# Microsoft Entra ID Configuration for WorkflowGen Plus v2

{% hint style="warning" %}
Azure Active Directory (Azure AD) has been renamed to **Microsoft Entra ID** (**ME-ID**). While the WorkflowGen documentation has been updated to reflect this name change, the WorkflowGen application settings still refer to Azure AD (for example, `Azure AD SCIM v2` directory connector).

Likewise, certain ME-ID configuration items in the Azure portal have been renamed and/or moved. The WorkflowGen documentation has been updated accordingly, but still might not be completely accurate in this regard. See the [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/) documentation for more information.
{% endhint %}

## Overview

Mobile applications use a variant of the regular web application flow called **Authorization Code Flow with Proof Key for Code Exchange (PKCE)**. The difference from the classic Authorization Code Flow is that the mobile application holds no client secret. Instead, it generates a one-time random code verifier, sends a hash of it (the code challenge) with the authorization request, and presents the original verifier when it exchanges the authorization code for tokens, which proves that the same app instance that started the flow is completing it. A mobile application can't be trusted with a client secret because it is distributed directly to users, is therefore no longer under the developer's control, and can be decompiled and analyzed to extract any embedded secret. PKCE also means that an authorization code intercepted on the device (for example, by another app claiming the `workflowgenplus://` custom URL scheme) is useless without the verifier.

This section provides instructions on how to configure Microsoft Entra ID for mobile apps so that your mobile users can benefit from delegated authentication to ME-ID as well.

{% hint style="warning" %}
The **WorkflowGen Plus v2 mobile app** (available in the Apple and Google Play app stores) supports ME-ID delegated authentication with the **Microsoft Identity Platform v2.0** provider only.\
\
It also **will not work** with a WorkflowGen server that is configured to [call third-party APIs](https://docs.workflowgen.com/azure/8.0/azure-active-directory-authentication#calling-third-party-apis-with-the-shared-access-token) with OpenID Connect (e.g. using a custom audience and/or multi-scopes).
{% endhint %}

{% hint style="warning" %}
The **WorkflowGen Plus v1 mobile app** is no longer supported.
{% endhint %}

## Prerequisites

* Make sure to have a licensed copy of WorkflowGen installed and running on an IIS web server in **HTTPS** secure connection mode.
* Make sure to have administrative access to ME-ID to be able to configure it properly.
* Make sure to have provisioned an existing ME-ID user with which you can authenticate to WorkflowGen so that you can use the application afterwards.
* Make sure to have successfully configured delegated authentication to ME-ID with the **Microsoft Identity Platform v2.0** provider on your WorkflowGen instance following the instructions in the [Microsoft Entra ID Authentication](https://docs.workflowgen.com/azure/8.0/azure-active-directory-authentication) section with the `WorkflowGen GraphQL API` application registered as well.

## Microsoft Entra ID configuration

This configuration is done in two steps. First, you register a new native (public client) application in ME-ID, including the callback URI that redirects back into the mobile application. Then, you grant the application the delegated permission it needs to access the WorkflowGen GraphQL API.

### Step 1: Register a new native application

1. In the Azure portal, click **App registrations** in the **Azure services** section.

2. Click **New registration**, and fill in the properties:
   * **Name:** `WorkflowGen Plus`
   * **Supported account types:** `Accounts in this organizational directory only (Default Directory only - Single tenant)`\
     ✏️ **Note:** Choose the supported account type that matches your use case. Single tenant is the most restrictive option and is the safe default unless users from other tenants or personal Microsoft accounts must sign in.
   * **Redirect URI**:
     * **Type:** `Public client/native`
     * **Value:** `workflowgenplus://oidc`

3. Click **Register** at the bottom of the page.

You've now successfully registered your `WorkflowGen Plus` native application in Microsoft Entra ID.

### Step 2: Grant access to WorkflowGen GraphQL API

1. Click **API permissions**.
2. In the **Configured permissions** section, click **Add a permission**.
3. Click **My APIs**, then select the `WorkflowGen GraphQL API` application in the list.
4. Click **Delegated permissions** and check `default` under the **Permission** column.
5. Click **Add permissions**.
6. On the **API permissions** page, click **Grant admin consent for \<your tenant name>**, then click **Yes**.

### Review the registration

Take note of the information you'll need later on:

* A **server address**: This is your WorkflowGen application URL (e.g. `https://<workflowgen url>`).
* A **client ID**: This is the application (client) ID in the **Overview** section of your application registration.
* A **tenant ID**: This is the directory (tenant) ID in the **Overview** section of your application registration.
* An **audience**: This is the `Application ID URI` property (e.g. `https://<workflowgen url>/graphql`) in the **Expose an API** section of the `WorkflowGen GraphQL API` application registration.

You'll need to give the `server address`, `client ID`, `tenant ID`, and `audience` information to the users who will be using the WorkflowGen Plus v2 mobile application. ME-ID delegated authentication won't work unless they copy this information into the mobile app. None of these values is a secret (a public client has no client secret), so they can be distributed through ordinary channels.
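The following is an added example, not code from WorkflowGen or the WorkflowGen Plus app. It shows the PKCE exchange described in the Overview built from the four values collected above: a code verifier and S256 code challenge per RFC 7636, the Microsoft identity platform v2.0 authorize request that the mobile app opens, and the token request it sends afterwards with the verifier in place of a client secret. The tenant ID, client ID and Application ID URI are placeholders, and the scope string `<audience>/default` is an assumption based on the `default` delegated permission granted in Step 2.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values standing in for what an administrator collects in
# "Review the registration". Substitute your own; these are constructed.
TENANT_ID = "00000000-0000-0000-0000-000000000000"    # directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # application (client) ID of "WorkflowGen Plus"
AUDIENCE = "https://workflowgen.example.com/graphql"  # Application ID URI of "WorkflowGen GraphQL API"
REDIRECT_URI = "workflowgenplus://oidc"               # redirect URI registered in Step 1


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 s4.1: 43..128 characters from [A-Za-z0-9-._~]. token_urlsafe
    # returns unpadded base64url, so 32 random bytes yield a 43-char verifier.
    return secrets.token_urlsafe(nbytes)


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 s4.2, method S256: BASE64URL(SHA256(ASCII(verifier))), no '=' padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant_id, client_id, audience, redirect_uri, challenge, state):
    # Request the mobile app opens in the system browser. The scope
    # "<audience>/default" is an assumed name for the delegated permission
    # granted in Step 2; no client secret appears anywhere in the flow.
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"openid profile offline_access {audience}/default",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
            + urlencode(params))


def build_token_request(tenant_id, client_id, redirect_uri, code, verifier):
    # Body the app POSTs once the browser redirects to workflowgenplus://oidc
    # with the authorization code. The code_verifier is the proof of origin.
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    return url, body


def verify_challenge(verifier: str, challenge: str) -> bool:
    # What the authorization server does at the token endpoint: recompute the
    # challenge from the presented verifier and compare in constant time.
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(TENANT_ID, CLIENT_ID, AUDIENCE, REDIRECT_URI, challenge, state))
    print(build_token_request(TENANT_ID, CLIENT_ID, REDIRECT_URI, "<code from redirect>", verifier))
    print("server-side check:", verify_challenge(verifier, challenge))
```

The `state` value should be generated fresh per login and compared on the redirect, just like the verifier; both live only in the app's memory for the duration of one sign-in.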

{% hint style="info" %}
You can also provide a universal link to your users. For instructions on how to generate a universal link to simplify the ME-ID login process for your users, see the [Generating a Universal Link for WorkflowGen Plus](https://docs.workflowgen.com/azure/8.0/generating-a-universal-link-for-workflowgen-plus) section.
{% endhint %}

{% hint style="success" %}
You've now successfully registered the **WorkflowGen Plus** mobile application in Microsoft Entra ID.
{% endhint %}
