server logs. The problem may be that no Totalview user, or more than one, has an e-mail address matching the user logging in, for example:
|ERROR|ExternalController|MoveNext(ExternalController.cs:342)|Could not find any user that matches the external provider AzureAd with userId .. and userName .., preferredUserName user@example.com, and email
Search in Admin to see whether the logged-in user’s e-mail address is assigned to one user or to several. Totalview only accepts the login if there is exactly one match.
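The log fragments quoted in the cases above can be triaged automatically. The script below is an added example and not part of Totalview: it searches Totalview Authentication server log lines for the AADSTS codes this section documents and for the ExternalController “Could not find any user” message, maps each to the documented cause and fix, and compares the tenant or client ID quoted in the error with the value noted down from the app registration. The sample log lines are constructed from the fragments on this page (the leading timestamp column is assumed, not taken from the page).

```python
"""Triage Totalview Authentication server log lines against the sign-in
failures documented in this Troubleshooting section.

Added example for this page, not Totalview code. The AADSTS codes and
causes are the ones the sections above describe; the sample log lines are
constructed from the fragments quoted on the page (the leading timestamp
column is assumed).
"""
import re

# Cause and fix for each AADSTS code the Troubleshooting section covers.
AADSTS_CAUSES = {
    "90002": ("tenant ID configured in Totalview not found",
              "compare the Tenant ID in Totalview with the app registration's Directory (tenant) ID"),
    "700016": ("client ID configured in Totalview not found in the directory",
               "compare the Client ID in Totalview with the app registration's Application (client) ID"),
    "9002331": ("app registration is configured for personal Microsoft accounts only",
                "set Supported account types to 'Accounts in this organizational directory only'"),
    "700054": ("response_type id_token is not enabled",
               "add a Web platform and tick 'ID tokens' under Implicit grant and hybrid flows"),
    "50020": ("user is not in the app registration's tenant, or is a personal account",
              "sign in with a work or school account from the same Entra ID tenant"),
    "500113": ("no reply address registered",
               "add a Web platform whose redirect URI ends in /signin-oidc"),
    "50011": ("redirect URI in the request does not match the registration",
              "correct the Web platform redirect URI in the app registration"),
}

AADSTS_RE = re.compile(r"AADSTS(\d+)")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Access Denied case: the ExternalController line quoted in the section above.
NO_USER_RE = re.compile(
    r"Could not find any user that matches the external provider (?P<provider>\S+)"
    r".*?preferredUserName (?P<upn>[^,\s]+)")


def _mismatch(ids, expected):
    """True when an expected ID is known, the log quotes IDs, and none match."""
    return bool(expected) and bool(ids) and expected.lower() not in [i.lower() for i in ids]


def triage_line(line, expected_tenant="", expected_client=""):
    """Return a finding dict for one log line, or None if the line is not one
    of the documented failures."""
    m = AADSTS_RE.search(line)
    if m:
        code = m.group(1)
        cause, fix = AADSTS_CAUSES.get(
            code, ("AADSTS error not covered on this page",
                   "look the code up in Microsoft's AADSTS error list"))
        ids = GUID_RE.findall(line)
        # The error quotes the ID Totalview actually sent; compare it with the
        # value noted down from the app registration's Overview page.
        if code == "90002" and _mismatch(ids, expected_tenant):
            fix += f"; Totalview sent tenant {ids[0]}, expected {expected_tenant}"
        if code == "700016" and _mismatch(ids, expected_client):
            fix += f"; Totalview sent client {ids[0]}, expected {expected_client}"
        return {"code": "AADSTS" + code, "cause": cause, "fix": fix, "ids": ids}
    m = NO_USER_RE.search(line)
    if m:
        return {"code": "AccessDenied",
                "cause": f"no unique Totalview user matches the {m.group('provider')} sign-in",
                "fix": f"search Admin for {m.group('upn')}; exactly one Totalview user may have that e-mail",
                "ids": []}
    return None


def triage_log(lines, expected_tenant="", expected_client=""):
    """Triage every line and keep the ones that matched a documented failure."""
    findings = []
    for line in lines:
        finding = triage_line(line, expected_tenant, expected_client)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log; the timestamp prefix is assumed, the rest follows
# the fragments quoted in this section.
SAMPLE_LOG = [
    "2024-05-02 08:15:01.123|ERROR|OpenIdConnectHandler|ResponseError|Message contains error: "
    "'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' "
    "is not enabled for the application.'",
    "HttpResponseMessage.Content: '{\"error\":\"invalid_tenant\",\"error_description\":"
    "\"AADSTS90002: Tenant 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' not found. Check to make sure "
    "you have the correct tenant ID and are signing into the correct cloud.\"}'",
    "2024-05-02 08:20:07.551|ERROR|ExternalController|MoveNext(ExternalController.cs:342)|"
    "Could not find any user that matches the external provider AzureAd with userId .. and "
    "userName .., preferredUserName user@example.com, and email",
    "2024-05-02 08:20:07.552|INFO|ExternalController|Callback|sign-in attempt finished",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG, expected_tenant="12345678-1234-1234-1234-123456789abc"):
        print(f"{f['code']}: {f['cause']} -> {f['fix']}")
```

Pass the Directory (tenant) ID and Application (client) ID noted down during registration as `expected_tenant` and `expected_client`; a finding that says “Totalview sent … expected …” pins the failure on the values entered in Totalview rather than on the app registration.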
New user with same e-mail address as previous employee¶
Totalview stores the user’s refresh token, together with the link to the external account, so that users do not need to log in as often.
This causes problems when a user is deleted in Entra ID and a new user is later created with the same e-mail address: the stored link and token still belong to the previous account.
The solution is to use the “Remove Links” function in Totalview Admin for the affected user. Do this as part of offboarding the previous employee rather than waiting for the new user’s login to fail.
