- OIDC role-based — for an
LLMconsumer whose routing is chosen from the token’sroles(app roles) orgroupsclaim (roles). - OAuth2 for MCP — for an
MCPconsumer gated by an exposed API scope.
Entra ID issues v2.0 tokens when the app registration uses the v2 endpoint. TrustGate
treats an
api:// resource URI and its bare identifier as the same audience, and prefers
the Entra oid claim as the stable subject. Use the values below exactly.Prerequisites
- An Entra tenant — note your Tenant ID (
Overview → Tenant ID). - Rights to register applications (App registrations) and manage Enterprise applications.
- A group or set of users you can assign to an app role.
The values you will collect
The endpoints are derived from the tenant:
1. Register the application
Steps use the Microsoft Entra admin center at
https://entra.microsoft.com (the same
screens exist in the Azure portal under Microsoft Entra ID). Paths below are the
left-hand navigation.1
Create the registration
In the left sidebar go to Identity → Applications → App registrations → click
New registration.
- Name:
trustgate - Supported account types: pick the one that matches your tenant.
2
Add a client secret
Open the app → left menu Manage → Certificates & secrets → Client secrets tab →
New client secret. Set a description and expiry, click Add, then copy the secret
Value immediately (it is shown only once — the Secret ID is not the value).
2. Expose an API scope (for MCP)
1
Set the Application ID URI
Open the app → left menu Manage → Expose an API. Next to Application ID URI click
Add, accept the default
api://{client_id}, and Save. This URI is your
audience.2
Add the scope
Still on Expose an API, click Add a scope:
- Scope name:
mcp.access - Who can consent: Admins and users (or Admins only) as appropriate.
- Fill the admin/user consent display name and description.
- State: Enabled.
api://{client_id}/mcp.access.3. Define app roles (for role-based routing)
App roles are the cleanest way to drive TrustGate roles; they arrive in theroles claim.
1
Create the app role
Open the app → left menu Manage → App roles → Create app role:
- Display name:
Engineering - Allowed member types: Users/Groups (and/or Applications for M2M).
- Value:
engineering— this exact string is what appears in therolesclaim. - Description: anything.
- Tick Do you want to enable this app role?
2
Assign users or groups to the role
Assignment happens on the enterprise application (the service principal), not the
registration. In the left sidebar go to Identity → Applications → Enterprise
applications → open your
trustgate app → Manage → Users and groups → Add
user/group. Pick the users/groups, and under Select a role choose Engineering.
Click Assign.3
(Optional) emit a groups claim instead
To route on directory groups instead of app roles, open the app registration →
Manage → Token configuration → Add groups claim, pick the group types, and save.
The token then carries a
groups array of group object IDs (GUIDs), not names.4. OIDC role-based credential (LLM)
Attached to arole_based LLM consumer; the roles (or groups) claim selects a role.
1
Create the auth credential
subject_claim: "oid" gives a stable per-tenant user id. sub in Entra is pairwise per
app and changes across apps.2
Attach to a role-based consumer
Create an To match directory groups instead, use
LLM consumer with routing_mode: role_based, attach this credential and one
or more roles. The role’s oidc_mapping matches the app
role value:"claim": "groups" with the group object
IDs as values.5. OAuth2 credential (MCP)
Attached to anMCP consumer; access is gated by required_scopes.
1
Choose the token flow
- Delegated (user) token: the scope appears in the
scpclaim. - Application (client credentials) token: grant an app role (application
permission) and request
api://{client_id}/.default; the granted role appears in therolesclaim.
scp and roles against required_scopes, so either flow works.2
Grant and consent the permission (client credentials only)
For the application flow, open the calling app registration → Manage → API
permissions → Add a permission → My APIs → select your
trustgate API →
Application permissions → tick the app role → Add permissions. Then click
Grant admin consent for your tenant. Without admin consent the token carries no
roles and TrustGate rejects it for missing scopes.3
Create the auth credential
6. Get a test token
Client-credentials (application) flow:access_token and confirm:
iss=https://login.microsoftonline.com/{tenant_id}/v2.0aud=api://{client_id}(or the bareclient_id)roles(app permissions) orscp(delegated) contains your scope/role
Troubleshooting
Back to the Authorization overview.