Register Nodinite Applications in Azure AD (Entra ID) with OpenID
Empower your organization with secure, modern authentication and authorization using Microsoft Entra ID (Azure AD) and Nodinite. This guide provides step-by-step instructions to register and configure the webApi, webClient, and NodiniteInstallationClient applications for seamless integration, robust security, and future-proof scalability.
- ✅ Effortlessly register Azure AD applications for Nodinite integration
- ✅ Enable secure OpenID Connect authentication for all Nodinite services
- ✅ Grant delegated and application permissions with admin consent for compliance
- ✅ Streamline token and manifest configuration for reliability
- ✅ Capture all essential IDs and secrets for ongoing management
For details on configuring OpenID Connect and OAuth 2.0 authentication in Nodinite, see the Install Nodinite v7 – OpenID Connect (OIDC) and OAuth 2.0 guide.
Prerequisites
Before you begin, ensure you have:
- Entra ID administrator access – You need a directory role that can register applications and grant tenant-wide admin consent (for example Cloud Application Administrator or Global Administrator).
- A Microsoft Entra ID (Azure AD) tenant – App registrations are created in the tenant; an Azure subscription is not required for the steps in this guide.
- A secure location to store credentials – Keep a password manager or secure note app ready to capture sensitive values.
What You Will Create
You will register three distinct applications in Microsoft Entra ID (Azure AD), each serving a critical role in your Nodinite integration. This separation of concerns enhances security, simplifies troubleshooting, and provides granular control over permissions:
- webApi – The backbone of your integration. This protected API exposes delegated permission scopes (for user access) and application permission app roles (for service-to-service communication). It ensures that only authorized applications and users can interact with Nodinite resources.
- webClient – Your users' gateway to Nodinite. This interactive web application requests delegated permission scopes, enabling users to sign in securely and access Nodinite features with their Azure AD credentials. It leverages modern authentication protocols like Authorization Code + PKCE for maximum security.
- NodiniteInstallationClient – Your automation powerhouse. This background/daemon client uses application permissions to perform unattended tasks like installations, updates, and system maintenance without user interaction. It enables seamless CI/CD integration and automated operations.
You complete this setup when:
- You configure the API to expose `nodinite_webapi_all` (Scope) and `AppRole_WebApi_all` (App Role).
- You grant the webClient the delegated permission (Admin consent = Granted).
- You grant the NodiniteInstallationClient the application permission (Admin consent = Granted).
- You have copied all IDs, secrets, and the API Application ID URI for future reference.
Tip
Keep a secure note open to capture: Tenant (Directory) ID, each Application (client) ID, each Secret Value (shown only once), and the API Application ID URI.
1. Create the API Application – webApi
💡Register the webApi — the secure, manageable API that lets you control who and what accesses Nodinite services.
1.1 Register the Application
- Azure Portal: Microsoft Entra ID > App registrations > + New registration.
- Name: `webApi`
- Supported account types: Accounts in this organizational directory only (Single tenant).
- Redirect URI: (leave blank)
- Click Register.
- In Overview, copy Application (client) ID and Directory (tenant) ID.
The Azure Portal displays the registered webApi application overview.
1.2 Set Application ID URI & Add Scope
The Application ID URI uniquely identifies your API in your organization. Client applications use this URI to request tokens for your API.
- Left menu: Expose an API.
- If prompted, click Set for Application ID URI (accept default or confirm the value).
- Under Scopes defined by this API, click + Add a scope.
- Scope name: `nodinite_webapi_all`
- Who can consent: Admins only
- Admin consent display name: Full access to Nodinite WebAPI
- Admin consent description: Full access to Nodinite WebAPI
- State: Enabled
- Click Add scope.
You add a scope to the webApi application for delegated permissions.
1.3 Add App Role (Application Permission)
- Still on the Expose an API page, click Go to App roles (or use the left menu: App roles).
- Click + Create app role:
- Display name: `AppRole_WebApi_all`
- Allowed member types: Users/Groups, Applications (ensure Applications is included; without it the NodiniteInstallationClient cannot be granted this role)
- Value: `AppRole_WebApi_all`
- Description: `AppRole_WebApi_all`
- State: Enabled
- Click Apply / Create.
You configure app roles for application permissions in webApi.
1.4 Add Groups Claim to Tokens
Adding groups claims enables Nodinite to leverage your Azure AD security groups for role-based access control (RBAC), simplifying permission management.
- Left menu: Token configuration.
- Click + Add groups claim.
- Select Security groups (or the option your environment requires) and ensure Group ID is the chosen format for both Access and ID tokens. Note that Entra ID omits the groups claim and emits an overage indicator instead when a user belongs to more than 200 groups, so keep the groups you map in Nodinite to a manageable number.
- Click Add and then Save.
The token configuration shows the groups claim you added for security groups.
1.5 Set Access Token Version to 2
Setting requestedAccessTokenVersion to 2 makes Entra ID issue v2.0 access tokens for webApi. Compared with v1.0 tokens, these use the v2.0 issuer (https://login.microsoftonline.com/{tenant}/v2.0) and carry the API's Application (client) ID in the aud claim rather than the Application ID URI. Nodinite validates tokens against the v2.0 claim format, so a v1.0 token is rejected.
- Left menu: Manifest.
- Locate `"requestedAccessTokenVersion": 2` (in the Microsoft Graph manifest format it sits under the `api` section). If it is missing or set to another value (including `null`), set it to `2`.
- Click Save.
You configure the manifest with requestedAccessTokenVersion set to 2.
✅ webApi configuration is complete. You have successfully created the core API that powers your Nodinite authentication infrastructure.
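The following added example (not part of Nodinite or this guide) shows what steps 1.2 to 1.5 change in the access tokens webApi receives, and the claim checks a resource server should apply after it has verified the token signature against the tenant's JWKS: the v2.0 issuer and `ver`, an `aud` equal to the webApi Application (client) ID (a v1.0 token carries the `api://...` Application ID URI instead), the tenant, the validity window, the calling application (`azp`), and either the delegated `scp` or the application `roles` claim. The tenant and client IDs are placeholders, and the three sample tokens are constructed and unsigned; they are not tokens issued by Entra ID.

```python
import base64
import json
import time
from typing import Optional

# Values copied from the portal Overview pages (constructed placeholders here).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
WEBAPI_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
WEBCLIENT_ID = "33333333-3333-3333-3333-333333333333"
INSTALLER_ID = "55555555-5555-5555-5555-555555555555"
ALLOWED_CALLERS = {WEBCLIENT_ID, INSTALLER_ID}
WEBAPI_SCOPE = "nodinite_webapi_all"
WEBAPI_APP_ROLE = "AppRole_WebApi_all"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Split a compact JWT and return its payload. This does NOT verify the
    signature; validate it against the tenant JWKS before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, now: Optional[float] = None) -> list:
    """Return a list of problems; an empty list means the token matches the setup."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("ver") != "2.0":
        problems.append(f"ver={claims.get('ver')!r}: set requestedAccessTokenVersion to 2 on webApi")
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tid") != TENANT_ID:
        problems.append("token was issued by another tenant")
    # v2 tokens carry the API's client ID as audience; v1 tokens carry the
    # Application ID URI (api://...), which is why the token version matters.
    if claims.get("aud") != WEBAPI_CLIENT_ID:
        problems.append(f"aud={claims.get('aud')!r} is not the webApi client ID")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        problems.append("token is expired or not yet valid")
    # Only the two registered clients may call the API.
    if claims.get("azp") not in ALLOWED_CALLERS:
        problems.append(f"azp={claims.get('azp')!r} is not webClient or NodiniteInstallationClient")
    scopes = set(claims.get("scp", "").split())  # delegated: space-separated string
    roles = set(claims.get("roles", []))         # application: list of role values
    if WEBAPI_SCOPE not in scopes and WEBAPI_APP_ROLE not in roles:
        problems.append("neither the delegated scope nor the app role is present; "
                        "check API permissions and admin consent")
    return problems


def caller_kind(claims: dict) -> str:
    """'delegated' (a signed-in user via webClient) or 'application'
    (NodiniteInstallationClient acting as itself)."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT with an empty signature, for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


# Constructed sample payloads (not real tokens) mirroring what each client obtains.
_COMMON = {"iss": EXPECTED_ISSUER, "tid": TENANT_ID, "aud": WEBAPI_CLIENT_ID,
           "ver": "2.0", "nbf": 1700000000, "exp": 1700003600}
DELEGATED_TOKEN = make_unsigned_token({**_COMMON, "scp": WEBAPI_SCOPE, "azp": WEBCLIENT_ID,
                                       "groups": ["44444444-4444-4444-4444-444444444444"],
                                       "name": "Jane Doe"})
APP_ONLY_TOKEN = make_unsigned_token({**_COMMON, "roles": [WEBAPI_APP_ROLE], "azp": INSTALLER_ID})
V1_TOKEN = make_unsigned_token({**_COMMON, "ver": "1.0",
                                "iss": f"https://sts.windows.net/{TENANT_ID}/",
                                "aud": f"api://{WEBAPI_CLIENT_ID}",
                                "appid": WEBCLIENT_ID, "scp": WEBAPI_SCOPE})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN), ("v1", V1_TOKEN)):
        claims = decode_claims(tok)
        print(name, caller_kind(claims), check_claims(claims, now=1700001000) or "OK")
```

Paste a real access token obtained for webApi into `decode_claims` to see which step was skipped: a `ver` of `1.0` together with an `api://` audience points at step 1.5, a missing `scp` or `roles` claim points at the admin consent in 2.3 or 3.2.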
2. Create the Interactive Client – webClient
💡Register the webClient — give your users secure, single-sign-on access to Nodinite using Azure AD and modern authentication.
2.1 Register webClient
- App registrations > + New registration.
- Name:
webClient
- Supported account types: Single tenant.
- Redirect URI (Platform Web): Enter the URL where your Nodinite Web Client will be hosted, followed by `/signin-oidc`, for example `https://nodinite.yourdomain.com:50000/signin-oidc`. If you are testing locally, use `http://localhost:50000/signin-oidc` or your local development URL. The registered value must match what Nodinite sends exactly (scheme, host, port and path), and only localhost may use plain http.
- Click Register.
- Copy the Application (client) ID. You will need this value when configuring Nodinite.
The Azure Portal displays the registered webClient application overview.
2.2 Configure Authentication
Secure your authentication flow by using modern protocols. The Authorization Code + PKCE flow provides superior security compared to legacy implicit grant flows.
- Left menu: Authentication.
- Confirm the redirect URI is listed.
- Leave Implicit grant checkboxes unchecked (modern auth uses Authorization Code + PKCE for enhanced security).
- Ensure Allow public client flows is No (unless specifically required for mobile/desktop scenarios).
- Click Save if you made any changes.
You configure authentication settings for the webClient application.
2.3 Add API Permissions (Delegated)
- Left menu: API permissions > + Add a permission.
- Choose My APIs > select webApi.
- Choose Delegated permissions and tick `nodinite_webapi_all`.
- Click Add permissions.
- Click Grant admin consent for [Your Tenant Name] and confirm. The status should change to Granted. This step is crucial—it authorizes the webClient to access the webApi on behalf of your users.
You configure API permissions for delegated access to webApi.
2.4 Create Client Secret (Confidential Web App)
- Left menu: Certificates & secrets > + New client secret.
- Add a description and an expiry per policy. Record the expiry date: the secret must be rotated in both Azure AD and Nodinite before it lapses, or sign-in stops working.
- Click Add.
- Copy the Value immediately (it is shown only once); store it in your password manager, never in a ticket, chat or source control.
You create a client secret for the webClient application.
✅ Web Client configuration is complete. Your users can now sign in to Nodinite securely using their Azure AD credentials, enabling centralized identity management and single sign-on (SSO) capabilities.
3. Create the Installation / Daemon Client – NodiniteInstallationClient
3.1 Register
💡Register the NodiniteInstallationClient — enable secure, unattended automation for installs, updates, and maintenance to streamline your DevOps workflows.
- App registrations > + New registration.
- Name:
NodiniteInstallationClient
- Supported account types: Single tenant.
- Redirect URI: leave blank.
- Register.
- Copy Application (client) ID.
The Azure Portal displays the registered NodiniteInstallationClient application overview.
3.2 Add Application Permission
Application permissions enable service-to-service authentication without user interaction—essential for automated deployments and background tasks.
- Left menu: API permissions > + Add a permission.
- My APIs > select webApi.
- Choose Application permissions (not Delegated).
- Tick `AppRole_WebApi_all`.
- Click Add permissions.
- Click Grant admin consent and confirm. The status should change to Granted. This authorizes the installation client to act independently without requiring a signed-in user.
You configure API permissions for the NodiniteInstallationClient application.
3.3 Create Client Secret
- Left menu: Certificates & secrets > + New client secret.
- Add a description and an expiry per policy, and record the expiry date for rotation.
- Click Add and copy the Value immediately; store securely.
You create a client secret for the NodiniteInstallationClient application.
✅ NodiniteInstallationClient configuration is complete. You now have a robust automation client that can perform unattended installations, updates, and maintenance tasks—perfect for DevOps workflows and CI/CD pipelines.
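Sections 1 to 3 are portal click-throughs. The following added example (written for this page; not Nodinite's own tooling) reproduces the same three registrations with Microsoft Graph calls so the setup is repeatable across tenants. The request bodies mirror the portal settings step by step (single tenant, the `nodinite_webapi_all` admin-only scope, the `AppRole_WebApi_all` role allowing Applications, the groups claim, `requestedAccessTokenVersion` 2, no implicit grant, public client flows off), and the two consent actions are expressed as what they are in Graph: an `oauth2PermissionGrant` for the delegated scope and an `appRoleAssignment` for the application permission. The redirect URI and the way the Graph token is obtained (`GRAPH_TOKEN` environment variable) are assumptions; the caller needs `Application.ReadWrite.All`, `DelegatedPermissionGrant.ReadWrite.All` and `AppRoleAssignment.ReadWrite.All`.

```python
"""Reproduce sections 1-3 of the guide with Microsoft Graph calls."""
import json
import os
import urllib.request
import uuid
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
SCOPE_VALUE = "nodinite_webapi_all"
ROLE_VALUE = "AppRole_WebApi_all"
# Assumed hostname; use the real Nodinite Web Client URL from step 2.1.
REDIRECT_URI = "https://nodinite.yourdomain.com:50000/signin-oidc"


def webapi_body(scope_id: str, role_id: str) -> dict:
    """Section 1: single-tenant API exposing one admin-only scope and one app
    role, groups claim enabled (1.4), v2 access tokens requested (1.5)."""
    return {
        "displayName": "webApi",
        "signInAudience": "AzureADMyOrg",
        "groupMembershipClaims": "SecurityGroup",
        "api": {
            "requestedAccessTokenVersion": 2,
            "oauth2PermissionScopes": [{
                "id": scope_id, "value": SCOPE_VALUE, "type": "Admin", "isEnabled": True,
                "adminConsentDisplayName": "Full access to Nodinite WebAPI",
                "adminConsentDescription": "Full access to Nodinite WebAPI"}]},
        "appRoles": [{
            "id": role_id, "value": ROLE_VALUE, "displayName": ROLE_VALUE,
            "description": ROLE_VALUE, "isEnabled": True,
            "allowedMemberTypes": ["User", "Application"]}],
    }


def client_body(name: str, api_app_id: str, permission_id: str, delegated: bool) -> dict:
    """Section 2 (delegated=True: web redirect URI, Scope permission) or
    section 3 (delegated=False: daemon, no redirect URI, Role permission)."""
    body = {
        "displayName": name,
        "signInAudience": "AzureADMyOrg",
        "isFallbackPublicClient": False,  # "Allow public client flows: No" (2.2)
        "requiredResourceAccess": [{
            "resourceAppId": api_app_id,
            "resourceAccess": [{"id": permission_id,
                                "type": "Scope" if delegated else "Role"}]}],
    }
    if delegated:
        body["web"] = {"redirectUris": [REDIRECT_URI],
                       "implicitGrantSettings": {"enableAccessTokenIssuance": False,
                                                 "enableIdTokenIssuance": False}}
    return body


def graph(token: str, method: str, path: str, body: dict) -> dict:
    """Minimal Graph call; PATCH returns 204 with an empty body."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", method=method, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def register_all(token: str) -> dict:
    scope_id, role_id = str(uuid.uuid4()), str(uuid.uuid4())
    api = graph(token, "POST", "/applications", webapi_body(scope_id, role_id))
    # Step 1.2: Application ID URI, same default the portal offers.
    graph(token, "PATCH", f"/applications/{api['id']}",
          {"identifierUris": [f"api://{api['appId']}"]})
    api_sp = graph(token, "POST", "/servicePrincipals", {"appId": api["appId"]})

    client = graph(token, "POST", "/applications",
                   client_body("webClient", api["appId"], scope_id, True))
    client_sp = graph(token, "POST", "/servicePrincipals", {"appId": client["appId"]})
    # Step 2.3: tenant-wide admin consent for the delegated scope.
    graph(token, "POST", "/oauth2PermissionGrants",
          {"clientId": client_sp["id"], "consentType": "AllPrincipals",
           "resourceId": api_sp["id"], "scope": SCOPE_VALUE})

    daemon = graph(token, "POST", "/applications",
                   client_body("NodiniteInstallationClient", api["appId"], role_id, False))
    daemon_sp = graph(token, "POST", "/servicePrincipals", {"appId": daemon["appId"]})
    # Step 3.2: admin consent for an application permission is an app role assignment.
    graph(token, "POST", f"/servicePrincipals/{daemon_sp['id']}/appRoleAssignments",
          {"principalId": daemon_sp["id"], "resourceId": api_sp["id"], "appRoleId": role_id})

    # Steps 2.4 / 3.3: client secrets; secretText is returned exactly once.
    expiry = (datetime.now(timezone.utc) + timedelta(days=180)).strftime("%Y-%m-%dT%H:%M:%SZ")
    out = {"webApi": {"clientId": api["appId"], "identifierUri": f"api://{api['appId']}"}}
    for name, app in (("webClient", client), ("NodiniteInstallationClient", daemon)):
        cred = graph(token, "POST", f"/applications/{app['id']}/addPassword",
                     {"passwordCredential": {"displayName": "nodinite", "endDateTime": expiry}})
        out[name] = {"clientId": app["appId"], "secret": cred["secretText"], "expires": expiry}
    return out


if __name__ == "__main__":
    # GRAPH_TOKEN: for example from `az account get-access-token --resource-type ms-graph`.
    result = register_all(os.environ["GRAPH_TOKEN"])
    print(json.dumps(result, indent=2))  # contains secrets: store them, then clear the terminal
```

The Directory (tenant) ID is not returned by these calls; read it from the portal Overview as in step 1.1. Because the scope and role IDs are generated client-side, keep the printed output (or the IDs) if you later need to reference the permissions from other registrations.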
What You've Accomplished
Congratulations! You have successfully registered three Azure AD applications that form the security foundation of your Nodinite integration:
- Enhanced Security – Sign-ins now go through Azure AD, so your tenant's multi-factor authentication, Conditional Access policies and sign-in audit logging apply to Nodinite users.
- Centralized Identity Management – Eliminated the need for separate credentials by integrating with your existing Azure AD user directory.
- Granular Access Control – Configured delegated and application permissions that ensure users and services only access what they need.
- Compliance Ready – Authentication and consent events are recorded in the Entra ID sign-in and audit logs, which helps when evidencing access controls for frameworks such as ISO 27001, SOC 2, and GDPR.
- Automation Enabled – Set up a dedicated installation client that streamlines deployments and reduces manual configuration errors.
Next Step
Now that you've registered your Azure AD applications, you're ready to configure Nodinite to use them:
- Install Nodinite v7 – OpenID Connect and OAuth 2.0 – Learn how to input the IDs and secrets you captured into the Nodinite installation wizard.