From 863846a5b1622e1a0de85607612eca286b73c8be Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 15 Jul 2026 13:24:27 +0200 Subject: [PATCH 1/2] docs: improve uif entra docs --- .../opa/pages/usage-guide/user-info-fetcher.adoc | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc b/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc index 6f4eb5c0..07b99140 100644 --- a/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc +++ b/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc @@ -191,7 +191,17 @@ NOTE: The Entra backend was marked as non-experimental in SDP 26.3.0. Fetch groups but not roles for a user from Entra. -NOTE: The client in Entra must use the `client_credentials` flow and requires the `User.ReadAll` and `GroupMemberShip.ReadAll` permissions. +The client in Entra must use the `client_credentials` flow and requires the `User.Read.All` and `GroupMember.Read.All` permissions. +To grant these, open your app registration in the Entra portal and, under menu:API permissions[Add a permission > Microsoft Graph], select *Application permissions* (not *Delegated permissions*). +Add `User.Read.All` and `GroupMember.Read.All`. + +IMPORTANT: Application permissions require administrator consent. After adding the permissions, click btn:[Grant admin consent for ]. Without this, the `client_credentials` flow fails with an authorization error even though the permissions are listed. + +The values used in the configuration below can be found in the Entra portal as follows: + +* `tenantId`: the *Directory (tenant) ID* on the app registration's *Overview* page. +* `clientId`: the *Application (client) ID* on the app registration's *Overview* page. +* `clientSecret`: create one under menu:Certificates & secrets[Client secrets > New client secret] and copy its *Value* (not the *Secret ID*). [source,yaml] ---- From 0d299e3c0924d72c619d8f77135f4364de1d0bc2 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 15 Jul 2026 13:30:36 +0200 Subject: [PATCH 2/2] fix: replace macros with bold text for UI labels --- docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc b/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc index 07b99140..7eb9b212 100644 --- a/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc +++ b/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc @@ -192,16 +192,16 @@ NOTE: The Entra backend was marked as non-experimental in SDP 26.3.0. Fetch groups but not roles for a user from Entra. The client in Entra must use the `client_credentials` flow and requires the `User.Read.All` and `GroupMember.Read.All` permissions. -To grant these, open your app registration in the Entra portal and, under menu:API permissions[Add a permission > Microsoft Graph], select *Application permissions* (not *Delegated permissions*). -Add `User.Read.All` and `GroupMember.Read.All`. +To grant these, open your app registration in the Entra portal and go to *API permissions*, then *Add a permission* and *Microsoft Graph*. +Select *Application permissions* (not *Delegated permissions*) and add `User.Read.All` and `GroupMember.Read.All`. -IMPORTANT: Application permissions require administrator consent. After adding the permissions, click btn:[Grant admin consent for ]. Without this, the `client_credentials` flow fails with an authorization error even though the permissions are listed. +IMPORTANT: Application permissions require administrator consent. After adding the permissions, click *Grant admin consent for *. Without this, the `client_credentials` flow fails with an authorization error even though the permissions are listed. The values used in the configuration below can be found in the Entra portal as follows: * `tenantId`: the *Directory (tenant) ID* on the app registration's *Overview* page. * `clientId`: the *Application (client) ID* on the app registration's *Overview* page. -* `clientSecret`: create one under menu:Certificates & secrets[Client secrets > New client secret] and copy its *Value* (not the *Secret ID*). +* `clientSecret`: create one under *Certificates & secrets*, then *Client secrets*, then *New client secret*, and copy its *Value* (not the *Secret ID*). [source,yaml] ----