Creating a Custom OAuth Application
You must create a custom OAuth application to authenticate to Domino via OAuth with AzureAD as an IdP.
Register and Configure an Azure AD App
In the Azure Portal, complete the following steps:
- Click App registrations.
- If this option isn't listed on the Azure Portal homepage, either search for "App registrations" in the search box or navigate to More services > Identity > Identity Management > App Registrations.
- Click + New Registration.
- Enter a name and select a supported account type.
- Under Redirect URI (optional), select the Web option in the first dropdown and enter a local redirect URL. For example: http://localhost:8080
- Click Register. The newly created app's Overview screen loads.
- Note the Application (client) ID and the Directory (tenant) ID. These will be used later.
- Click Add a certificate or secret. The Certificates & secrets page loads.
- Click + New client secret > Add.
- Note the Value of the newly created client secret. This will be used later to configure the add-in.
- Warning: This value is only visible when you first create the client secret.
- Navigate to Manage > Expose an API in the sidebar.
- Click Add next to "Application ID URI". Specify a URI starting with "api://" (e.g. "api://mydominorest") and click Save.
- Click + Add a scope. The Add a Scope pane appears.
- Fill out the form in accordance with one of the scopes you want to grant to the add-in and click Add scope to complete the registration. Refer to the Domino documentation regarding scopes for information about the available scopes.
- Repeat the previous two steps for each scope that you want to enable.
- Click Manage > API permissions in the sidebar.
- Click + Add a permission > APIs my organization uses and select your application's name. If your application is not visible, type its name in the search box. The Request API permissions menu appears.
- Under "Select permissions", enable the scopes you defined by selecting their check boxes, then click Add permissions to confirm the selection.
- In the sidebar, click Manage > Owners.
- Click + Add Owners. Select the check box for the desired user(s) and click Select.
- Click Manage > Authentication in the sidebar.
- Under "Implicit grant and hybrid flows", select the Access tokens (used for implicit flows) check box and click Save.
- Navigate in the sidebar to Manage > Manifest.
- Note the value of the "id" in the manifest. This will be used later.
- Change the value of accessTokenAcceptedVersion from null to 2 and click Save.
- Click Overview in the sidebar to return to the application Overview page, then click Endpoints.
- Note the following URL values for later use:
- OAuth 2.0 authorization endpoint (v2)
- OAuth 2.0 token endpoint (v2)
- OpenID Connect metadata document
Configuring the Domino REST API
In your Domino server, create a JSON file in the keepconfig.d folder within your notesdata folder. Populate the file with the following content:
{
  "jwt": {
    "your_filename": {
      "active": true,
      "providerUrl": "https://login.microsoftonline.com/[tenantid]/v2.0/.well-known/openid-configuration",
      "aud": "[application id]",
      "iss": "[issuer URL]",
      "algorithm": "RS256"
    }
  }
}
Modify this sample content as follows:
- Replace "your_filename" with the name of the JSON file you created, without the ".json" extension. Do not remove the double quotes.
- Replace [tenantid] with your Tenant ID. This is the "Directory (tenant) ID" on the Azure application's Overview page.
- Replace [application id] with the value of the Application (client) ID from the application's Overview page, which you noted earlier.
- Replace [issuer URL] with the "issuer" URL associated with your providerUrl above.
- To find this, open the providerUrl (with the Tenant ID inserted) in your browser and look for the value of the "issuer" attribute.
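The following Python script is an added example (not part of the Domino or HCL documentation) that assembles the keepconfig.d document from the values gathered above and checks that the "issuer" taken from the OpenID Connect metadata document actually belongs to your tenant's v2.0 endpoint before it is written to the file. The tenant ID, application ID and the discovery document contents are constructed sample values.

```python
import json

# Constructed sample of the OpenID Connect metadata document that providerUrl returns;
# only the fields this example reads are included.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
}

LOGIN_HOST = "login.microsoftonline.com"


def provider_url(tenant_id: str) -> str:
    """providerUrl as described above, with the tenant ID inserted."""
    return f"https://{LOGIN_HOST}/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_issuer(issuer: str, tenant_id: str) -> None:
    """Reject an issuer that is not this tenant's v2.0 issuer (https://<host>/<tenant>/v2.0).
    A wrong tenant or a v1.0 issuer would make Domino accept or reject the wrong tokens."""
    parts = issuer.split("/")
    # Expected layout: ["https:", "", host, tenant, "v2.0"]
    if len(parts) != 5 or parts[0] != "https:" or parts[2] != LOGIN_HOST:
        raise ValueError(f"issuer is not served by {LOGIN_HOST}: {issuer}")
    if parts[3] != tenant_id:
        raise ValueError(f"issuer tenant {parts[3]} does not match {tenant_id}")
    if parts[4] != "v2.0":
        raise ValueError("issuer is not a v2.0 issuer; check accessTokenAcceptedVersion = 2")


def build_keep_jwt_config(filename: str, tenant_id: str, app_id: str, discovery: dict) -> dict:
    """Build the JSON document for keepconfig.d. `filename` is the JSON file name without
    the ".json" extension; `discovery` is the parsed metadata document from providerUrl."""
    if filename.endswith(".json"):
        filename = filename[: -len(".json")]
    issuer = discovery["issuer"]
    check_issuer(issuer, tenant_id)
    return {
        "jwt": {
            filename: {
                "active": True,
                "providerUrl": provider_url(tenant_id),
                "aud": app_id,
                "iss": issuer,
                "algorithm": "RS256",
            }
        }
    }


if __name__ == "__main__":
    cfg = build_keep_jwt_config("azuread.json", SAMPLE_TENANT, SAMPLE_APP_ID, SAMPLE_DISCOVERY)
    print(json.dumps(cfg, indent=2))  # write this to notesdata/keepconfig.d/azuread.json
```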