Skip to main content
Connect Microsoft Entra ID (formerly Azure Active Directory) to authenticate end users with your Char agent. Create an app registration and configure Char for token validation.

Prerequisites

  • A Microsoft Entra ID tenant (Azure AD)
  • Admin access to create app registrations
  • Access to the Char dashboard

Azure Portal

App registrations in Azure Portal

Entra Admin Center

Microsoft Entra Admin Center

Microsoft Docs

Register an application quickstart

ID Token Claims

Token claims reference

SDK References

@azure/msal-browser

Microsoft Authentication Library for Browser

@azure/msal-react

MSAL React wrapper library

Configuration Steps

1

Register an Application in Azure

  1. Sign in to the Azure Portal or Entra Admin Center
  2. Navigate to Microsoft Entra IDApp registrations
  3. Click New registration
  4. Configure the registration:
SettingValue
NameChar Agent (or your preferred name)
Supported account typesChoose based on your needs (typically “Single tenant”)
Redirect URISelect “Single-page application (SPA)” and enter your callback URL
  1. Click Register
2

Note Your Application (Client) ID and Tenant ID

After registration, from the Overview page, copy:
  1. Application (client) ID - This is your Client ID
  2. Directory (tenant) ID - This is your Tenant ID (used as the domain in Char)
See Microsoft’s app registration guide for screenshots showing exactly where to find these values.
3

Configure Authentication Settings

Navigate to Authentication in your app registration:
  1. Under Single-page application, verify your redirect URIs
  2. Under Implicit grant and hybrid flows, ensure ID tokens is checked
  3. Click Save
For production, use the Authorization Code flow with PKCE instead of implicit flow. The MSAL library handles this automatically.
4

Configure Char

In the Char Dashboard:
  1. Navigate to SettingsIntegration
  2. Under SSO Configuration, select Azure AD as the provider
  3. Enter your Application (client) ID as the Client ID
  4. Enter your Directory (tenant) ID as the Tenant ID
  5. Click Test Connection to verify
  6. Click Save Changes

Configuration Reference

Char FieldAzure ValueExample
Provider TypeAzure ADazure
Client IDApplication (client) ID12345678-1234-1234-1234-123456789012
Tenant IDDirectory (tenant) ID87654321-4321-4321-4321-210987654321
You can also use your verified domain name instead of the Tenant ID (e.g., contoso.onmicrosoft.com or a custom domain like contoso.com).

Token Requirements

Char validates Azure AD tokens with these requirements:
ClaimRequirement
issMust match https://login.microsoftonline.com/{tenant-id}/v2.0
audMust include your configured Application (client) ID
subRequired - used as the user identifier
expMust not be expired

Example: Obtaining and Passing the Token

import { PublicClientApplication } from '@azure/msal-browser';
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement } from "@mcp-b/char/web-component";

const CLIENT_ID = '12345678-1234-1234-1234-123456789012';

const msalConfig = {
  auth: {
    clientId: CLIENT_ID,
    authority: 'https://login.microsoftonline.com/87654321-4321-4321-4321-210987654321',
    redirectUri: window.location.origin,
  },
};

const msalInstance = new PublicClientApplication(msalConfig);
await msalInstance.initialize();

// After authentication
const account = msalInstance.getAllAccounts()[0];
const tokenResponse = await msalInstance.acquireTokenSilent({
  account,
  scopes: ['openid', 'profile', 'email'],
});

const agent = document.querySelector("char-agent") as WebMCPAgentElement
  ?? document.createElement("char-agent") as WebMCPAgentElement;

if (!agent.isConnected) {
  document.body.appendChild(agent);
}

// Use connect() - keeps token out of DOM
agent.connect({ idToken: tokenResponse.idToken, clientId: CLIENT_ID });
SPA vs SSR: Use connect({ idToken, clientId }) for SPAs to keep the JWT out of the DOM. Use connect({ ticketAuth }) for SSR apps where MSAL sessions live on your server.

Multi-Tenant Configuration

If your application supports multiple Azure AD tenants:
  1. Register your app with Accounts in any organizational directory
  2. Use the common or organizations authority endpoint
  3. Configure Char with your specific tenant ID where you want to validate tokens
Multi-tenant apps accept tokens from any tenant. For Char, you should configure a specific tenant ID to ensure only users from your organization can access the agent.

Troubleshooting

The token issuer doesn’t match your configured tenant:
  • Verify the Tenant ID in Char matches your Azure AD directory
  • Check that you’re using the v2.0 endpoint (MSAL uses this by default)
  • For multi-tenant apps, ensure you’ve configured the correct tenant
The token’s aud claim doesn’t match your configured Client ID:
  • Ensure the Client ID matches your Application (client) ID exactly
  • Verify you’re using the ID token, not the access token
  • Check that your app registration has the correct redirect URI type (SPA)
Char couldn’t reach Azure’s JWKS endpoint:
  • Verify your Tenant ID is correct
  • Check network connectivity to login.microsoftonline.com
  • Use Test Connection in the dashboard to verify
If acquireTokenSilent fails:
  • Ensure the user has previously authenticated interactively
  • Check that your scopes include openid
  • Verify the redirect URI matches your app registration
  • Try acquireTokenPopup or acquireTokenRedirect as a fallback

Security Best Practices

  • Use connect() for authentication - The connect({ idToken, clientId }) method keeps tokens out of the DOM
  • Use ticket exchange for SSR - For server-rendered pages, exchange Azure AD JWTs for short-lived tickets server-side
  • Use single-tenant configuration unless you specifically need multi-tenant support
  • Enable Conditional Access policies in Azure AD for additional security controls
  • Configure token lifetime appropriately in Azure AD
  • Monitor sign-in logs in Azure AD for suspicious activity
  • Regularly review app permissions and remove unnecessary scopes