Core API & User Portal Authentication Setup
This guide covers creating the Microsoft Entra ID app registrations for the Core API and Chat (User) Portal.
Overview
You will create two app registrations:
| App Registration | Purpose | Type |
|---|---|---|
| FoundationaLLM-User-Portal | Chat portal authentication | Client (SPA) |
| FoundationaLLM-Core-API | Core API authentication | API |
Create the Client Application (User Portal)
Step 1: Register the Application
- Sign in to Microsoft Entra admin center
- Navigate to Identity > Applications > App registrations
- Click + New registration
- Configure:
  - Name: FoundationaLLM-User-Portal
  - Supported account types: Accounts in this organizational directory only
- Click Register
- Record the Application (client) ID and Directory (tenant) ID
Step 2: Configure Authentication
- Under Manage, select Authentication
- Click Add a platform > Single-page application
- Add Redirect URIs:

| Environment | URI |
|---|---|
| Production | <CHAT_PORTAL_URL>/signin-oidc |
| Local Dev | http://localhost:3000/signin-oidc |

- Click Configure
Step 3: Enable Implicit Grant
Under Implicit grant and hybrid flows:
- Check Access tokens
- Check ID tokens
- Click Save
Step 4: (Optional) Add Postman Redirect
For API testing with Postman:
- Click Add a platform > Mobile and desktop applications
- Add: https://oauth.pstmn.io/v1/callback
- Click Configure
Step 5: Update Manifest
- Under Manage, select Manifest
- Find accessTokenAcceptedVersion
- Change value to 2
- Click Save
Create the API Application (Core API)
Step 1: Register the Application
- Navigate to App registrations > + New registration
- Configure:
  - Name: FoundationaLLM-Core-API
  - Supported account types: Accounts in this organizational directory only
- Click Register
- Record the Application (client) ID and Directory (tenant) ID
Step 2: Configure Authentication
- Under Manage, select Authentication
- Click Add a platform > Web
- Enter Redirect URI: http://localhost
- Click Configure
Note: The localhost URI is required to enable token options but isn't used in production.
Step 3: Enable Implicit Grant
- Check Access tokens
- Check ID tokens
- Click Save
Step 4: Expose an API
- Under Manage, select Expose an API
- Click Add a scope
- Set Application ID URI: api://FoundationaLLM-Core
- Click Save and continue
- Configure scope:

| Field | Value |
|---|---|
| Scope name | Data.Read |
| Who can consent? | Admins and users |
| Admin consent display name | Read data on behalf of users |
| Admin consent description | Allows the app to read data on behalf of the signed-in user |
| User consent display name | Read data on behalf of the user |
| User consent description | Allows the app to read data on behalf of the signed-in user |
| State | Enabled |

- Click Add scope
- Record the scope name: api://FoundationaLLM-Core/Data.Read
Step 5: Add Authorized Client Application
- Still in Expose an API, click + Add a client application
- Paste the Application (client) ID of FoundationaLLM-User-Portal
- Check the Data.Read scope
- Click Add application
Step 6: Update Manifest
- Under Manage, select Manifest
- Find accessTokenAcceptedVersion
- Change value to 2
- Click Save
Configure API Permissions (Client App)
Add Permissions to User Portal
- Navigate to App registrations
- Select FoundationaLLM-User-Portal
- Under Manage, select API permissions
- Click + Add a permission
- Select My APIs tab
- Select FoundationaLLM-Core-API
- Check Data.Read
- Click Add permissions
Grant Admin Consent (Optional)
If required by your organization:
- Click Grant admin consent for [tenant]
- Confirm
Values to Record
Save these values for App Configuration:
| Value | App Configuration Key |
|---|---|
| User Portal Client ID | FoundationaLLM:Chat:Entra:ClientId |
| Core API Client ID | FoundationaLLM:CoreAPI:Entra:ClientId |
| Tenant ID | FoundationaLLM:Chat:Entra:TenantId, FoundationaLLM:CoreAPI:Entra:TenantId |
| Scope | FoundationaLLM:Chat:Entra:Scopes = api://FoundationaLLM-Core/Data.Read |
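
To confirm the two registrations work together, the claims of an access token issued to the User Portal for the Core API can be checked against the recorded values. The following is an added example, not code from the FoundationaLLM project: it assumes the standard Entra v2.0 access token claims (ver, iss, tid, aud, azp, scp), uses constructed placeholder GUIDs and constructed unsigned tokens, and its function names are hypothetical. It only inspects claims; signature verification is assumed to happen in the API itself.

```python
import base64
import json

# Constructed placeholder GUIDs; substitute the IDs recorded in the table above.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CORE_API_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
USER_PORTAL_CLIENT_ID = "33333333-3333-3333-3333-333333333333"

def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims: dict) -> list:
    """Return the mismatches against this setup; an empty list means all match."""
    expected = {
        "ver": "2.0",  # result of accessTokenAcceptedVersion = 2 on the Core API
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "tid": TENANT_ID,
        "aud": CORE_API_CLIENT_ID,     # v2.0 tokens carry the API's client ID
        "azp": USER_PORTAL_CLIENT_ID,  # the client the token was issued to
    }
    problems = [f"{k}: expected {v!r}, got {claims.get(k)!r}"
                for k, v in expected.items() if claims.get(k) != v]
    if "Data.Read" not in str(claims.get("scp", "")).split():  # exact scope match
        problems.append("scp: Data.Read missing")
    return problems

def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature, for this demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

GOOD = {"ver": "2.0", "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "tid": TENANT_ID, "aud": CORE_API_CLIENT_ID,
        "azp": USER_PORTAL_CLIENT_ID, "scp": "Data.Read"}
# Constructed v1.0-shaped claims, the format the manifest change to 2 replaces.
V1 = {"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT_ID}/", "tid": TENANT_ID,
      "aud": "api://FoundationaLLM-Core", "appid": USER_PORTAL_CLIENT_ID, "scp": "Data.Read"}

if __name__ == "__main__":
    for name, claims in (("good", GOOD), ("v1", V1)):
        print(name, check_claims(decode_claims(make_sample_token(claims))))
```

A v1.0-shaped token fails on ver, iss, aud and azp at once, which points back to the Update Manifest step on the Core API registration.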
Next Steps
- Complete Management API & Portal Setup
- Complete Authorization API Setup
- Run deployment (azd up)
- Complete Post-Deployment Configuration