Entra ID
Overview
ProvEn 2.0 uses multi-tenant Entra ID app registrations for authentication: one main registration and one API registration per environment. A registration is installed into each target tenant as an Enterprise application (service principal) at the point that tenant grants admin consent. Details on this can be found here.

Main app registrations:

| Name | Environment | App ID | Base scope |
|---|---|---|---|
| ProvEn2.0-DEV | Development | 8dab6874-b988-4958-b6d1-106fb6ef250e | api://ProvEn2_dev/.default |
| ProvEn2.0-TEST | Test (UAT) | 803f9c45-7c92-40bd-8fb1-23b88e77ab55 | api://ProvEn2_test/.default |
| ProvEn2.0 | Production | 52253a1a-406a-43b9-857c-5837ae6a80e3 | api://ProvEn2/.default |

API app registrations:

| Name | Environment | App ID |
|---|---|---|
| ProvEn2.0 API-DEV | Development | 27267ce8-ed81-4354-94d9-ea685862ff9c |
| ProvEn2.0 API-TEST | Test (UAT) | 30226a11-cd41-46c0-9b01-6f07b51976f8 |
| ProvEn2.0 API | Production | 88808195-75e8-4fe3-a18d-37cdf9c36a88 |
Authentication
Each of the main app registrations includes redirect (callback) URLs for the following:

- `http://localhost`: mainly a placeholder used for authentication/admin consent so that a valid redirect URL exists. Entra ID only accepts plain HTTP for loopback addresses, so this should remain the only non-HTTPS redirect URL on the registration.
- `/.auth/login/aad/callback` on each of the Durable Functions Monitor and INI Audit Log Search apps. Both make use of Azure's built-in authentication (App Service authentication), which handles the callback on that path.
Certificates & secrets
Certificate-based authentication is preferred over client secrets for a few reasons:

- With a certificate, the client signs a short-lived JWT client assertion and only the public certificate is stored on the app registration; the private key is never sent to Entra ID. A client secret is a shared string sent on every token request and is directly usable by anyone who obtains it.
- Certificates can have longer lifespans than secrets where necessary, and can be automatically renewed via Key Vault.
- SharePoint Online app-only authentication does not support client secrets.
There is a separate certificate per app, as well as for some integrations. These are named accordingly.
Two client secrets exist, used by the built-in (App Service) authentication configuration of the Durable Functions Monitor and INI Audit Log Search apps.
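The following is an added example, not ProvEn project code, showing what a certificate credential consists of on the client side: MSAL signs a short-lived JWT client assertion with the private key and puts the SHA-1 thumbprint of the registered certificate in the assertion's `x5t` header, so the only secret material is the key that stays in the process (or in Key Vault). Assumptions not taken from the page: the certificate and its private key have been exported from Key Vault as a single PEM bundle, the `msal` package is available for the actual token request, and the sample PEM bodies are placeholder bytes rather than a real key or X.509 certificate.

```python
"""Added example (not ProvEn project code): certificate credential handling as
MSAL expects it. Assumptions: PEM bundle exported from Key Vault; `msal` present
only for the network call; SAMPLE_PEM is constructed placeholder data."""
import base64
import hashlib
import re
import textwrap


def pem_block(pem: str, label: str) -> str:
    """Return the first '-----BEGIN <label>-----' block including its armor lines."""
    m = re.search(rf"-----BEGIN {label}-----.*?-----END {label}-----", pem, re.S)
    if not m:
        raise ValueError(f"no {label} block in PEM bundle")
    return m.group(0)


def _der(block: str) -> bytes:
    """Strip the armor lines and base64-decode the body to DER bytes."""
    body = "".join(line.strip() for line in block.splitlines()[1:-1])
    return base64.b64decode(body)


def certificate_thumbprint(pem: str) -> str:
    """Hex SHA-1 of the DER certificate: the 'Thumbprint' value shown on the
    app registration's Certificates & secrets blade."""
    return hashlib.sha1(_der(pem_block(pem, "CERTIFICATE"))).hexdigest().upper()


def x5t_header_value(pem: str) -> str:
    """The same digest, base64url without padding: the x5t header of the JWT
    client assertion that MSAL signs with the private key."""
    digest = hashlib.sha1(_der(pem_block(pem, "CERTIFICATE"))).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_certificate_credential(pem: str) -> dict:
    """client_credential dict accepted by msal.ConfidentialClientApplication.
    The private key is used locally to sign the assertion and is never sent
    to Entra ID, unlike a client secret."""
    return {
        "private_key": pem_block(pem, "PRIVATE KEY"),
        "thumbprint": certificate_thumbprint(pem),
        "public_certificate": pem_block(pem, "CERTIFICATE"),
    }


def acquire_engine_token(tenant_id: str, client_id: str, pem: str,
                         scope: str = "api://ProvEn2/.default") -> dict:
    """Client-credentials token request; needs network and a real certificate."""
    import msal  # imported here so the offline helpers above work without it
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=build_certificate_credential(pem),
    )
    return app.acquire_token_for_client(scopes=[scope])


def pem_armor(label: str, raw: bytes) -> str:
    """Wrap raw bytes in PEM armor (used only to build the constructed sample)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{textwrap.fill(b64, 64)}\n-----END {label}-----"


# Constructed sample bundle: placeholder bytes, not a real key or certificate.
# The thumbprint/x5t handling is identical for a genuine DER certificate.
SAMPLE_PEM = "\n".join([
    pem_armor("PRIVATE KEY", b"placeholder-private-key-bytes-not-a-real-key"),
    pem_armor("CERTIFICATE", b"placeholder-certificate-der-bytes-not-real"),
])

if __name__ == "__main__":
    print("thumbprint:", certificate_thumbprint(SAMPLE_PEM))
    print("x5t:", x5t_header_value(SAMPLE_PEM))
```

When rotating a certificate through Key Vault, the thumbprint changes; the new public certificate must be uploaded to the app registration before the old one is retired, otherwise assertions signed with the new key are rejected because their `x5t` matches nothing on the registration.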
API Permissions
This is the list of API permissions that the engine (and main integrations) are permitted to use. Changes to permissions here must be tightly controlled, because the engine picks them up immediately. A newly added permission only becomes usable in a target tenant once an administrator of that tenant re-grants admin consent; until then, tokens issued in that tenant will not carry the new permission.
App Roles
The main app registrations define app roles intended to be granted to an application consuming the ProvEn 2.0 REST API. Any role defined here can be added as an application permission (API permission) on another app registration; the consuming app then receives the role name in the `roles` claim of its access token.
Changes to these app role definitions take effect in target tenants immediately; no consent is required for the definitions themselves (granting a role to a consuming app is still an admin consent action in that tenant).
The same roles are also configured in the App Configuration instance, which controls which role is allowed to call which route.
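As an added example (not ProvEn project code), the following shows the claims-level checks an API would apply after signature validation, using a route-to-role map of the kind the page says is kept in App Configuration. Assumptions not taken from the page: the role names `Engine.Read` and `Engine.Write` and the route paths are hypothetical; tokens are accepted for the production main registration (app ID `52253a1a-406a-43b9-857c-5837ae6a80e3` or `api://ProvEn2`); signature and issuer validation against Entra's JWKS is delegated to a JWT library and is not shown; the sample tokens and claims are constructed.

```python
"""Added example (not ProvEn project code): enforce app roles per route from
the `roles` claim of a client-credentials access token. Role names, routes and
sample claims are hypothetical; signature validation happens before this."""
import base64
import json
import re
import time
from typing import Optional, Tuple

# Audiences a token for the production main registration may carry
# (v1 tokens use the App ID URI, v2 tokens the app ID).
ACCEPTED_AUDIENCES = {"52253a1a-406a-43b9-857c-5837ae6a80e3", "api://ProvEn2"}

# Hypothetical mapping of the shape App Configuration holds: (method, route) -> role
ROUTE_ROLES = {
    ("GET", r"^/api/requests$"): "Engine.Read",
    ("GET", r"^/api/requests/[^/]+$"): "Engine.Read",
    ("POST", r"^/api/requests$"): "Engine.Write",
}


def required_role(method: str, path: str) -> Optional[str]:
    """Role configured for this route, or None if the route is not configured."""
    for (m, pattern), role in ROUTE_ROLES.items():
        if m == method.upper() and re.match(pattern, path):
            return role
    return None


def authorize(claims: dict, method: str, path: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a (signature-verified) token may call the route."""
    now = time.time() if now is None else now
    role = required_role(method, path)
    if role is None:
        return False, "route not configured: deny by default"
    if claims.get("aud") not in ACCEPTED_AUDIENCES:
        return False, "token was not issued for the ProvEn 2.0 API"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # App roles arrive in `roles`; a delegated (user) token carries `scp` instead
    # and must not be accepted here even if the user belongs to the tenant.
    roles = claims.get("roles")
    if not roles:
        return False, "no app roles in token (delegated token or role never granted)"
    if role not in roles:
        return False, f"role {role} required"
    return True, f"allowed via {role}"


def decode_claims_unverified(token: str) -> dict:
    """Payload segment of a JWT; use only after the signature has been verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for exercising the decoder only."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "signature-placeholder"])


# Constructed sample claims (hypothetical roles, fixed clock for repeatability)
SAMPLE_NOW = 1_700_000_000
READER_CLAIMS = {"aud": "api://ProvEn2", "exp": SAMPLE_NOW + 3600, "roles": ["Engine.Read"]}
WRITER_CLAIMS = {"aud": "api://ProvEn2", "exp": SAMPLE_NOW + 3600,
                 "roles": ["Engine.Read", "Engine.Write"]}
DELEGATED_CLAIMS = {"aud": "api://ProvEn2", "exp": SAMPLE_NOW + 3600, "scp": "access_as_user"}

if __name__ == "__main__":
    for name, claims, method, path in [
        ("reader GET", READER_CLAIMS, "GET", "/api/requests/42"),
        ("reader POST", READER_CLAIMS, "POST", "/api/requests"),
        ("writer POST", WRITER_CLAIMS, "POST", "/api/requests"),
        ("delegated GET", DELEGATED_CLAIMS, "GET", "/api/requests/42"),
    ]:
        print(name, authorize(claims, method, path, now=SAMPLE_NOW))
```

Denying unconfigured routes by default means adding a route without a matching entry in App Configuration fails closed, which is the behaviour to want when the role list and the route list are maintained in different places.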