MCP Server for Domino

Build 25.0.9440

Creating a Custom Entra ID (Azure AD) Application

Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".

In order to authenticate as an Azure AD user, you must create a custom Azure AD application and configure the Domino REST API. This topic describes how to do that. For further information, see the HCL Domino REST API Documentation.

1. Create and Register the Custom Azure AD Application

In the Azure Portal:

  1. Click App registrations. The portal displays the App registrations page.
  2. Click + New Registration. The portal displays the Register an application form.
  3. In this form, complete the following fields:
    • Name: Enter a name for the new custom application.
    • Supported account types: Specify Accounts in this organizational directory only.
    • Redirect URI (optional): Specify Web in the first dropdown, then supply a local redirect URL. For example: http://localhost:8080.
  4. Click Register. The newly created app's Overview screen loads.
  5. Record the Application (client) ID and the Directory (tenant) ID for later use.
  6. Click Add a certificate or secret. The portal displays the Certificates & secrets page.
  7. Click + New client secret.
  8. Specify a description for the new client secret.
  9. Select an expiration period for the new client secret.
  10. Click Add. The new client secret is created and displayed ONLY ONCE.
  11. Record the Value of the newly-created client secret for later use.
  12. Under Manage in the sidebar, navigate to Expose an API.
  13. Next to Application ID URI, click Add. The Portal displays the Application ID URI pane.
  14. Specify a URI in the form api://mydominorest.
    Click Save.
  15. Click + Add a scope. The Portal displays the Add a Scope pane.
  16. Specify the attributes of the scope you want to add to the server. Ensure that admins and users can consent, and that the scope is set to Enabled.
  17. Click Add scope.
  18. Repeat the previous two steps for each scope that you want to enable.
    For further information about available scopes, see the Domino scopes documentation.
  19. In the sidebar, click Manage > API permissions.
  20. Click + Add a permission > APIs my organization uses and select your application's name. The Portal displays the Request API permissions form.
  21. Under "Select permissions", enable the scopes you defined by selecting their check boxes, then click Add permissions to confirm the selection.
  22. In the sidebar, click Manage > Owners.
  23. Click + Add Owners. Select the check box for the desired user(s) and click Select.
  24. Click Manage > Authentication in the sidebar.
  25. Under "Implicit grant and hybrid flows", select the Access tokens (used for implicit flows) check box and click Save.
  26. Navigate in the sidebar to Manage > Manifest.
  27. Record the value of the "id" in the manifest for later use.
  28. Change the value of accessTokenAcceptedVersion from null to 2 and click Save.
  29. Click Overview in the sidebar to return to the application Overview page.
  30. In the Overview page, click Endpoints.
  31. Note the following URL values for later use:
    • OAuth 2.0 authorization endpoint (v2)
    • OAuth 2.0 token endpoint (v2)
    • OpenID Connect metadata document

2. Configure the Domino REST API

In your Domino server, create a JSON file in the keepconfig.d folder within your notesdata folder. Populate the file with the following content:

{
  "jwt": {
    "your_filename": {
      "active": true,
      "providerUrl": "https://login.microsoftonline.com/[tenantid]/v2.0/.well-known/openid-configuration",
      "aud": "[application id]",
      "iss": "[issuer URL]",
      "algorithm": "RS256"
    }
  }
}

Modify this sample content as follows:

  • Replace "your_filename" with the name of the JSON file you created, without the ".json" extension. Do not remove the double quotes.
  • Replace [tenantid] with your Tenant ID. This is the "Directory (tenant) ID" on the Azure application's Overview page.
  • Replace [application id] with the value of the Application (client) ID from the application's Overview page, which you noted earlier.
  • Replace [issuer URL] with the "issuer" URL associated with your providerUrl above.
    • To find this, open the providerUrl (with the Tenant ID inserted) in your browser and look for the value of the "issuer" attribute.
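The substitutions above are easy to get subtly wrong: a leftover "[tenantid]" placeholder, an "iss" copied from a different tenant's metadata, or a filename key that still carries the ".json" extension. The following Python script is an added example (not CData or HCL code) that performs the four substitutions from a constructed OpenID Connect metadata document and validates the result before it is written to keepconfig.d. The tenant ID, application ID and the discovery document contents are constructed placeholder values; the issuer check assumes, as the topic does, that the "issuer" value of a tenant's metadata document contains that tenant's ID.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample values. These GUIDs are placeholders, not a real tenant or app.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_APP_ID = "11111111-1111-1111-1111-111111111111"

# Constructed stand-in for what opening providerUrl (with the Tenant ID inserted)
# returns in the browser. Only the attributes used here are included.
SAMPLE_DISCOVERY_DOC = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/discovery/v2.0/keys",
}

# providerUrl from the sample config, with [tenantid] as a format field.
PROVIDER_URL_TEMPLATE = (
    "https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"
)
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def provider_url(tenant_id: str) -> str:
    """Fill the Directory (tenant) ID into providerUrl, rejecting non-GUID input."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant id must be the GUID shown on the Overview page")
    return PROVIDER_URL_TEMPLATE.format(tenant_id=tenant_id)


def issuer_from_discovery(doc: dict, tenant_id: str) -> str:
    """Read the 'issuer' attribute of the metadata document.

    Refuses an issuer that does not reference this tenant or is not https, so a
    mis-pasted document cannot produce a config that trusts tokens from elsewhere.
    """
    iss = doc.get("issuer")
    if not isinstance(iss, str):
        raise ValueError("metadata document has no 'issuer' attribute")
    if tenant_id not in iss:
        raise ValueError("issuer does not belong to the configured tenant")
    if urlparse(iss).scheme != "https":
        raise ValueError("issuer must be an https URL")
    return iss


def build_keep_config(filename: str, tenant_id: str, app_id: str, discovery_doc: dict) -> dict:
    """Build the keepconfig.d JSON body for the given file name.

    The inner key is the file name without the '.json' extension, as the topic requires.
    """
    key = filename[:-5] if filename.endswith(".json") else filename
    if not GUID_RE.match(app_id):
        raise ValueError("application (client) id must be the GUID from the Overview page")
    return {
        "jwt": {
            key: {
                "active": True,
                "providerUrl": provider_url(tenant_id),
                "aud": app_id,
                "iss": issuer_from_discovery(discovery_doc, tenant_id),
                "algorithm": "RS256",
            }
        }
    }


def unfilled_placeholders(config: dict) -> list:
    """Return any '[...]' placeholders still present in the rendered JSON.

    Catches a half-edited file such as one that still says "[tenantid]" before
    the Domino REST API ever loads it.
    """
    return re.findall(r"\[[^\]]+\]", json.dumps(config))


if __name__ == "__main__":
    cfg = build_keep_config("entra.json", SAMPLE_TENANT_ID, SAMPLE_APP_ID, SAMPLE_DISCOVERY_DOC)
    if unfilled_placeholders(cfg):
        raise SystemExit("placeholders left in config")
    # Write this output to notesdata/keepconfig.d/entra.json on the Domino server.
    print(json.dumps(cfg, indent=2))
```

Run it with the real Directory (tenant) ID, Application (client) ID and the metadata document fetched from the providerUrl in place of the constructed values; the printed JSON is the file to place in keepconfig.d, and the placeholder check fails loudly if any bracketed value was left behind.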

Copyright (c) 2025 CData Software, Inc. - All rights reserved.