Start at the Microsoft Azure Portal.

Application registration: Navigate to App registrations in the Azure Portal. Click on New registration to create a new application.

The Redirect URL must end with SSO_OIDC/. For example:
http://localhost:9090/SSO_OIDC/
or
https://your.crushftp.domain.com/SSO_OIDC/

Secret key: A new client secret must be created. Go to Certificates & secrets and generate one by clicking on New client secret. Copy the secret's Value immediately; the portal does not show it again once you leave the page.


Configure the API Permissions:
Ensure the application has the following Delegated Permissions assigned:
a.) User.Read: This permission allows an application to access basic profile information of the signed-in user (such as name, email address, user ID (object ID), user principal name (UPN), and tenant ID).
b.) GroupMember.Read.All (Optional): This permission allows the application to read the members of all groups in the directory, that is, to list the users, devices, service principals, and other groups that are members of Microsoft 365 groups, security groups, and distribution groups. It requires admin consent; ordinary users cannot approve it.

Grant Admin consent for the newly added permission.

Get Client ID and Tenant ID from App registration -> Overview.

Group info:
You can add the groups claim to the authorization token. Including group claims in tokens allows applications to determine a user’s group memberships immediately upon login, without the need for additional API calls.
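
An added example, not CrushFTP's or the CrushOIDC plugin's code: with the groups claim enabled, the token either carries the group list or, when the user belongs to too many groups to fit, only an overage marker, in which case membership has to be read separately. The function names are hypothetical and the sample tokens are constructed and unsigned.

```python
import base64
import json

def jwt_payload(token):
    """Decode a JWT payload for inspection only (no signature check;
    the OIDC client must have validated the token already)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def resolve_groups(claims):
    """Return (source, group_ids) describing how membership is conveyed.

    "token"   - groups claim present: list of group IDs (object IDs by default)
    "overage" - claim omitted because the user is in too many groups;
                membership must be read from Microsoft Graph, which is
                where GroupMember.Read.All is needed
    "none"    - no groups claim configured, or the user has no groups
    """
    groups = claims.get("groups")
    if isinstance(groups, list):
        return "token", [str(g) for g in groups]
    # Overage markers: _claim_names maps "groups" to an external source,
    # or (implicit flow) hasgroups is set instead of the list itself.
    names = claims.get("_claim_names") or {}
    if "groups" in names or claims.get("hasgroups") in (True, "true"):
        return "overage", []
    return "none", []

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])

# Constructed sample claims; the GUIDs are placeholders, not real group IDs.
WITH_GROUPS = make_sample_token({
    "preferred_username": "alice@example.com",
    "groups": ["00000000-0000-0000-0000-000000000001",
               "00000000-0000-0000-0000-000000000002"]})
OVERAGE = make_sample_token({
    "preferred_username": "bob@example.com",
    "_claim_names": {"groups": "src1"}})

if __name__ == "__main__":
    for token in (WITH_GROUPS, OVERAGE):
        print(resolve_groups(jwt_payload(token)))
```

Treat "overage" and "none" as no group-based access until membership is confirmed, so a missing claim never widens what a user can reach.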

Copy and securely store the Client ID and Client Secret as these will be required for the CrushOIDC plugin configuration.
Continue on: CrushOIDC
This page (revision-22) was last changed on 19-May-2025 09:27 by krivacsz