Installation

Frode Hus edited this page Sep 16, 2025 · 6 revisions

Entra ID application registration

In the Microsoft Entra admin center, go to App registrations and create a new registration with the following settings:

  • Redirect URI (Web): http://localhost:5099/signin-oidc, or your FQDN:port
  • Redirect URI (Single Page Application): http://localhost:5173/, or your FQDN:port
  • Expose an API: api://<fqdn>/entra-role-reaper with scope access_as_user
  • Client secret: create one and store it securely (it is only shown once)

Grant admin consent to the API permissions the API needs in order to call Microsoft Graph on behalf of the signed-in user (on-behalf-of flow):

Microsoft Graph delegated scopes (admin consent):

  • User.Read
  • User.ReadBasic.All
  • User.Read.All
  • Group.Read.All
  • Directory.Read.All
  • AuditLog.Read.All
  • RoleManagement.Read.Directory
  • RoleEligibilitySchedule.Read.Directory (required to read PIM eligible roles)
  • RoleAssignmentSchedule.Read.Directory (required to read PIM active assignments)

Optional:

  • RoleAssignmentSchedule.ReadWrite.Directory (used by in-app PIM role activation)
  • RoleManagement.ReadWrite.Directory (used for custom role creator functionality)

Note on PIM: To include Microsoft Entra PIM information in reviews (eligible and active PIM assignments), the API needs the schedule read scopes above. Without them, the app still works but won’t display PIM labels or eligibility.

Docker

  1. Create a .env file in the same directory as docker-compose.yml with the following contents:

       AZUREAD_TENANT_ID=<insert your tenant id here>
       AZUREAD_CLIENT_ID=<insert your client id here>
       AZUREAD_CLIENT_SECRET=<insert your client secret here>
       AZUREAD_AUDIENCE=<insert `api://<fqdn>/entra-role-reaper` here>
       AZUREAD_DOMAIN=<insert your domain name here>
       # Web (SPA) MSAL settings
       VITE_API_SCOPE=<insert `api://<fqdn>/entra-role-reaper/access_as_user` here>

  2. Run docker compose up --build
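A preflight check for the .env file before running docker compose, added here as an example (not part of the project's own tooling): it confirms every key the page lists is set and is not still a placeholder, that AZUREAD_AUDIENCE has the api://<fqdn>/entra-role-reaper shape, and that VITE_API_SCOPE is that audience plus /access_as_user, since a mismatch between the two is a common reason the SPA's token is rejected by the API. The sample .env values are constructed.

```shell
#!/bin/sh
# Writes a constructed sample .env (example values only) to the given path so the check can run offline.
write_sample_env() {
  cat > "$1" <<'EOF'
AZUREAD_TENANT_ID=00000000-0000-0000-0000-000000000000
AZUREAD_CLIENT_ID=11111111-1111-1111-1111-111111111111
AZUREAD_CLIENT_SECRET=example-secret-value-do-not-commit
AZUREAD_AUDIENCE=api://reaper.example.com/entra-role-reaper
AZUREAD_DOMAIN=example.com
# Web (SPA) MSAL settings
VITE_API_SCOPE=api://reaper.example.com/entra-role-reaper/access_as_user
EOF
}

# env_get FILE KEY: prints the value of KEY from FILE (empty if the key is absent).
env_get() {
  grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# check_env FILE: returns 0 when all required keys are present and not placeholders,
# AZUREAD_AUDIENCE looks like api://<fqdn>/entra-role-reaper, and VITE_API_SCOPE equals
# AZUREAD_AUDIENCE followed by /access_as_user. Each failure is printed; returns 1 on any failure.
check_env() {
  f=$1
  rc=0
  for k in AZUREAD_TENANT_ID AZUREAD_CLIENT_ID AZUREAD_CLIENT_SECRET AZUREAD_AUDIENCE AZUREAD_DOMAIN VITE_API_SCOPE; do
    v=$(env_get "$f" "$k")
    case "$v" in
      ""|"<"*) echo "missing or placeholder value: $k"; rc=1 ;;   # placeholders in the template start with '<'
    esac
  done
  aud=$(env_get "$f" AZUREAD_AUDIENCE)
  case "$aud" in
    api://*/entra-role-reaper) ;;
    *) echo "AZUREAD_AUDIENCE should look like api://<fqdn>/entra-role-reaper"; rc=1 ;;
  esac
  if [ "$(env_get "$f" VITE_API_SCOPE)" != "$aud/access_as_user" ]; then
    echo "VITE_API_SCOPE must be AZUREAD_AUDIENCE followed by /access_as_user"
    rc=1
  fi
  return $rc
}

# Assumed usage (not the project's own command): check_env .env && docker compose up --build
```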