Azure AD (Entra ID) Setup


Complete walkthrough for connecting NeMo Platform to Azure AD (Entra ID), from app registration to first successful login.

Prerequisites: Access to Azure Portal with permission to create app registrations. Familiarity with OIDC Setup.

App Registration

  1. In Azure Portal, go to Azure Active Directory → App registrations → New registration.
  2. Name the application (e.g., “NeMo Platform”).
  3. Set Supported account types to your tenant configuration.
  4. No redirect URI is needed for device flow, but setting one is good practice.
  5. Note the Application (client) ID and Directory (tenant) ID.

Enable Device Flow

  1. Go to Authentication in the app registration.
  2. Under Advanced settings, set Allow public client flows to Yes.
  3. Save.

Expose API Scopes

  1. Go to Expose an API.
  2. Set the Application ID URI (e.g., api://<client-id>).
  3. Add scopes:
     • platform:read — “Read access to NeMo Platform platform resources”
     • platform:write — “Write access to NeMo Platform platform resources”
  4. Go to API permissions → Add a permission → My APIs → select your app → add the scopes.
  5. Click Grant admin consent for the scopes.

Configure Group Claims (Optional)

  1. Go to Token configuration → Add groups claim.
  2. Select Security groups (or the group types your organization uses).
  3. For the Access token, select Group ID.

NeMo Platform Configuration

  auth:
    enabled: true
    admin_email: "platform-admin@company.com"
    oidc:
      enabled: true
      issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
      client_id: "<client-id>"
      audience: "api://<client-id>"
      # Azure AD v1 tokens may have a different issuer
      additional_issuers:
        - "https://sts.windows.net/<tenant-id>/"
      email_claim: "upn"
      subject_claim: "oid"
      groups_claim: "groups"
      # Azure AD prefixes custom scopes with the API URI
      scope_prefix: "api://<client-id>/"
      default_scopes: "openid profile email offline_access api://<client-id>/platform:read api://<client-id>/platform:write"
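The following is an added example (not NeMo Platform code) showing what the settings above amount to at login time: the claims of an Azure AD token are checked against the configured issuer (v2 or the v1 additional issuer), audience, and claim names, and each mismatch is reported by name. It assumes signature and expiry were already verified, that delegated scopes arrive space-separated in the token's scp claim, and uses constructed placeholder IDs.

```python
from dataclasses import dataclass, field

TENANT_ID = "<tenant-id>"  # constructed placeholder, as in the config above
CLIENT_ID = "<client-id>"  # constructed placeholder

@dataclass
class OidcConfig:  # hypothetical mirror of the oidc: settings above, not NeMo's own structure
    issuer: str = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
    additional_issuers: list = field(default_factory=lambda: [f"https://sts.windows.net/{TENANT_ID}/"])
    audience: str = f"api://{CLIENT_ID}"
    email_claim: str = "upn"
    subject_claim: str = "oid"
    groups_claim: str = "groups"
    scope_prefix: str = f"api://{CLIENT_ID}/"

def map_identity(claims: dict, cfg: OidcConfig) -> dict:
    """Validate iss/aud and map the identity claims; raise ValueError naming the mismatch.
    Assumes signature and expiry were already verified against the tenant's signing keys."""
    if claims.get("iss") not in [cfg.issuer, *cfg.additional_issuers]:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")  # a JWT aud may be a single string or a list
    if cfg.audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"audience mismatch: token aud={aud!r}, expected {cfg.audience!r}")
    email = claims.get(cfg.email_claim)
    if not email:
        raise ValueError(f"empty email claim: {cfg.email_claim!r} not present in token")
    subject = claims.get(cfg.subject_claim)
    if not subject:
        raise ValueError(f"missing subject claim {cfg.subject_claim!r}")
    # Assumption: delegated scopes arrive space-separated in "scp"; strip the API URI prefix if present
    scopes = sorted(s[len(cfg.scope_prefix):] if s.startswith(cfg.scope_prefix) else s
                    for s in claims.get("scp", "").split())
    return {"subject": subject, "email": email,
            "groups": list(claims.get(cfg.groups_claim, [])), "scopes": scopes}

def check(claims: dict, cfg: OidcConfig) -> str:
    """Return "ok" or the mismatch reason, handy for logging failed logins."""
    try:
        map_identity(claims, cfg)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample claims: a v2 token and a v1 token (different issuer) from the same tenant
V2_CLAIMS = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "aud": f"api://{CLIENT_ID}",
             "oid": "00000000-0000-0000-0000-000000000001", "upn": "user@company.com",
             "groups": ["00000000-0000-0000-0000-0000000000aa"], "scp": "platform:read platform:write"}
V1_CLAIMS = {"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": f"api://{CLIENT_ID}",
             "oid": "00000000-0000-0000-0000-000000000001", "upn": "user@company.com",
             "scp": f"api://{CLIENT_ID}/platform:read"}
```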

Verification

  $ nemo auth login
  # Browser opens to Microsoft login page
  # Sign in and consent to the requested permissions

  $ nemo auth status
  # Expected: Logged in as user@company.com, scopes: platform:read platform:write

Common Errors

Error | Cause | Fix
--- | --- | ---
AADSTS70011 | Scope not configured or no admin consent | Add scopes in “Expose an API” and grant admin consent
AADSTS50011 | Reply URL mismatch | Not typically needed for device flow; check Authentication settings
Audience mismatch | audience doesn’t match the token’s aud claim | Set audience: "api://<client-id>"
Empty email claim | Azure AD didn’t populate email | Use email_claim: "upn" instead