In the Azure portal, under your Microsoft Entra ID tenant, select App registrations
Click New registration to create a new application registration
Give the application a meaningful name and add a Redirect URI of type Web whose value is the URL of your site followed by /umbraco-microsoft-signin/
Within that application registration select Authentication and ensure Access Tokens is checked
Then under Certificates & secrets select + New client secret and create a new secret. Copy the value of the new secret immediately (it is only displayed once) and save it for insertion into appSettings.json later, as the value of ClientSecret
Under Token configuration, select Add optional claim, select ID and check email; when prompted, accept the permissions request
Then select Add groups claim, check Security groups and select NetBIOSDomain\sAMAccountName under each of ID, Access and SAML
It should now look something like this:
The API permissions tab should look like this; no changes are required
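As an added example (not code from the Umbraco sign-in package), the following C# check can be run against the ClaimsPrincipal produced by the Microsoft sign-in to confirm the ID token carries what the steps above configure: the expected tenant, the email optional claim, and security groups in NetBIOSDomain\sAMAccountName form rather than object IDs. It assumes inbound claim-type mapping is disabled so claim names arrive as issued ("tid", "email", "groups"); the expected tenant ID is a constructed placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.RegularExpressions;

public static class EntraClaimsCheck
{
    // NetBIOS domain names are at most 15 characters; the part after the backslash is the sAMAccountName.
    static readonly Regex NetBiosGroup = new(@"^[^\\/:*?""<>|]{1,15}\\[^\\/:*?""<>|]{1,256}$");

    // Returns a list of problems found; an empty list means the token matches the configuration above.
    public static IReadOnlyList<string> Validate(ClaimsPrincipal principal, string expectedTenantId)
    {
        var problems = new List<string>();

        // Reject tokens issued by a directory other than the one the app is registered in.
        var tid = principal.FindFirst("tid")?.Value;
        if (!string.Equals(tid, expectedTenantId, StringComparison.OrdinalIgnoreCase))
            problems.Add("tid claim is missing or does not match the expected tenant");

        // The email optional claim added under Token configuration.
        if (string.IsNullOrEmpty(principal.FindFirst("email")?.Value))
            problems.Add("email claim is missing (check Token configuration > Add optional claim)");

        // Entra omits the groups claim and emits _claim_names instead when the user is in too many groups.
        if (principal.HasClaim(c => c.Type == "_claim_names"))
            problems.Add("groups overage: groups were not embedded in the token and must be fetched separately");

        var groups = principal.FindAll("groups").Select(c => c.Value).ToList();
        if (groups.Count == 0 && !principal.HasClaim(c => c.Type == "_claim_names"))
            problems.Add("groups claim is missing (check Add groups claim > Security groups)");

        foreach (var g in groups)
        {
            // A GUID here means the claim was left at its default (object ID) rather than NetBIOSDomain\sAMAccountName.
            if (Guid.TryParse(g, out _))
                problems.Add($"group '{g}' is an object ID; NetBIOSDomain\\sAMAccountName was not selected for this token type");
            else if (!NetBiosGroup.IsMatch(g))
                problems.Add($"group '{g}' is not in NetBIOSDomain\\sAMAccountName form");
        }
        return problems;
    }

    public static void Main()
    {
        // Constructed sample principal: correct tenant and email, one well-formed group and one object-ID group.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("tid", "00000000-0000-0000-0000-000000000000"), // placeholder tenant ID
            new Claim("email", "editor@example.com"),
            new Claim("groups", @"CONTOSO\Umbraco-Editors"),
            new Claim("groups", "11111111-2222-3333-4444-555555555555"),
        }, "test");
        foreach (var p in Validate(new ClaimsPrincipal(identity), "00000000-0000-0000-0000-000000000000"))
            Console.WriteLine(p);
    }
}
```

With the constructed principal the check reports only the object-ID group, which is the symptom seen when the groups claim was not set to NetBIOSDomain\sAMAccountName for that token type.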
Azure AAD displays the message:
Your administrator has configured the application application name ('xxxx') to block users unless they are specifically granted ('assigned') access to the application
This means the application is configured to deny access to users who have not been explicitly assigned to it. Instructions on how to grant users or groups access to the application can be found on Microsoft Learn under "manage users and groups assignment to an application"
Azure AAD returns the message:
No reply address provided.
The Redirect URI is not optional. If working with SSO in multiple environments, configure multiple Redirect URIs within the App Registration, one for each environment. More information on Redirect URIs can be found on Microsoft Learn under "Redirect URI (reply URL) outline and restrictions".