
Microsoft Entra ID SSO Setup Guide - Custom app

Updated yesterday

Overview

This guide is intended to help you set up Reclaim.ai for OIDC authentication via Microsoft Entra ID using a custom app registration.

Note: For most organizations, a custom application is not required. Reclaim.ai offers a native Microsoft integration that uses OIDC for secure authentication. The native integration allows administrators to manage application consent and restrict access to specific users or groups via the Entra ID portal. However, if your security policy requires a dedicated custom application, this guide walks you through the manual setup process. Keep in mind that if you decide to use a custom app, you will need to contact us every time the application secret is rotated so that we can update the record on our end.

If you require assistance beyond this guide, please reach out to your Reclaim.ai representative or contact our support team via Reclaim.ai Support or [email protected].


Step 1: Register the Application

  1. Sign in to the Microsoft Entra admin center (2026 version) as an Application Developer or Cloud Application Administrator.

  2. Navigate to Identity > Applications > App registrations.

  3. Select + New registration.

  4. Enter a Name (e.g., "Reclaim.ai OIDC").

  5. Under Supported account types, select Accounts in this organizational directory only (Single tenant).

  6. Under Redirect URI, select Web from the dropdown and enter the Callback URL provided by your Reclaim.ai representative, which will look like https://api.app.reclaim.ai/oauth/callback/sso-{companyslug}.

  7. Click Register.

Step 2: Generate a Client Secret

  1. Within your new app registration, navigate to Manage > Certificates & secrets.

  2. Select the Client secrets tab and click + New client secret.

  3. Add a description (e.g., "Reclaim OIDC Secret") and select an expiration period. Click Add.

  4. Important: Copy the Value of the secret immediately. This is the only time it will be visible. You will need this for the Reclaim.ai configuration.

  5. Important: The maximum expiration time allowed is 2 years; before the expiration date, you will need to generate a new secret and provide it to Reclaim to guarantee uninterrupted service.

Step 3: Configure Token Claims

  1. Navigate to Manage > Token configuration.

  2. Click + Add optional claim.

  3. Select ID as the token type.

  4. From the list, select email, given_name, and family_name (only email is required). This ensures Reclaim.ai can correctly identify and name users during login.

  5. Click Add. If prompted to "Turn on the Microsoft Graph email, profile permission," check the box and click Add.

Step 4: Set API Permissions

  1. Navigate to Manage > API permissions.

  2. Click + Add a permission and select Microsoft Graph.

  3. Select Delegated permissions.

  4. Ensure the following are checked: email, openid, profile, and User.Read.

  5. After adding them, click Grant admin consent for [Your Company Name] to ensure users aren't prompted for consent individually.

Step 5: Finalize Connection Details

  1. Navigate back to the Overview page of your app registration.

  2. Copy the Application (client) ID.

  3. Click the Endpoints button at the top of the page.

  4. Locate and copy the OpenID Connect metadata document URL (e.g., login.microsoftonline.com/{tenant-id}).
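As an added example (not Reclaim.ai or Microsoft code), the Python below checks a decoded ID token against the settings made in Steps 1, 3 and 5 and flags when the Step 2 secret is due for rotation; the tenant ID, client ID and claims are constructed sample values, and the metadata URL uses the standard v2.0 well-known endpoint path.

```python
"""Sanity checks for the Entra ID OIDC setup described in this guide.
Added example, not Reclaim.ai or Microsoft code. Runs offline against a
constructed set of decoded ID-token claims; JWT signature verification is
out of scope (the relying party does that against the tenant's JWKS)."""
from datetime import datetime, timedelta, timezone

REQUIRED_CLAIMS = ("email",)  # Step 3: only email is mandatory

def metadata_url(tenant_id: str) -> str:
    """OpenID Connect metadata document for a single tenant (v2.0 endpoint)."""
    return (f"https://login.microsoftonline.com/{tenant_id}"
            "/v2.0/.well-known/openid-configuration")

def check_id_token_claims(claims: dict, tenant_id: str, client_id: str,
                          now: datetime) -> list:
    """Return problems found; an empty list means the token fits this setup."""
    problems = []
    # Single-tenant app (Step 1): issuer and tid must name our tenant, not 'common'.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the tenant")
    # Audience must be the Application (client) ID copied in Step 5.
    if claims.get("aud") != client_id:
        problems.append("aud does not match the client ID")
    exp = claims.get("exp")  # seconds since the epoch
    if exp is None or datetime.fromtimestamp(exp, tz=timezone.utc) <= now:
        problems.append("token is expired or has no exp")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"required claim {name!r} missing (Step 3)")
    return problems

def secret_rotation_due(expires_at: datetime, now: datetime, lead_days: int = 30) -> bool:
    """Step 2: the secret expires (2 years max); flag when a new one is due."""
    return now >= expires_at - timedelta(days=lead_days)

# Constructed sample values, not real identifiers.
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "66666666-7777-8888-9999-000000000000"
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SECRET_EXPIRES = datetime(2027, 9, 1, tzinfo=timezone.utc)
GOOD = {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "tid": TENANT,
        "aud": CLIENT, "exp": int((NOW + timedelta(hours=1)).timestamp()),
        "email": "jane.doe@example.com", "given_name": "Jane", "family_name": "Doe"}
MISSING_EMAIL = {k: v for k, v in GOOD.items() if k != "email"}

if __name__ == "__main__":
    print(check_id_token_claims(MISSING_EMAIL, TENANT, CLIENT, NOW))
```

A token that passes with an empty problem list but lacks given_name or family_name still logs the user in; only the email claim is required by this guide.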

Step 6: Provide Details to Reclaim.ai

To complete the setup, provide the following information securely to your Reclaim.ai representative:

  • Client ID

  • Client Secret

  • OIDC Metadata URL (or the Issuer URL/Tenant ID)

Those are all the steps you need. If you need further assistance, please reach out to your Reclaim.ai representative or contact our support team via Reclaim.ai Support or [email protected].
