> ## Documentation Index
> Fetch the complete documentation index at: https://hoopdev-fix-add-missing-mechanic-for-session-download-button.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure

## Requirements

* Azure account
* `API_URL` of the Hoop gateway instance

Contact the administrator of the hoop gateway instance to retrieve the API\_URL address.

## Identity Provider Configuration

<Steps titleSize="h3">
  <Step title="Create an Application">
    Login with your account at [https://portal.azure.com/](https://portal.azure.com/)

    * Go to **Microsoft Entra ID > App Registration**.
    * Pick a name, and select the Supported account types as you see fit
    * Register the application with `{API_URL}/api/callback` as the redirect URI.

    <Note>
      We recommend using the option single tenant option for Supported account types. This will allow selecting exactly what groups to propagate to this application. This option is also required to propagate cloud-only groups as names (see more details below).
    </Note>

    Ensure default delegated permissions: `User.Read` for sign in and read user profiles and `email` to view user's email address.

    <Info>
      These attributes are typically created by default. If errors occur, ensure these options are set correctly.
    </Info>
  </Step>

  <Step title="Create the Client Credentials">
    * Go to App Registration > `{AppName}`
    * In the overview page, copy the **Application (client) ID** value. This is the Client ID.
    * Go to  Certificate & Secrets > Client Secrets > New Client Secret
    * Copy the Secret Value. This is the Client Secret
  </Step>

  <Step title="Collect Issuer and Custom Scopes Information">
    The Issuer URL

    * Go to App registration > `{AppName}` > Overview
    * Copy the tenant ID and use as the value below
    * [https://login.microsoftonline.com/\{tenant\_id}/v2.0](https://login.microsoftonline.com/\{tenant_id}/v2.0)

    The Custom Scopes

    * Use the Client ID to compose the Custom Scopes value
    * `{CLIENT_ID}/.default`
  </Step>
</Steps>

## Configuring Groups Claims

The integration relies on groups propagated in the `id_token`. By default, Azure Entra ID propagates them in the `groups` claims.

The gateway needs to be configured to match the claim name of the groups.
This configuration will ensure to sync the groups when a user authenticates on Hoop.

<Tip>
  It's possible to inspect the name of the claim that's being propagated by viewing the logs of the gateway when a user sign in.
</Tip>

<Note>
  By default the gateway uses the claim name `groups`.
  To change it, go to **Integrations** > **Authentication** and include a distinct group.
</Note>

By default, groups are propagate with their object ids. It may be cumbersome to manage groups as UUIDs on Hoop.
See the section below to propagate them with their display name instead.

<Warning>
  When you configure groups to sync, you'll lose the admin access on the next sign in.
  To prevent this issue, set the configuration `ADMIN_USERNAME` on your gateway to change the role of the admin user with a group associated with your application.
  The name of the admin group depends on whether you propagate the groups as object IDs or as group names (see below).
</Warning>

### Propagating Groups as Names

It's possible to propagate groups with their display names for cloud groups.

* Click on Manifest
* Edit the item groups under optionalClaims.idToken and optionalClaims.accessToken attributes and add the name cloud\_displayname
* Make sure that groupMembershipClaims is set to ApplicationGroup

```json theme={null}
(...)
  "groupMembershipClaims": "ApplicationGroup",
  (...)
  "optionalClaims": {
    "idToken": [
      {
        "name": "groups",
        "source": null,
        "essential": false,
        "additionalProperties": [
          "cloud_displayname"
        ]
      }
    ],
    "accessToken": [
      {
        "name": "groups",
        "source": null,
        "essential": false,
        "additionalProperties": [
          "cloud_displayname"
        ]
      }
    ],
    (...)
```

* Click on Save

This option only works when group groupMembershipClaims is set to ApplicationGroup. and after assigning the groups to this application.

<Warning>
  Be aware that names are not unique and this may cause conflict when propagating groups. Object IDs are a more safer approach to avoid such problems.
</Warning>

<Info>
  For other kind of groups it's possible to append additional `properties as sam_account_name`, `dns_domain_and_sam_account_name` or `netbios_domain_and_sam_account_name`.
</Info>

### Assign Groups to Application

* Go to Enterprise Application > `{AppName}` > User and Groups > Add user/group
* Select the desired groups and click on Select
* Click on Assign

<Info>This option requires an AD subscription that allows assigning groups to application.</Info>

References:

* [Configure Optional Claims](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=manifest#configuring-group-optional-claims)
* [Configure group claims for applications](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims)

## Machine to Machine Access (M2M)

<Warning>Available on version 1.17.14+</Warning>

It is possible to access hoop by issuing access tokens using the Oauth2 Client Credentials Flow. The gateway validates and authenticates any access token generated by the app registered in Azure, provided that a service account is active on hoop. The only requirement is that the service account has the same Object ID as the application, which serves as its main identifier.

<Info>
  Authentication only occurs when a token is issued by the identity provider. The service account resource simply maps the subject to identify who is accessing the API.
</Info>

### Creating a Service Account

```sh theme={null}
hoop admin create serviceaccount <azure-app-object-id> \
  --name "My Service Account" \
  --groups admin
```

<Info>
  To obtain the Object ID of the application navigate to: Azure Portal > Microsoft Entra ID > Enterprise Applications
</Info>

### Creating an Access Token

1. Go to App Registrations > Certificate & Secrets > New Client Secret

Copy the secret value and use in the command below as the attribute for `<APP_CLIENT_SECRET>`

2. Generate an access token

```sh theme={null}
curl -XPOST -H "Content-Type: application/x-www-form-urlencoded" \
	-d client_id=<APP_CLIENT_ID> \
	-d scope=<APP_CLIENT_ID>/.default \
	-d client_secret=<APP_CLIENT_SECRET> \
	-d grant_type=client_credentials \
	https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
```

* APP\_CLIENT\_ID: the client id of the application
* APP\_CLIENT\_SECRET: the client secret generated in the step 1
* TENANT\_ID: the tenant id of you app instance

For more information, [see this guide](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#get-a-token).

Access the API

```sh theme={null}
export HOOP_TOKEN=eyJ0eXAiOiJKV1QiLCJhb...5Z3Be-kkXkAnAA-zIweYuqEUDA
hoop admin get userinfo
```

<Info>
  In case of receiving access denied (401), make sure that the subject of the access token matches the subject provided when creating the service account (usually matches the object id of the application)
</Info>
