This guide explains how to configure Microsoft Entra ID (formerly Azure Active Directory) as the identity provider for ServiceControl and ServicePulse.
Prerequisites
- Administrator permissions on the Microsoft Entra ID tenant
- ServiceControl 6.9.0 or later
- ServicePulse 2.5.0 or later
Overview
Two app registrations are required in Microsoft Entra ID:
- ServiceControl API - Represents the ServiceControl API that ServicePulse will call
- ServicePulse - Represents the ServicePulse single-page application that users sign into
Step 1: Register the ServiceControl API
Follow Microsoft's guide to register an application with the following settings:
| Setting | Value |
|---|---|
| Name | ServiceControl API |
| Supported account types | Accounts in this organizational directory only (single tenant) |
After registration, collect these values from the app registration:
| Value | Location | Used for |
|---|---|---|
| Directory (tenant) ID | Overview page | Authority URLs |
| Application ID URI | Expose an API | Authentication. setting |
Expose the API
Follow Microsoft's guide to expose a web API and add a scope with these settings:
| Setting | Value |
|---|---|
| Application ID URI | Accept the default (api:/) |
| Scope name | api. |
| Who can consent | Admins and users |
| Admin consent display name | Full access to ServiceControl API |
| Admin consent description | Allows ServicePulse to call ServiceControl |
Step 2: Register ServicePulse
Follow Microsoft's guide to register an application with the following settings:
| Setting | Value |
|---|---|
| Name | ServicePulse |
| Supported account types | Accounts in this organizational directory only (single tenant) |
| Redirect URI - Platform | Single-page application (SPA) |
| Redirect URI - URI | The URL where ServicePulse is hosted (e.g., https:/) |
After registration, collect this value:
| Value | Location | Used for |
|---|---|---|
| Application (client) ID | Overview page | Authentication. setting |
Redirect URIs must use HTTPS in production. HTTP is only acceptable for local development. If ServicePulse is accessed from multiple URLs, add each as a redirect URI under Manage > Authentication.
Grant API permissions
Follow Microsoft's guide to configure a client application to access a web API:
- In the ServicePulse app registration, go to API permissions
- Add a permission for ServiceControl API (under My APIs)
- Select the api.access delegated permission
Step 3: Configure ServiceControl
Use the collected values to configure ServiceControl. For Entra ID, the authority URLs follow this pattern:
- ServiceControl authority: https://login.microsoftonline.com/{tenant-id}
- ServicePulse authority: https://login.microsoftonline.com/{tenant-id}/v2.0
The following table summarizes how Entra ID values map to ServiceControl settings:
| Entra ID value | ServiceControl setting |
|---|---|
| Directory (tenant) ID | Used in Authentication. URL |
| Application ID URI | Authentication. |
| Application ID URI + / | Authentication. |
| ServicePulse Application (client) ID | Authentication. |
See Authentication Configuration for all settings and configuration examples, including App.config and environment variable formats.
All ServiceControl instances (Primary, Audit, and Monitoring) must be configured with the same authority and audience values. ServicePulse settings are only required on the Primary instance.
Verify the configuration
After configuring ServiceControl, restart all instances. When accessing ServicePulse:
- The browser should redirect to the Microsoft sign-in page
- After signing in, ServicePulse should load and display data from ServiceControl
If authentication fails, check the ServiceControl logs for token validation errors.
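When the logs point at a token validation error, it helps to see what the access token actually carries. The following is an added example, not part of the ServiceControl documentation or code base: it decodes a token payload without verifying the signature and compares the tid, aud, scp and exp claims with the values collected in Steps 1 and 2. The tenant ID, Application ID URI and sample token are constructed placeholders, and all function names are hypothetical.

```python
import base64
import json
import time

def authorities(tenant_id):
    """Authority URLs in the pattern this guide gives for Entra ID."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {"servicecontrol": base, "servicepulse": base + "/v2.0"}

def decode_claims(jwt):
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Diagnostic use only; ServiceControl performs the real validation."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, tenant_id, audience, scope="api.access", now=None):
    """List the mismatches between token claims and the configured values."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} is not the configured tenant")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not match audience {audience!r}")
    if scope not in claims.get("scp", "").split():  # scp is space-separated
        problems.append(f"scp {claims.get('scp')!r} lacks {scope!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

# Constructed placeholders, not real tenant or application values.
TENANT = "11111111-1111-1111-1111-111111111111"
AUDIENCE = "api://22222222-2222-2222-2222-222222222222"

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    good = {"tid": TENANT, "aud": AUDIENCE, "scp": "api.access", "exp": time.time() + 300}
    print(authorities(TENANT))
    print(check_claims(decode_claims(make_sample_token(good)), TENANT, AUDIENCE))
```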