~10 minutes
Set up OpenID Connect sign-in against Microsoft Entra ID (formerly Azure AD). Once configured, members whose email matches your tenant's domain land on the Microsoft sign-in flow automatically.
Sign in to the Microsoft Entra admin center at entra.microsoft.com. If you have access to more than one tenant, use the Settings icon to switch to the right one before continuing.
In the left navigation, open Entra ID → App registrations and click "New registration". Give the app a name such as "Wando", then choose the account type — "Single tenant" is the right answer for almost every business deployment.
Under "Redirect URI", choose the "Web" platform and paste the URL below. This is the address Microsoft will send the user back to after sign-in. Click "Register" to create the app.
https://www.wando.tromb.com/api/auth/callback/<your-provider-id>
Replace `<your-provider-id>` with the slug you will use in Wando (e.g. "entra-acme"). You set this in step 7.
You will see the new app's Overview page. Copy the "Application (client) ID" and "Directory (tenant) ID" — Wando needs both.
In the left menu of the app, open "Certificates & secrets" → "Client secrets" → "New client secret". Pick an expiry that suits your rotation policy and click "Add". Copy the secret VALUE (not the ID) immediately — it is shown only once.
Open "API permissions". Microsoft Graph → "User.Read" is added by default, which is what we need for sign-in. If you are configuring an external tenant, click "Grant admin consent for <tenant>" so users do not have to consent individually.
Wando uses the OIDC discovery endpoint to find the rest of the configuration automatically. The URL pattern for Entra is:
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
Send your values to your Wando contact
Send the values below to your Wando contact. They will wire them into your organisation's SSO config and confirm when the provider is live for your users to sign in with.
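Before sending the values, you can sanity-check the tenant ID and the discovery document it points to. The sketch below is an added example, not Wando's or Microsoft's code: it builds the discovery URL from the pattern above and checks that a parsed discovery document names the same tenant as issuer and keeps its endpoints on login.microsoftonline.com. The function names, the tenant GUID and both sample documents are constructed for illustration.

```python
import re
from urllib.parse import urlparse

AUTHORITY = "https://login.microsoftonline.com"  # host from the URL pattern above
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def discovery_url(tenant_id):
    """Build the discovery URL; accept only a Directory (tenant) ID GUID."""
    tenant_id = tenant_id.strip().lower()
    # Aliases such as "common" or "organizations" are not tenant-specific,
    # so they do not fit a "Single tenant" registration.
    if not GUID_RE.fullmatch(tenant_id):
        raise ValueError(f"not a tenant GUID: {tenant_id!r}")
    return f"{AUTHORITY}/{tenant_id}/v2.0/.well-known/openid-configuration"

def check_discovery(doc, tenant_id):
    """Return a list of problems in a parsed discovery document (empty = OK)."""
    tenant_id = tenant_id.strip().lower()
    problems = []
    expected = f"{AUTHORITY}/{tenant_id}/v2.0"
    # OIDC Discovery requires the issuer to match the URL the document came from.
    if doc.get("issuer") != expected:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlparse(doc.get(key) or "")
        if url.scheme != "https" or url.hostname != urlparse(AUTHORITY).hostname:
            problems.append(f"{key} is missing or not https on the expected host")
    return problems

# Constructed sample data: the GUID and both documents are made up.
TENANT = "11111111-2222-3333-4444-555555555555"
GOOD_DOC = {
    "issuer": f"{AUTHORITY}/{TENANT}/v2.0",
    "authorization_endpoint": f"{AUTHORITY}/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AUTHORITY}/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{AUTHORITY}/{TENANT}/discovery/v2.0/keys",
}
# Same shape, but the issuer names a different tenant and jwks_uri is absent.
BAD_DOC = dict(GOOD_DOC, issuer=f"{AUTHORITY}/99999999-2222-3333-4444-555555555555/v2.0")
del BAD_DOC["jwks_uri"]

if __name__ == "__main__":
    print(discovery_url(TENANT))
    print(check_discovery(GOOD_DOC, TENANT))
    print(check_discovery(BAD_DOC, TENANT))
```

To check a real tenant, fetch the URL returned by `discovery_url()` and pass the parsed JSON to `check_discovery()` together with the "Directory (tenant) ID" you copied from the Overview page.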