Through the Admin Interface

To set up OAuth-based authentication and authorization with Microsoft Entra through the Admin Interface, follow these steps:

1. Create your external security object by setting these fields on the External Security configuration page and clicking OK:

   Field	Setting
   External Security Name	Enter a descriptive name for this external security object that identifies the external agent. EXAMPLE: MicrosoftEntraExampleOAuth
   Description	(Optional) Enter a description for this external security object. EXAMPLE: Microsoft Entra external security object for OAuth
   Authentication	Choose oauth from the dropdown. Setting this field to oauth makes the OAuth Server fields available.
   Cache Timeout	Enter a number in seconds after which you want MarkLogic Server to re-authenticate the user with your OAuth external agent instead of with the credentials stored in the cache. EXAMPLE: 300 (default kept) Note: Clear the cache by calling either sec.externalSecurityClearCache() or sec:external-security-clear-cache().
   Authorization	Choose oauth from the dropdown.

   OAuth Server fields:

   Field	Setting
   OAuth Flow Type	Choose Resource server from the dropdown.
   OAuth Vendor	Choose Microsoft Entra from the dropdown.
   OAuth Client ID	Enter the application ID found on your registered Microsoft Entra application’s overview page. EXAMPLE: 37b06574-bdf0-42a2-9659-ebeaf8faf1c6
   OAuth JWT Issuer URI	Required: Enter your tenant ID found on your registered Microsoft Entra application’s overview page. EXAMPLE:https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/
   OAuth Token Type	Choose JSON Web Tokens from the dropdown.
   OAuth Username Attribute	name
   OAuth Role Attribute	groups
   OAuth JWT Algorithm	Choose RS256 from the dropdown.
   OAuth JWT Secrets	Enter the key ID into the left field as the Secret Key ID and the public key in PEM format into the right field as the Secret Value. To enter more secrets, click Add Secret to expose additional field pairs. EXAMPLE: Secret Key ID = XRvko8P7A3UaWSnU7bM9nT0MjhA Secret Value = -----BEGIN PUBLIC KEY----- <PEM-converted key> -----END PUBLIC KEY----- Note: The JWT Secrets field secures both symmetric and asymmetric signature keys.
   OAuth JWKS URI	(Optional) JSON Web Key Sets Endpoint for obtaining JSON Web Keys. URI must support TLS (https) or be a loopback URI. EXAMPLE: https://login.microsoftonline.com/3fc33f01-1894-4196-b81f-54417daac155/discovery/v2.0/keys Note: You can specify a JWKS URI to validate incoming JWT access tokens with JWKS instead of with JWT Secrets signature keys.

2. Configure your desired app servers to use this external security object by setting these fields on each App Server configuration page and clicking OK:

   Field	Setting
   Authentication	Choose oauth from the dropdown.
   Internal Security	Click the false radio button.
   External Securities dropdown	Choose from the dropdown the External Security Name that you gave to your external security object in the previous step. Choose only one. EXAMPLE: MicrosoftEntraExampleOAuth

3. Assign the external name to your desired roles by setting this field on each Role configuration page and clicking OK:

   Field	Setting
   External Name	From the Groups section of your Microsoft Entra tenancy page, enter the UUID of the role within the JWT payload field groups that you want to associate with this MarkLogic Server role. EXAMPLE: 7228762e-cb30-428a-ae1a-3a8cf9e2f728

MarkLogic Server is now set up for OAuth-based authentication and authorization with Microsoft Entra.