
Azure AD Setup

This guide covers configuring Microsoft Entra ID (Azure AD) as a federated identity provider so your organization's users can sign in to N-Hub with their corporate Microsoft accounts.

Prerequisites

  • Access to the Microsoft Entra Admin Center (Azure Portal)
  • Your N-Hub environment URL: dev-au-03.nnnco.io
  • A contact with your platform administrator, who completes the server-side configuration

Step 1: Register an Application

  1. Go to Azure Portal > Microsoft Entra ID > App registrations
  2. Click New registration
  3. Configure:
    • Name: N-Hub IoT Platform
    • Supported account types: Single tenant (your organization only)
    • Redirect URI:
      • Type: Web
      • URI: https://auth.dev-au-03.nnnco.io/ui/login/login/externalidp/callback
  4. Click Register

Step 2: Configure Token Claims

  1. In the app registration, go to Token configuration
  2. Click Add optional claim
  3. Select token type: ID
  4. Add these claims:
    • email
    • family_name
    • given_name
    • preferred_username
  5. Click Add

Step 3: Create a Client Secret

  1. Go to Certificates & secrets > Client secrets
  2. Click New client secret
  3. Description: N-Hub federation
  4. Expiry: 24 months (recommended)
  5. Click Add
  6. Copy the secret value immediately — it won't be shown again

Step 4: Gather Credentials

From the app registration Overview page, note:

Value           Location in Azure Portal
Tenant ID       Directory (tenant) ID
Client ID       Application (client) ID
Client Secret   The value copied in Step 3

Step 5: Send Credentials to Your Administrator

Provide the following to your platform administrator:

  1. Tenant ID
  2. Client ID
  3. Client Secret

These will be securely stored and used to configure the identity provider. Once configured, your users will see a Microsoft sign-in option on the login page.

Secret Rotation

Client secrets have an expiry date. When a secret approaches expiry, create a new one in Azure Portal and provide the updated value to your administrator. The old secret continues to work until it expires, so there is no downtime during rotation.
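
One way to notice an approaching expiry before sign-in breaks is shown below. It is an added example, not part of N-Hub or of this guide's original text. It assumes the input is the JSON printed by `az ad app credential list --id <client-id>`; the 30-day warning window, the function names and the sample data are all constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the output of `az ad app credential list --id <client-id>`
# (Microsoft Graph passwordCredential objects); key IDs and dates are made up.
SAMPLE = """[
  {"displayName": "N-Hub federation", "keyId": "00000000-0000-0000-0000-000000000001",
   "startDateTime": "2023-07-01T00:00:00Z", "endDateTime": "2025-07-01T00:00:00Z"},
  {"displayName": "N-Hub federation", "keyId": "00000000-0000-0000-0000-000000000002",
   "startDateTime": "2025-06-01T00:00:00.1234567Z", "endDateTime": "2027-06-01T00:00:00.1234567Z"}
]"""

def parse_utc(value):
    # Keep the first 19 characters (YYYY-MM-DDTHH:MM:SS) and treat them as UTC,
    # which drops fractional seconds and the trailing "Z" (assumption: values are UTC).
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def rotation_report(credentials, now, warn_days=30):
    """Classify each client secret and say whether a longer-lived one already exists."""
    horizon = now + timedelta(days=warn_days)
    ends = {c["keyId"]: parse_utc(c["endDateTime"]) for c in credentials}
    report = []
    for cred in credentials:
        end = ends[cred["keyId"]]
        if end <= now:
            status = "expired"
        elif end <= horizon:
            status = "expiring"
        else:
            status = "ok"
        # A replacement is any other secret that outlives the warning window.
        replaced = any(e > horizon for k, e in ends.items() if k != cred["keyId"])
        report.append({"keyId": cred["keyId"], "name": cred.get("displayName"),
                       "days_left": (end - now).days, "status": status,
                       "replacement_exists": replaced})
    return report

def needs_action(report):
    # Create a new secret when no existing secret outlives the warning window.
    return not any(r["status"] == "ok" for r in report)

if __name__ == "__main__":
    for row in rotation_report(json.loads(SAMPLE), datetime.now(timezone.utc)):
        print(row)
```

A replacement that exists in Azure is only useful once its value has also been given to your administrator, so treat `replacement_exists` as a prompt to confirm that handover, not as proof of it.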

Verification

  1. Navigate to https://dev-au-03.nnnco.io
  2. Click Sign In
  3. You should see a Microsoft sign-in option
  4. Click it and authenticate with your corporate Microsoft account
  5. On first login, an account is automatically created and linked to your organization

Troubleshooting

The redirect URI does not match (AADSTS50011)

The redirect URI in Azure doesn't match what the platform expects. Verify it is exactly:

https://auth.dev-au-03.nnnco.io/ui/login/login/externalidp/callback

User info not populated (missing name, email)

Ensure the optional claims (email, family_name, given_name, preferred_username) are added to the ID token in Step 2.

Microsoft sign-in option not appearing

The server-side configuration may not be complete. Contact your platform administrator to verify the identity provider is enabled.