Skip to main content
This manual sets up Microsoft Entra ID (formerly Azure AD) as the identity provider for two TrustGate credentials:
  1. OIDC role-based — for an LLM consumer whose routing is chosen from the token’s roles (app roles) or groups claim (roles).
  2. OAuth2 for MCP — for an MCP consumer gated by an exposed API scope.
Entra ID issues v2.0 tokens when the app registration uses the v2 endpoint. TrustGate treats an api:// resource URI and its bare identifier as the same audience, and prefers the Entra oid claim as the stable subject. Use the values below exactly.

Prerequisites

  • An Entra tenant — note your Tenant ID (Overview → Tenant ID).
  • Rights to register applications (App registrations) and manage Enterprise applications.
  • A group or set of users you can assign to an app role.

The values you will collect

The endpoints are derived from the tenant:
If your app is configured for v1.0 tokens, the issuer is instead https://sts.windows.net/{tenant_id}/ and the JWKS is https://login.microsoftonline.com/common/discovery/keys. Prefer v2.0.

1. Register the application

Steps use the Microsoft Entra admin center at https://entra.microsoft.com (the same screens exist in the Azure portal under Microsoft Entra ID). Paths below are the left-hand navigation.
1

Create the registration

In the left sidebar go to Identity → Applications → App registrations → click New registration.
  • Name: trustgate
  • Supported account types: pick the one that matches your tenant.
Click Register. On the app’s Overview page copy the Application (client) ID and the Directory (tenant) ID.
2

Add a client secret

Open the app → left menu Manage → Certificates & secretsClient secrets tab → New client secret. Set a description and expiry, click Add, then copy the secret Value immediately (it is shown only once — the Secret ID is not the value).

2. Expose an API scope (for MCP)

1

Set the Application ID URI

Open the app → left menu Manage → Expose an API. Next to Application ID URI click Add, accept the default api://{client_id}, and Save. This URI is your audience.
2

Add the scope

Still on Expose an API, click Add a scope:
  • Scope name: mcp.access
  • Who can consent: Admins and users (or Admins only) as appropriate.
  • Fill the admin/user consent display name and description.
  • State: Enabled.
Click Add scope. The full scope identifier is api://{client_id}/mcp.access.

3. Define app roles (for role-based routing)

App roles are the cleanest way to drive TrustGate roles; they arrive in the roles claim.
1

Create the app role

Open the app → left menu Manage → App rolesCreate app role:
  • Display name: Engineering
  • Allowed member types: Users/Groups (and/or Applications for M2M).
  • Value: engineering — this exact string is what appears in the roles claim.
  • Description: anything.
  • Tick Do you want to enable this app role?
Click Apply.
2

Assign users or groups to the role

Assignment happens on the enterprise application (the service principal), not the registration. In the left sidebar go to Identity → Applications → Enterprise applications → open your trustgate app → Manage → Users and groupsAdd user/group. Pick the users/groups, and under Select a role choose Engineering. Click Assign.
3

(Optional) emit a groups claim instead

To route on directory groups instead of app roles, open the app registrationManage → Token configurationAdd groups claim, pick the group types, and save. The token then carries a groups array of group object IDs (GUIDs), not names.

4. OIDC role-based credential (LLM)

Attached to a role_based LLM consumer; the roles (or groups) claim selects a role.
1

Create the auth credential

Filled example:
subject_claim: "oid" gives a stable per-tenant user id. sub in Entra is pairwise per app and changes across apps.
2

Attach to a role-based consumer

Create an LLM consumer with routing_mode: role_based, attach this credential and one or more roles. The role’s oidc_mapping matches the app role value:
To match directory groups instead, use "claim": "groups" with the group object IDs as values.

5. OAuth2 credential (MCP)

Attached to an MCP consumer; access is gated by required_scopes.
1

Choose the token flow

  • Delegated (user) token: the scope appears in the scp claim.
  • Application (client credentials) token: grant an app role (application permission) and request api://{client_id}/.default; the granted role appears in the roles claim.
TrustGate checks both scp and roles against required_scopes, so either flow works.
2

Grant and consent the permission (client credentials only)

For the application flow, open the calling app registration → Manage → API permissionsAdd a permissionMy APIs → select your trustgate API → Application permissions → tick the app role → Add permissions. Then click Grant admin consent for your tenant. Without admin consent the token carries no roles and TrustGate rejects it for missing scopes.
3

Create the auth credential

Filled example:

6. Get a test token

Client-credentials (application) flow:
Decode the access_token and confirm:
  • iss = https://login.microsoftonline.com/{tenant_id}/v2.0
  • aud = api://{client_id} (or the bare client_id)
  • roles (app permissions) or scp (delegated) contains your scope/role

Troubleshooting

Back to the Authorization overview.