Azure AD (Microsoft Entra ID) Configuration

To configure OneStream REST API to support Azure AD (Microsoft Entra ID) authentication, follow these steps:

1. Configure the REST API Application Registration in Azure AD (Microsoft Entra ID).

2. Set Up the Web Server Configuration in OneStream.

3. Configure the User in OneStream.

To enable single sign-on with Azure AD (Microsoft Entra ID) for the OneStream Desktop application, which includes the Windows Client application and the Excel Add-In, using OIDC protocol, see the Installation and Configuration Guide.

Configure the REST API Application Registration in Azure AD (Microsoft Entra ID)

To configure the REST API application registration, you need to copy the application (client) ID from Azure AD (Microsoft Entra ID) and paste it into the Web Server Configuration in OneStream.

1. Log in to your Azure AD account.

2. On the Home screen, click the App registrations icon.

3. On the App registrations page, click the + New registration tab.

4. On the Register an application page, complete the following fields:

   1. Enter a name for the application.

   2. For Supported account types, select Accounts in this organizational directory only.

5. Click the Register button.

6. On the page for the application, in the Manage list on the left, select Authentication.

7. In the Advanced settings, under Allow public client flows, set the Enable the following mobile and desktop flows option to Yes.

8. Click the Save button.

9. In the Manage list on the left, select Certificates & secrets.

10. In the Client secrets tab, click + New client secret.

11. In the Add a client secret dialog box, enter a description and select an expiration time in the drop-down menu. Click the Add button.

12. On the Certificates & secrets page, copy the value for the client secret.

    IMPORTANT: The client secret value may only be available to copy for a limited time, so copy it immediately after it is created.

13. In the Manage list on the left, select Expose an API.

14. In Scopes defined by this API, click + Add a scope.

15. In the Add a scope dialog box, the application ID URI is automatically generated. Click the Save and continue button.

    NOTE: You can add a scope in this dialog box if needed.

16. On the Expose an API page, copy the application ID URI.

Set Up the Web Server Configuration in OneStream

1. Open the OneStream Server Configuration Utility application.

2. Go to File > New Web Server Configuration File.

   NOTE: Alternatively, you can open an existing file to edit it.

3. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

   

4. In the User Name Lookup field, type aud to include this claim in the ordered lookups.

   NOTE: The claim aud indicates the intended audience for the token.

   

5. Click the ellipsis to the right of Azure Identity Provider.

   

6. In the Azure Identity Provider dialog box, in the REST API Settings section, complete the following fields :

   • OneStream Web Api Client ID: Enter the application (client) ID from Azure AD. See Configure the REST API Application Registration in Azure AD (Microsoft Entra ID) step 16.

     TIP: To view the application (client) ID in Azure AD, go to the page for the application and select Overview in the list on the left.

   • OneStream Web Api App Custom Scopes: Enter custom scopes, or leave as default (blank).

   

7. Click the OK button.

8. Save changes and reset IIS.

   NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Configure the User in OneStream

1. In the OneStream Desktop application, go to System > Security > Users > <user>.

2. In the Authentication properties, complete the following fields for REST API authentication through Azure AD.

   • External Authentication Provider: In the drop-down menu, select the Azure AD configuration.

   • External Provider User Name:  Enter the application (client) ID from Azure AD. See Configure the REST API Application Registration in Azure AD (Microsoft Entra ID) step 16.

     TIP: To view the application (client) ID in Azure AD, go to the page for the application and select Overview in the list on the left.

3. Click the Save icon.

Azure AD (Microsoft Entra ID) Endpoints

We support v2.0 Azure AD endpoints.

1. On Manifest, find accessTokenAcceptedVersion.

2. Set the value to 2.

   

3. Click Save.

Set Up Postman Access Token Requests

1. Create a new POST request. Set url to https://login.microsoftonline.com/{Tenant Id}/oauth2/v2.0/token with tenant ID value.

   TIP: To view the directory (tenant) ID in Azure AD, go to the page for the application and select Overview in the list on the left.

2. In the Authorization tab, select Basic Auth for type. In the Username and Password fields, enter the client ID and client secret from the application registration, respectively. See Configure the REST API Application Registration in Azure AD (Microsoft Entra ID) step 12.

   TIP: To view the application (client) ID in Azure AD, go to the page for the application and select Overview in the list on the left.

3. In the Headers tab, enter the following keys: 

   • Accept: application/json 

   • Authorization: Basic 

   • Content-Type: application/x-www-form-urlencoded

4. In Body, enter either option 1 or option 2: 

   1. Option 1:

      1. grant_type: client_credentials 

      2. scope: {AppId Uri}/.default for machine to machine use case 

   2. Option 2:

      1. grant_type: password

      2. username: {Azure ad user name}

      3. password: {Azure ad user password}

      4. scope: {custom scope}

5. Click Send and notice the value of access_token in the response.