Microsoft Entra Installation Guide (OIDC)
Prerequisites
Microsoft Entra Prerequisites
- Ensure you have Access to the Azure Admin Portal with the appropriate IAM permissions in Azure to register a new Enterprise Application.
Moveworks SSO Prerequisites
-
Your Moveworks organization should be initialized (verify with your account team)
-
Note the following values.
-
data_center_domain
- the data center where your organization is hosted (see table below). -
subdomain
- your organization's login subdomain. This will generally match yourcustomer_id
, but you can verify or customize it in General Information.Warning
Make sure you ONLY note your unique subdomain. For example, if you're organization's login subdomain is acme.moveworks.com, then your
subdomain
is acme and yourdata_center_domain
is moveworks.com -
[Optional]
customer_id
- unique identifier for your organization (can not be changed). This is stored as Org Name under Organization Details > General Information
-
Data Center | data_center_domain |
---|---|
United States (default) | moveworks.com |
Canada | am-ca-central.moveworks.com |
EU | am-eu-central.moveworks.com |
Australia / Asia Pacific | am-ap-southeast.moveworks.com |
Government Secure Cloud | moveworksgov.com |
Configuration Steps
Create OIDC Application
<Add a note that it's recommended that customer admins setup a new/separate app registration for this step instead of reusing the App-reg created for Teams bot setup>
-
Find the App Registrations service
-
Select New Registration
-
Register the Application
- Name:
Moveworks
- Supported account types:
Accounts in this organizational directory only
- Name:
-
Select Register
Configure Moveworks Settings
-
Go to Manage > Branding & properties and update the following:
-
Upload new logo:
-
Home Page URL:
https://{{subdomain}}.{{data_center_domain}}
-
-
Go to Manage > Authentication, Select Add a Platform and choose Web
-
Add your Redirect URI as
https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc
Enable User Access
-
Go to Enterprise Applications
-
Find the application you created
-
Go to Security > Permissions and click Grant admin consent for {{your company}}.
Add OIDC Configuration in MyMoveworks
-
_
-
Go to Certificates & secrets.
-
Click New client secret.
-
Add Description and Expires. 24 months is our recommended option to go with as it is the longest time possible. You can have multiple secrets at once, so before one expires you can create another for a seamless cutover.
-
Write down the Value as your
idp_secret
-
Go to the Overview tab and note down your Application (client) ID. This is your
idp_client_id
-
Click Endpoints > OpenID Connect metadata document and paste it in your browser
-
Copy the
issuer
from the resulting JSON. This is youridp_issuer
-
Navigate to SSO Settings in MyMoveworks
-
If you already see a
studio
config, edit it. Otherwise, choose Create. -
Add your configuration using the values you've noted above
- Moveworks Product:
studio
- Select Connector:
ms_graph
- Authentication Protocol:
OIDC
- IDP Redirect URL:
https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc
- IDP Issuer:
idp_issuer
(from Step 7) - IDP Client Id:
idp_client_id
(from Step 5) - IDP Client Secret:
idp_client_secret
(from Step 4)
- Moveworks Product:
-
Click Submit.
-
Wait a few minutes, then attempt to log into your instance at
https://{{subdomain}}.{{data_center_domain}}
FAQ
How do I assign users to an Entra Application?
-
Go to Enterprise Applications in Azure
-
Find the application you just registered.
-
From there, click Manage > Properties as shown below.
-
From the Properties page, toggle the Assignment required field to Yes, and Visible to users field to Yes as shown below.
-
Navigate to the Users and groups section and assign the app to all users that need access to it either directly or via a group.
-
When your users navigate to the MyApps Portal after a few minutes, they should be able to see the app and login directly from there.
Updated 5 days ago