Azure SSO setup for mobile

Updated 4 months ago by Leigh Hutchens

  1. Login to Microsoft Azure.
  2. Navigate to "Enterprise applications" menu.
  3. Click "Create new application" and then "Create your own application". Enter the name of the application, for example “Quinyx Mobile“, and choose the third option, as shown in the image below:
  1. Navigate to "Enterprise Applications" > "Consent and permissions" > "Permissions and classifications". Add Microsoft Graph permissions, and the result should be the same as displayed on the image below:
Be sure all 5 displayed permissions from the image are added.
  1. Navigate to "Azure Active Directory" > "App registrations", and click on the application you created in step 3. Click "API permissions" in the sub menu, and approve all permissions added in the previous step. Permission view should look like the image below. Click "Grant admin consent" for Default Directory and confirm it:
  1. Click on the "Certificates and secrets" sub menu, and click "New client secret". Add a description to the new key, and set the desired expiration period, which can be any, as long you are sure it's active and you don’t forget to create a new one when the expiration date approaches. When the key is created, copy its "Value", and store it somewhere until its copied to "Customer Mobile Oauth Configuration" in Quinyx in the "Client Secret" field:
  1. Navigate to Authentication sub menu and under "Web Redirect URLs" enter the URL, like where customerNameInQuinyx should be the unique customer name in the Quinyx app, without spaces. That URL should be copied to “Customer Mobile Oauth Configuration” in Quinyx in the "Redirect URL" field. If you need to setup multiple environments for the same customer the same Redirect URL can be used:
  1. Now in the sub menu, click "Overview", and you'll see the "Endpoint" button. Click it, and the sidebar on the right will open. Look for the “OAuth 2.0 token endpoint (v1)“ and copy it's value to "Customer Mobile Oauth Configuration" in Quinyx, in the Endpoint URL field:
  1. From the same Overview page, find “Directory (tenant) ID“, lets call it in short the "TenantID" and “Application (client) ID“ and call it "ClientID". Check for the customerNameInQuinyx used in Step 7. Now with these three values, build the Login Url which should be in the format: This value should be copied to “Customer Mobile Oauth Configuration” in Quinyx, in the Login URL field.
  2. While on the Overview page, you can copy the ClientID to “Customer Mobile Oauth Configuration” in Quinyx, in the "Client ID" field. To finish the “Customer Mobile Oauth Configuration” in Quinyx, select "Azure/ADFS" in the Implementation drop-down, enter the desired Name, choose the Environment and in the "Idp token to use" and select Access token. The default value for Idp field to match is upn (User Principal Name) and QWFM field to match is email. In some cases, it's possible in the Azure setup that value for the Idp field to match should be email, but by default upn is the value to use. Save the “Customer Mobile Oauth Configuration” in Quinyx. You can use same configuration data for multiple environments in Quinyx, for example Production and Release Candidate (RC), just be sure that Name differs in both of them and is unique in the system. You can confirm the configuration works by opening the Quinyx mobile application, typing the environment Name entered in “Customer Mobile Oauth Configuration”, and by using the Azure credentials.

Azure v2 endpoint

If the customer wants to use the v2 endpoint instead of the default v1 above (identified by v2.0 in the url as example) the steps below replace steps 9 and 10 in the above instructions:

  1. The login URL should be
  2. For the setting Idp token to use choose "ID token" (not Access Token).

Domain hint

To help the Azure endpoint to know which domain it’s going to default to, a domain_hint can be used. To add a domain_hint add "&domain_hint=<domain" to the end of the url in step 9. This is only used if requested by the customer, or if the customer has a setup where this might be required.

For more information, please refer to documentation about domain_hint from Microsoft and how it works.

How Did We Do?