Allow SmartHub to accept authentication tokens from other Azure app registrations
SmartHub supports token exchange, which lets SmartHub accept authentication tokens issued for another Microsoft Entra ID (Azure) app registration. There are a number of use cases for this functionality. For example:
- The chat UI application uses a different Microsoft Entra ID app registration for authentication than the one configured in SmartHub.
- You already have a token issued for another app registration and want to use it, rather than obtaining a new SmartHub-dedicated token.
Prerequisites
- Your SmartHub instance must already have an app registration that was created and configured for SmartHub. For more information, see set access and user authentication for SmartHub with Azure Cognitive Search.
- You must have two app registrations in Azure: your original SmartHub app registration and your secondary app registration. This allows the secondary app to request an access token for the original SmartHub app on behalf of a user. For more information on registering an additional app, see Registering the additional app for token exchange below.
Registering the additional app for token exchange
If you already have an existing secondary app registration, you can skip this section.
Register the secondary app in Microsoft Entra ID
- Log in to the Azure Portal and navigate to Microsoft Entra ID.
- In the left panel, select Manage > App registrations > New registration.
- Complete the following:
  - In the Name field, provide a name for your registration. For example, "Secondary app".
  - In the Supported account types field, select the appropriate option depending on whether this will be a single-tenant or multi-tenant app.
  - In the Redirect URI field, select a platform and enter a redirect URI. For example, https://localhost if you are testing locally. For production, register only the exact redirect URIs your application uses, because tokens and authorization codes are delivered to whatever URIs are listed here.
- Click Register.
Configure API Permissions for your secondary app
- In the secondary app registration, go to API Permissions > Add a permission.
- Add the required SmartHub permissions. See set access and user authentication for SmartHub with Azure Cognitive Search for more information.
- Under Configured permissions, click Grant admin consent to allow the app to use these permissions.
- If you are using your secondary app to request an access token for the original SmartHub app on behalf of a user, do not add the permissions for your original SmartHub app here. The original app's exposed scope is added to the secondary app later, under Configuring the token exchange, once that scope exists.
Configuring the token exchange
Expose API permissions for your original SmartHub app
- In your original SmartHub app registration, click Expose an API.
- Click Set to create an Application ID URI if prompted (it will be in the format api://<client_id>).
- Under Scopes defined by this API, click Add a scope.
- Complete the following:
  - In the Scope name field, enter a name. For example, "access_as_user".
  - In the Who can consent? field, select Admins and users.
  - In the Admin consent display name field, enter a display name. For example, "Access original SmartHub app on behalf of the user".
  - In the Admin consent description field, enter a description. For example, "Allow the secondary app to call the original SmartHub app on behalf of the signed-in user".
  - In the State field, select Enabled.
- Click Add scope.
Grant API Permissions for your original SmartHub app
- In your original SmartHub app, go to API Permissions > Add a permission.
- Select My APIs and choose your original SmartHub app.
- Select the scope you created (for example, access_as_user) and click Add permissions.
- Click Grant admin consent for the added permission.
Configure your secondary app to use your original SmartHub app’s API
- In the secondary app, go to API Permissions > Add a permission.
- Select My APIs (or APIs my organization uses).
- Find and select your original SmartHub app.
- Select the scope you created earlier (for example, access_as_user) and click Add permissions.
- Click Grant admin consent if required.
Finally, in SmartHub, add your secondary app under Trusted App Registrations on the Security Configuration page. SmartHub accepts tokens obtained through any app registration listed there as authenticating the user, so add only registrations that you control.
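The following is an added example, not code from the SmartHub documentation or product: it performs the on-behalf-of (OBO) exchange that the registration steps above make possible. The secondary app (for example the chat UI) trades the user's token for one whose audience is the original SmartHub app and the access_as_user scope, then inspects the returned claims before sending the token to SmartHub. The tenant ID, client IDs, client secret and the sample tokens are placeholders constructed for the example; only the scope name access_as_user comes from the steps above.

```python
"""Added example, not part of the SmartHub documentation or product code.

Performs the OBO exchange set up by the steps above and sanity-checks the
result. All IDs and secrets are placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def token_endpoint(tenant_id: str) -> str:
    """Microsoft identity platform v2.0 token endpoint for the tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_obo_request(tenant_id, secondary_client_id, secondary_client_secret,
                      user_token, original_client_id, scope_name="access_as_user"):
    """Return (url, form) for the OBO exchange.

    user_token is the access token the user obtained for the secondary app.
    The form asks Entra ID for a token scoped to the original SmartHub app's
    exposed scope, which is why the secondary app needs that delegated
    permission (and admin consent) in the steps above.
    """
    form = {
        "grant_type": JWT_BEARER_GRANT,
        "client_id": secondary_client_id,
        "client_secret": secondary_client_secret,
        "assertion": user_token,
        "scope": f"api://{original_client_id}/{scope_name}",
        "requested_token_use": "on_behalf_of",
    }
    return token_endpoint(tenant_id), form


def exchange_token(tenant_id, secondary_client_id, secondary_client_secret,
                   user_token, original_client_id, scope_name="access_as_user"):
    """POST the OBO request and return the new access token (network call)."""
    url, form = build_obo_request(tenant_id, secondary_client_id,
                                  secondary_client_secret, user_token,
                                  original_client_id, scope_name)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    This is for inspecting what the exchange returned; it is not a security
    check. SmartHub, as the resource, must verify the signature against the
    tenant's signing keys before trusting any claim.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_targets_smarthub(claims, tenant_id, original_client_id,
                           scope_name="access_as_user", now=None):
    """True when the token is for the original SmartHub app in this tenant,
    carries the exposed delegated scope and has not expired.

    aud may be the bare client ID (v2.0 tokens) or the api:// Application ID
    URI (v1.0 tokens), so both forms are accepted.
    """
    now = time.time() if now is None else now
    aud_ok = claims.get("aud") in (original_client_id, f"api://{original_client_id}")
    tid_ok = claims.get("tid") == tenant_id
    scp_ok = scope_name in claims.get("scp", "").split()
    exp_ok = claims.get("exp", 0) > now
    return aud_ok and tid_ok and scp_ok and exp_ok


def make_sample_token(claims: dict) -> str:
    """CONSTRUCTED, unsigned JWT-shaped string for offline demonstration only.

    The signature segment is a placeholder, so any resource that verifies
    signatures (as SmartHub must) would reject it.
    """
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{seg(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Offline walk-through with placeholder IDs; substitute real values and
    # call exchange_token() to perform the live exchange.
    tenant, original, secondary = "tenant-guid", "original-guid", "secondary-guid"
    url, form = build_obo_request(tenant, secondary, "secret", "user.access.token", original)
    print("POST", url, "scope:", form["scope"])
    exp = int(time.time()) + 3600
    good = make_sample_token({"aud": original, "tid": tenant, "scp": "access_as_user", "exp": exp})
    wrong = make_sample_token({"aud": secondary, "tid": tenant, "scp": "access_as_user", "exp": exp})
    print("token for SmartHub app:", token_targets_smarthub(decode_claims(good), tenant, original))
    print("token for secondary app:", token_targets_smarthub(decode_claims(wrong), tenant, original))
```

The second print shows the failure mode the trusted-app configuration exists to handle: a token whose audience is still the secondary app was never exchanged and would not be accepted as a token for the original SmartHub app, so check aud, tid and scp on the client side before debugging SmartHub's configuration.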