Scenario 1: Azure AD (Entra ID) App Registration

Objective: Create and configure an Azure AD app registration to serve as the external OIDC identity provider for the self-managed Azure HCP.

Tenant: 520cf09d-...73b09

Overall Scenario 1: PASS — All 5 checks verified.
Step  Check                                           Result  Evidence
----  ----------------------------------------------  ------  ------------------------------------------------------------------
1     Azure AD app registration created               PASS    App: brcox-sm-oidc-test, appId: d638131c-...dbc1, objectId: 0179203b-...0cba
2     Client secret generated                         PASS    Secret: AHs8Q~...8faI7 (expires 2027-06-03)
3     API permissions added (openid, profile, email)  PASS    Microsoft Graph delegated: openid, profile, email
4     Groups claim enabled in ID tokens               PASS    groupMembershipClaims=SecurityGroup
5     Redirect URIs configured for console            PASS    Redirect: https://console-openshift-console.apps.brcox-sm-dev-hc.hcp-sm-azure.azure.devcluster.openshift.com/auth/callback

Commands & Outputs

Step 1: Create app registration

$ az ad app create \
    --display-name "brcox-sm-oidc-test" \
    --sign-in-audience AzureADMyOrg \
    --query '{appId: appId, objectId: id}' -o table

AppId                                 ObjectId
------------------------------------  ------------------------------------
d638131c-...dbc1  0179203b-...0cba

Step 2: Create client secret

$ az ad app credential reset \
    --id d638131c-...dbc1 \
    --display-name "oidc-test-secret" \
    --years 1 \
    --query '{appId: appId, password: password}' -o table

AppId                                 Password
------------------------------------  ----------------------------------------
d638131c-...dbc1  AHs8Q~...8faI7

Step 3: Add API permissions & create service principal

$ az ad app permission add --id d638131c-...dbc1 \
    --api 00000003-0000-0000-c000-000000000000 \
    --api-permissions \
    37f7f235-527c-4136-accd-4a02d197296e=Scope \
    14dad69e-099b-42c9-810b-d002981feec1=Scope \
    64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0=Scope

Invoking `az ad app permission grant ...` is needed to make the change effective

$ az ad sp create --id d638131c-...dbc1

{
  "appDisplayName": "brcox-sm-oidc-test",
  "appId": "d638131c-...dbc1",
  "id": "48b852b9-...d14b",
  "servicePrincipalType": "Application",
  ...
}

$ az ad app permission grant \
    --id d638131c-...dbc1 \
    --api 00000003-0000-0000-c000-000000000000 \
    --scope "openid profile email"

Insufficient privileges to complete the operation.
# Note: admin consent not available; users will consent individually on first login

Step 4: Enable groups claim

$ az ad app update --id d638131c-...dbc1 \
    --set groupMembershipClaims=SecurityGroup

# (silent success)

Step 5: Configure redirect URIs

$ az ad app update --id d638131c-...dbc1 \
    --web-redirect-uris "https://console-openshift-console.apps.brcox-sm-dev-hc.hcp-sm-azure.azure.devcluster.openshift.com/auth/callback"

# (silent success)
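A post-configuration check for the registration built in steps 1 to 5, added here as example code (not part of this report or the HCP tooling): it evaluates the JSON that `az ad app show --id <appId>` returns against the five settings above, using a hand-built manifest in place of the live output. The scope and redirect comparisons are exact on purpose, so an extra Graph permission or an unexpected redirect URI fails the check instead of passing unnoticed.

```python
"""Check an Entra ID app manifest against the Scenario 1 settings.
Constructed example, not part of the report: feed check_app() the JSON
from `az ad app show --id <appId>`; SAMPLE_MANIFEST below is hand-built."""
import json
from datetime import datetime, timezone

GRAPH_API = "00000003-0000-0000-c000-000000000000"
EXPECTED_SCOPES = {  # Microsoft Graph delegated ids added in step 3
    "37f7f235-527c-4136-accd-4a02d197296e",  # openid
    "14dad69e-099b-42c9-810b-d002981feec1",  # profile
    "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",  # email
}
CONSOLE_CALLBACK = ("https://console-openshift-console.apps.brcox-sm-dev-hc"
                    ".hcp-sm-azure.azure.devcluster.openshift.com/auth/callback")

# Hand-built stand-in for `az ad app show` output (Graph application schema)
SAMPLE_MANIFEST = {
    "displayName": "brcox-sm-oidc-test",
    "signInAudience": "AzureADMyOrg",
    "groupMembershipClaims": "SecurityGroup",
    "web": {"redirectUris": [CONSOLE_CALLBACK]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_API, "resourceAccess": [
        {"id": s, "type": "Scope"} for s in sorted(EXPECTED_SCOPES)]}],
    "passwordCredentials": [{"displayName": "oidc-test-secret",
                             "endDateTime": "2027-06-03T00:00:00Z"}],
}

def check_app(manifest: dict, now=None) -> dict[str, bool]:
    """One bool per check; exact set/list comparisons also catch over-reach."""
    now = now or datetime.now(timezone.utc)
    scopes = {a["id"] for r in manifest.get("requiredResourceAccess", [])
              if r.get("resourceAppId") == GRAPH_API
              for a in r.get("resourceAccess", []) if a.get("type") == "Scope"}
    ends = [datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
            for c in manifest.get("passwordCredentials", [])]
    return {
        "single_tenant": manifest.get("signInAudience") == "AzureADMyOrg",
        "secret_unexpired": any(end > now for end in ends),
        "graph_scopes_exact": scopes == EXPECTED_SCOPES,
        "groups_security_only": manifest.get("groupMembershipClaims") == "SecurityGroup",
        "redirect_console_only": manifest.get("web", {}).get("redirectUris") == [CONSOLE_CALLBACK],
    }

def check_sample(drift: bool = False) -> dict[str, bool]:
    """Run on the sample; drift=True injects two misconfigs a review should catch."""
    m = json.loads(json.dumps(SAMPLE_MANIFEST))  # deep copy
    if drift:
        m["groupMembershipClaims"] = "All"  # emits every group, bloats tokens
        m["web"]["redirectUris"].append("http://localhost:8080/auth/callback")
    return check_app(m, now=datetime(2026, 6, 10, tzinfo=timezone.utc))
```

Run against a live tenant by replacing SAMPLE_MANIFEST with `json.load()` of the `az ad app show` output; the fixed `now` in check_sample only keeps the sample result stable.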