Microsoft Entra Registered Application

Several Flowgear nodes use Microsoft OAuth authentication to connect to Microsoft cloud services on behalf of a user. Before you can authorize these connections in Flowgear, you may need to create an app registration in Microsoft Entra ID.

This article explains how to create a Microsoft Entra registered app and obtain the values required by Flowgear OAuth connection fields:

  • Tenant ID
  • Client ID
  • Client Secret

You will also configure the redirect URLs required for delegated Web OAuth authentication.

Prerequisites

You need access to the Microsoft Entra tenant where the app must be registered.

Your Microsoft account must have permission to register applications in the tenant. Microsoft typically requires an account with a role such as Application Developer, Application Administrator, or another administrator role with permission to manage app registrations.

Open the Microsoft Entra admin center

Sign in to the Microsoft Entra admin center.

If you have access to more than one tenant, make sure you are working in the tenant that will be used by Flowgear.

Register a new app

  1. In the Microsoft Entra admin center, browse to Entra ID > App registrations.

  2. Select New registration.

  3. Enter a name for the application, for example Flowgear OAuth.

  4. Under Supported account types, select the option that matches your requirements.

    For most Flowgear scenarios, select:

    Accounts in this organizational directory only

    This creates a single-tenant application for use within your Microsoft Entra tenant.

  5. Under Redirect URI, select Web.

  6. Add the Flowgear delegated Web redirect URLs listed below.

  7. Select Register.

Add Flowgear delegated Web redirect URLs

In the app registration, configure the following redirect URLs as Web redirect URIs.

https://app.flowgear.net/r/auth
https://appnext.flowgear.net/r/auth

These redirect URLs allow Microsoft to return the OAuth authorization response to Flowgear after the user signs in and grants consent.

If the redirect URLs are not added exactly as required, the OAuth authorization flow may fail with a redirect URI mismatch error.

Copy the Tenant ID and Client ID

After registering the app, Microsoft displays the app registration Overview page.

Copy the following values:

| Microsoft field | Flowgear field |
| --- | --- |
| Directory (tenant) ID | Tenant ID |
| Application (client) ID | Client ID |

Keep these values available. You will enter them into the relevant Flowgear connection.

Create a client secret

  1. In the app registration, open Certificates & secrets.
  2. Select Client secrets.
  3. Select New client secret.
  4. Enter a description, for example Flowgear.
  5. Select an expiry period that matches your organization's security policy.
  6. Select Add.
  7. Copy the generated Value immediately.

The client secret value is only shown once. If you leave the page without copying it, you must create a new client secret.

Use the copied secret value in the Flowgear Client Secret field.

Add API permissions

The required API permissions depend on the Flowgear node and the Microsoft service being accessed. For example, a node that connects to Microsoft Graph may require different permissions from a node that connects to Dynamics, SharePoint, OneDrive, or Exchange.

To add permissions:

  1. In the app registration, open API permissions.
  2. Select Add a permission.
  3. Choose the API required by the Flowgear node, such as:
    • Microsoft Graph
    • Dynamics 365
    • SharePoint
    • Another Microsoft API listed by the node documentation
  4. Choose the permission type required by the node:
    • Delegated permissions are used when Flowgear connects on behalf of a signed-in user.
    • Application permissions are used when the app connects without a signed-in user, if supported by the node.
  5. Select the specific permissions required by the node.
  6. Select Add permissions.

For delegated OAuth flows, the user may be prompted to consent when authorizing the connection in Flowgear.

If your organization requires administrator approval, an administrator must grant consent before the OAuth flow can complete successfully.

Some permissions require administrator consent.

To grant consent:

  1. In the app registration, open API permissions.
  2. Review the configured permissions.
  3. Select Grant admin consent for <tenant name>.
  4. Confirm the action.
  5. Verify that the permission status shows consent has been granted.

If admin consent is not granted for permissions that require it, authorization may fail or Flowgear may receive an access token that does not have sufficient permissions.

Configure the Flowgear connection

In Flowgear, open the connection for the relevant Microsoft node and enter the values from the app registration:

| Flowgear field | Microsoft Entra value |
| --- | --- |
| Tenant ID | Directory (tenant) ID |
| Client ID | Application (client) ID |
| Client Secret | Client secret Value |

After saving the connection, start the OAuth authorization flow from the Flowgear connection. Microsoft will prompt the user to sign in and consent to the requested permissions.

When authorization completes successfully, Flowgear stores the OAuth tokens required by the connection.

Troubleshooting

Redirect URI mismatch

Confirm that all Flowgear delegated Web redirect URLs have been added to the app registration as Web redirect URIs.

The redirect URL must match exactly.

Invalid client secret

Confirm that the value entered in Flowgear is the client secret Value, not the secret ID.

If the secret value was not copied when it was created, create a new client secret.

Confirm that the required API permissions have been added to the app registration.

If the permission requires administrator consent, ask a Microsoft Entra administrator to grant admin consent for the tenant.

Wrong tenant

Confirm that the Tenant ID in Flowgear matches the Microsoft Entra tenant where the app registration was created.
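
The settings configured in this article (exact Web redirect URLs, single-tenant account type, client secret expiry) can be checked against an exported app registration before troubleshooting in Flowgear. The following Python is an added example, not Flowgear or Microsoft code. It assumes the registration is available as a Microsoft Graph `application` object in JSON; the function name, the 180-day secret limit and the sample data are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Redirect URLs this article requires on the Web platform.
REQUIRED = {"https://app.flowgear.net/r/auth", "https://appnext.flowgear.net/r/auth"}

def audit_registration(app, now, max_secret_days=180):
    """Return findings for a Microsoft Graph `application` object given as a dict.
    max_secret_days is an assumed policy value; use your organization's own."""
    findings = []
    uris = app.get("web", {}).get("redirectUris", [])
    for missing in sorted(REQUIRED - set(uris)):
        findings.append(f"missing Web redirect URI: {missing}")
    lowered = {r.lower() for r in REQUIRED}
    for uri in uris:
        if uri in REQUIRED:
            continue
        # The URL must match exactly: a trailing slash or case change is a mismatch.
        if uri.rstrip("/").lower() in lowered:
            findings.append(f"near-miss redirect URI, will not match: {uri}")
        else:
            findings.append(f"extra redirect URI to review: {uri}")
    audience = app.get("signInAudience")
    if audience != "AzureADMyOrg":  # value Graph reports for single-tenant apps
        findings.append(f"not single-tenant: signInAudience={audience}")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret present")
    for cred in secrets:
        # Graph timestamps are UTC; parse to the second and ignore any fraction.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days = (end.replace(tzinfo=timezone.utc) - now).days
        name = cred.get("displayName") or cred.get("keyId")
        if days < 0:
            findings.append(f"client secret '{name}' has expired")
        elif days > max_secret_days:
            findings.append(f"client secret '{name}' lasts {days} days, over policy")
    return findings

# Constructed sample, not a real registration.
SAMPLE = json.loads("""{
  "displayName": "Flowgear OAuth",
  "signInAudience": "AzureADMultipleOrgs",
  "web": {"redirectUris": ["https://app.flowgear.net/r/auth",
                           "https://appnext.flowgear.net/r/auth/"]},
  "passwordCredentials": [{"displayName": "Flowgear",
                           "endDateTime": "2027-01-01T00:00:00Z"}]
}""")

if __name__ == "__main__":
    for line in audit_registration(SAMPLE, datetime(2025, 1, 1, tzinfo=timezone.utc)):
        print(line)
```

Multi-tenant registrations and extra redirect URIs are reported for review rather than as errors, since this article recommends the single-tenant option only for most scenarios.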

Suggested cross-reference text for node articles

Before configuring this connection, create a Microsoft Entra registered app and copy the Tenant ID, Client ID, and Client Secret. For steps, see **Create a Microsoft Entra registered app for OAuth authentication**.