Entra ID Tenant Setup
Use this guide to configure your Entra ID tenant so the GrantFlow Web App (SPA) and CLI can authenticate and call the GrantFlow API.
This page provides:
- A minimal, reliable setup that works across tenants
- Exact IDs for the GrantFlow API resource
- Copy‑paste scripts to automate most steps (Azure CLI and jq required)
Before you start
- You need permission to create app registrations and to grant tenant‑wide admin consent in your tenant (an Application Administrator can create the registrations; the consent step may require a Global Administrator)
- Install Azure CLI and sign in: az login
- Decide the SPA redirect URIs you’ll use (for example, https://portal.grantflow.cloud or your own custom domain). Only URIs you register here are accepted at sign‑in, so list every environment you need.
Key identifiers (stable)
- GrantFlow API (resource):
  - Application (client) ID: 06b7f2b0-c048-4243-80c4-60d0f1bce15e
  - Scope name: user_impersonation
  - Scope ID: f4365de7-6ca4-4619-beab-f98682a96f93
  - Identifier URI: api://06b7f2b0-c048-4243-80c4-60d0f1bce15e
These do not change between tenants. The full scope string your clients request is the identifier URI followed by the scope name: api://06b7f2b0-c048-4243-80c4-60d0f1bce15e/user_impersonation.
What you will create in your tenant
You will create two client applications in your tenant that request delegated access to the GrantFlow API:
- A SPA client (browser app)
- A CLI client (public client for device code flow)
The provider’s SPA/CLI registrations are single‑tenant, so users in your tenant cannot sign in to them. Creating clients in your tenant gives you full control over consent and redirect URIs, and tokens are issued by your tenant’s authority, so your own Conditional Access and sign‑in policies apply.
Option A: One‑time automated setup (recommended)
Run the scripts below to create both apps and grant admin consent.
1) Create SPA app and add API permissions
# --- variables ---
TENANT_ID=$(az account show --query tenantId -o tsv)
DISPLAY_NAME="GrantFlow SPA"
# Comma-separated list of redirect URIs you plan to use for the SPA
echo "Enter SPA redirect URIs (comma-separated, e.g. https://portal.grantflow.cloud,https://app.example.com):"
read -r SPA_REDIRECTS
API_APP_ID="06b7f2b0-c048-4243-80c4-60d0f1bce15e"
SCOPE_ID="f4365de7-6ca4-4619-beab-f98682a96f93"
# --- create app (single-tenant: only accounts in your directory can sign in) ---
APP_JSON=$(az ad app create \
  --display-name "$DISPLAY_NAME" \
  --sign-in-audience AzureADMyOrg \
  --only-show-errors -o json)
APP_ID=$(echo "$APP_JSON" | jq -r .appId)
OBJ_ID=$(echo "$APP_JSON" | jq -r .id)
# --- configure SPA redirect URIs ---
# az ad app update has no dedicated flag for the SPA platform, so PATCH the
# application object through Microsoft Graph. jq turns the comma-separated
# input into a JSON array of trimmed, non-empty strings.
SPA_REDIRECTS_JSON=$(printf '%s' "$SPA_REDIRECTS" | \
  jq -R -c 'split(",") | map(gsub("^\\s+|\\s+$"; "")) | map(select(length > 0))')
az rest --method PATCH \
  --uri "https://graph.microsoft.com/v1.0/applications/$OBJ_ID" \
  --headers "Content-Type=application/json" \
  --body "{\"spa\":{\"redirectUris\":$SPA_REDIRECTS_JSON}}"
# --- add delegated permission (user_impersonation) to the GrantFlow API ---
az ad app permission add \
  --id "$OBJ_ID" \
  --api "$API_APP_ID" \
  --api-permissions "$SCOPE_ID=Scope"
# --- grant tenant-wide admin consent for the permission ---
az ad app permission admin-consent --id "$OBJ_ID"
echo "SPA app created in tenant $TENANT_ID. Client ID: $APP_ID"
2) Create CLI app and add API permissions
# --- variables ---
TENANT_ID=$(az account show --query tenantId -o tsv)
DISPLAY_NAME="GrantFlow CLI"
API_APP_ID="06b7f2b0-c048-4243-80c4-60d0f1bce15e"
SCOPE_ID="f4365de7-6ca4-4619-beab-f98682a96f93"
# --- create app ---
# --is-fallback-public-client true enables "Allow public client flows", which
# the device code flow needs; a CLI cannot keep a client secret, so none is created.
APP_JSON=$(az ad app create \
  --display-name "$DISPLAY_NAME" \
  --sign-in-audience AzureADMyOrg \
  --is-fallback-public-client true \
  --only-show-errors -o json)
APP_ID=$(echo "$APP_JSON" | jq -r .appId)
OBJ_ID=$(echo "$APP_JSON" | jq -r .id)
# --- add delegated permission (user_impersonation) to the GrantFlow API ---
az ad app permission add \
  --id "$OBJ_ID" \
  --api "$API_APP_ID" \
  --api-permissions "$SCOPE_ID=Scope"
# Optional: Microsoft Graph User.Read (delegated) for a nicer account picker
az ad app permission add \
  --id "$OBJ_ID" \
  --api 00000003-0000-0000-c000-000000000000 \
  --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
# --- grant tenant-wide admin consent ---
az ad app permission admin-consent --id "$OBJ_ID"
echo "CLI app created in tenant $TENANT_ID. Client ID: $APP_ID"
If az ad app permission admin-consent fails due to missing permissions, open the Admin Consent URL manually (below) as a Global Administrator. Consent is per app: grant it once for the SPA app and once for the CLI app.
Admin Consent URL (manual)
Use this if you prefer a click‑through flow or need to elevate permissions:
https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id={CLIENT_ID}&redirect_uri={ENCODED_REDIRECT_URI}
- Replace {TENANT_ID} with your tenant ID and {CLIENT_ID} with the Application (client) ID of the app you are consenting for (the SPA app or the CLI app)
- Use one of that app’s registered redirect URIs as {ENCODED_REDIRECT_URI} (URL‑encoded); Entra only redirects back to a URI registered on the app named by client_id
- Sign in as a Global Administrator and approve the delegated permission to the GrantFlow API when prompted
- On success Entra redirects to your URI with admin_consent=True and the tenant ID in the query string; an error parameter means consent was not granted
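The most common mistake with the manual URL is an unencoded or unregistered redirect_uri. The bash snippet below is an added example (not GrantFlow tooling) that percent‑encodes the redirect URI, adds a random state value so the response can be tied back to the request, and prints the finished URL. The tenant and client IDs in the usage call are placeholders, not real registrations.

```bash
#!/usr/bin/env bash
# Added example (not GrantFlow's own tooling): build the admin consent URL with a
# correctly percent-encoded redirect_uri and an opaque state value. The tenant
# and client IDs in the usage call below are placeholders you replace with your own.

# Percent-encode everything except RFC 3986 unreserved characters.
# Assumes ASCII input, which is what redirect URIs should be.
urlencode() {
  local s="$1" out="" i c
  for (( i = 0; i < ${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9.~_-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# usage: admin_consent_url <tenant-id> <client-id> <redirect-uri> [state]
# The redirect URI must be one registered on the client app named by client-id,
# or Entra will refuse to redirect back after consent.
admin_consent_url() {
  local tenant="$1" client="$2" redirect="$3" state="${4:-}"
  if [ -z "$state" ]; then
    # 16 random bytes as hex: lets you match the consent response to this request
    state=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  fi
  printf 'https://login.microsoftonline.com/%s/adminconsent?client_id=%s&redirect_uri=%s&state=%s\n' \
    "$tenant" "$client" "$(urlencode "$redirect")" "$(urlencode "$state")"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  # Placeholder tenant and SPA client IDs; redirect back to the portal URL
  admin_consent_url "11111111-2222-3333-4444-555555555555" \
                    "22222222-3333-4444-5555-666666666666" \
                    "https://portal.grantflow.cloud"
fi
```

Run it, open the printed URL as a Global Administrator, and after approving check that the state parameter in the redirect matches the one you generated before trusting the admin_consent=True result.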
Option B: Manual portal setup (summary)
SPA app (browser)
- Single‑tenant (Accounts in this organizational directory only)
- Authentication → Add a platform → Single‑page application → add your redirect URIs (e.g., https://portal.grantflow.cloud or your prod URL)
- API permissions → Add a permission → APIs my organization uses → GrantFlow API → Delegated → user_impersonation. The GrantFlow API is registered in the provider tenant, so it does not appear under My APIs; if it is not listed yet, create its service principal in your tenant first (az ad sp create --id 06b7f2b0-c048-4243-80c4-60d0f1bce15e) and reload
- Grant admin consent
CLI app (device code)
- Single‑tenant; under Authentication enable “Allow public client flows” (this sets isFallbackPublicClient: true)
- API permissions → add the GrantFlow API delegated permission user_impersonation
- (Optional) Add Microsoft Graph → User.Read (delegated)
- Grant admin consent
Configure the SPA
Provide the following values to your SPA’s auth config:
- Authority (tenant): https://login.microsoftonline.com/<YOUR_TENANT_ID>
- Client ID: the SPA app’s Application (client) ID you created above
- Redirect URI(s): the URIs you configured (dev and/or prod)
- Scope: api://06b7f2b0-c048-4243-80c4-60d0f1bce15e/user_impersonation
Configure the CLI
Provide the following values to users (or pre‑configure via config file):
- Tenant ID: your tenant ID (use the tenant ID rather than /common or /organizations; the CLI app is single‑tenant, so those authorities cannot resolve it and sign‑in loops or fails)
- Client ID: the CLI app’s Application (client) ID you created above
- Scope: api://06b7f2b0-c048-4243-80c4-60d0f1bce15e/.default (the device code flow uses .default, which resolves to every permission already consented for the GrantFlow API; this is why admin consent must be granted first)
Example ~/.grantflow/config.yaml additions:
tenantId: <YOUR_TENANT_ID>
clientId: <CLI_APP_CLIENT_ID>
Verify
- SPA: Sign in, complete consent, and confirm API calls succeed. If a call returns 401, check the access token: its aud claim must be the GrantFlow API (api://06b7f2b0-c048-4243-80c4-60d0f1bce15e or the bare client ID), its tid your tenant, and scp must include user_impersonation
- CLI: Run grantflow roles list and complete the device code sign‑in; you should receive a token and data
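When a call fails after sign‑in, the quickest diagnosis is to look at the claims in the access token before blaming the API. The bash snippet below is an added example (not part of the GrantFlow project) that decodes a JWT payload without jq and checks the audience, tenant and scope the GrantFlow API expects. The sample token is constructed inline and unsigned so the script runs offline; paste a real token from your CLI or browser session into check_grantflow_token to use it for real. The tenant ID in the sample is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not GrantFlow's own tooling): offline sanity check of the claims
# in an access token obtained for the GrantFlow API. The sample token at the
# bottom is constructed here and unsigned, for illustration only.

GRANTFLOW_API_APP_ID="06b7f2b0-c048-4243-80c4-60d0f1bce15e"

# base64url -> raw bytes (restores the padding that JWT segments strip)
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the decoded payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a string claim from a flat JSON payload without jq.
jwt_claim() {  # usage: jwt_claim <payload-json> <claim>
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Return 0 if the token was minted for the GrantFlow API, for the expected tenant,
# with the user_impersonation delegated scope; otherwise print why and return 1.
# This is a shape check only: signature and expiry validation is the API's job.
check_grantflow_token() {  # usage: check_grantflow_token <jwt> <expected-tenant-id>
  local payload aud tid scp
  payload=$(jwt_payload "$1") || return 1
  aud=$(jwt_claim "$payload" aud)
  tid=$(jwt_claim "$payload" tid)
  scp=$(jwt_claim "$payload" scp)
  # Entra issues aud as the identifier URI or the bare client ID depending on
  # the token version the resource accepts; both are correct.
  case "$aud" in
    "api://$GRANTFLOW_API_APP_ID"|"$GRANTFLOW_API_APP_ID") ;;
    *) echo "wrong audience: ${aud:-<none>}"; return 1 ;;
  esac
  [ "$tid" = "$2" ] || { echo "wrong tenant: ${tid:-<none>}"; return 1; }
  case " $scp " in
    *" user_impersonation "*) ;;
    *) echo "missing scope user_impersonation (scp='$scp')"; return 1 ;;
  esac
  return 0
}

# --- constructed sample tokens (unsigned, empty signature segment) ---
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TENANT="11111111-2222-3333-4444-555555555555"   # placeholder tenant ID
SAMPLE_TOKEN="$(b64url_encode '{"alg":"none","typ":"JWT"}').$(b64url_encode "{\"aud\":\"api://$GRANTFLOW_API_APP_ID\",\"tid\":\"$SAMPLE_TENANT\",\"scp\":\"user_impersonation\"}")."
# A Microsoft Graph token: a common mistake is sending this to the GrantFlow API.
WRONG_AUD_TOKEN="$(b64url_encode '{"alg":"none","typ":"JWT"}').$(b64url_encode "{\"aud\":\"00000003-0000-0000-c000-000000000000\",\"tid\":\"$SAMPLE_TENANT\",\"scp\":\"User.Read\"}")."

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  check_grantflow_token "$SAMPLE_TOKEN" "$SAMPLE_TENANT" && echo "sample token OK"
  check_grantflow_token "$WRONG_AUD_TOKEN" "$SAMPLE_TENANT" || echo "Graph token rejected, as expected"
fi
```

A token with the wrong aud usually means the client requested a Graph or /common scope instead of the GrantFlow scope; a wrong tid means the client was configured with a different authority than the tenant where the apps were created.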
Reference: Provider‑tenant (for comparison)
- GrantFlow API (multi‑tenant): 06b7f2b0-c048-4243-80c4-60d0f1bce15e
  - Scope ID: f4365de7-6ca4-4619-beab-f98682a96f93
- Provider SPA (single‑tenant): 32654b34-df24-4a9b-9261-27f37a66bff9
  - Redirect URIs include https://portal.grantflow.cloud
- Provider CLI (single‑tenant): 8e29ce44-70fe-405f-8604-3c70c1716d91
  - Public client enabled, requests GrantFlow API + optional Graph User.Read
You can re‑run the scripts with different display names or redirect URIs. You can also restrict who may sign in to your SPA and CLI apps with Conditional Access, by requiring user assignment on their enterprise applications, and with app roles.