Version 2.5
Microsoft Entra ID

Configure a Microsoft Entra ID (formerly Azure AD) application so Sema4.ai can sign users in over OIDC. Follow these steps, then bring the resulting Discovery URL, Client ID, and Client Secret to your deployment.

Replace <YOUR_HOSTNAME> below with your deployment's hostname (the URL where the application is reached).

What you'll collect

By the end you'll have three values to put in your deployment's values file:

Value           Where it comes from                                        Values file key
Discovery URL   The Endpoints blade (OpenID Connect metadata document)     oidcServer
Client ID       The Overview blade (Application (client) ID)               oidcClientId
Client Secret   The Certificates & secrets blade (secret value)            oidcClientSecret

Step 1: Register the application

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Identity > Applications > App registrations and click New registration.
  3. Provide a name for your application (for example, "Sema4.ai Agents").
  4. Under Supported account types, select Accounts in this organizational directory only (or as required by your company policy).
  5. Click Register.
Entra App registrations

You can set the initial Web redirect URI here during registration:

Register an application in Entra

Step 2: Configure authentication settings

Open the Authentication blade and add a Web platform configuration with this redirect URI:

  • Login callback: https://<YOUR_HOSTNAME>/oidc/login/callback

That's all that's needed here — you don't need a logout callback, and you don't need to configure token types or scopes; the application requests what it needs.

Step 3: Capture the application credentials

  1. Go to Certificates & secrets, click New client secret, and copy the secret Value (this is your Client Secret, oidcClientSecret). Copy the Value column, not the Secret ID; the Secret ID is a GUID that identifies the secret and will not authenticate.
  2. On the Overview blade, copy the Application (client) ID (your Client ID, oidcClientId).
  3. Open the Endpoints blade (the Endpoints button at the top of the app registration) and copy the OpenID Connect metadata document URL. This is your Discovery URL (oidcServer) in the values file.
Certificates and secrets
Client secret value
Application overview with the client ID
Entra endpoints with the OpenID Connect metadata document URL

Step 4: Restrict who can sign in (optional)

By default, any user in your tenant who can complete sign-in can access the application. To limit access to specific users or groups, use the matching enterprise application:

  1. Go to Identity > Applications > Enterprise applications and open the application (same name as your registration).
  2. Under Properties, set Assignment required? to Yes and Save.
  3. Under Users and groups, click Add user/group and assign the users or groups allowed to sign in.

With assignment required, only assigned users and groups can authenticate; everyone else in the tenant is blocked at login.

Assigning individual users works on any tier; assigning a group to the application requires Microsoft Entra ID P1 or P2.

Step 5: Finalize

You now have the three values from the table at the top of this page:

  • Discovery URL (oidcServer) — e.g. https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration
  • Client ID (oidcClientId)
  • Client Secret (oidcClientSecret)

Put these in your deployment's values file when you install the application.
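Before installing, it is worth checking the three values against the common mistakes from the steps above (pasting the Secret ID instead of the secret Value, or a tenant URL instead of the metadata document URL). The check below is an added example, not part of Sema4.ai's tooling; the metadata document it inspects is a constructed, trimmed sample, and all GUIDs and the secret are placeholders.

```python
import json
import re

# Constructed sample of the OpenID Connect metadata document (trimmed to the
# fields this check reads). The tenant ID is an all-zero placeholder.
SAMPLE_DISCOVERY_DOC = json.loads("""{
  "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys"
}""")

# Constructed values-file entries; client ID and secret are placeholders.
GOOD_VALUES = {
    "oidcServer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration",
    "oidcClientId": "12345678-90ab-cdef-1234-567890abcdef",
    "oidcClientSecret": "placeholder-secret-value-not-a-real-secret",
}

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_values(values: dict, discovery_doc: dict) -> list:
    """Return a list of problems with the three values-file keys; empty means OK."""
    problems = []
    server = values.get("oidcServer", "")
    if not server.endswith("/.well-known/openid-configuration"):
        problems.append("oidcServer must be the OpenID Connect metadata document URL")
    # The v2.0 issuer is the prefix of the metadata document URL; a mismatch
    # usually means the URL points at a different tenant or at the v1 endpoint.
    issuer = discovery_doc.get("issuer", "")
    if not issuer or not server.startswith(issuer):
        problems.append("oidcServer does not match the issuer in the metadata document")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery_doc:
            problems.append(f"metadata document lacks {key}")
    # The Application (client) ID is always a GUID.
    if not GUID.match(values.get("oidcClientId", "")):
        problems.append("oidcClientId should be the Application (client) ID, a GUID")
    # The secret Value is an opaque string; the Secret ID next to it is a GUID.
    secret = values.get("oidcClientSecret", "")
    if GUID.match(secret):
        problems.append("oidcClientSecret looks like a Secret ID (GUID); copy the Value column instead")
    elif not secret:
        problems.append("oidcClientSecret is empty")
    return problems
```

To check a live tenant, fetch the Discovery URL with an HTTPS client, parse the JSON body, and pass it in place of SAMPLE_DISCOVERY_DOC.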