
Custom App Registration

Navigation

1. Go to the Azure portal: https://portal.azure.com
2. Navigate to Microsoft Entra ID (formerly Azure Active Directory).
3. In the left menu, select App registrations.
4. Click New registration.

Fill in registration details

5. Name: Enter Leadcast as the application name.
6. Supported account types: Select one of the following options:
   - Accounts in any organizational directory (Multiple Entra ID Tenants) — for access from multiple organizations.
   - Accounts in any organizational directory and personal Microsoft accounts (Multiple Entra ID Tenants and Personal Microsoft Accounts) — if you also want to allow external logins with personal accounts.

   🔒 Tenant restriction: If you choose Multiple Entra ID Tenants only and want to further lock down which tenants can log in, select the option to allow only certain tenants. Add the following tenants:
   - Your own tenant(s) (if there are any besides the one the registration is made in)
   - Orange Cat tenant: c5b2134d-f5d8-4feb-9d12-e8bfdd16534d — required for application support

   ℹ️ Note: Even if "allow all tenants" is configured, the Leadcast application will only allow known actors to authenticate. The final access configuration resides within the Leadcast application itself.
7. Redirect URI:
   - Platform: Web
   - URI: https://<yourname>.leadcast.nl/signin-oidc and/or https://<your custom leadcast domain>/signin-oidc
8. Click Register.

Create a Client Secret

9. Open the newly created App registration (Leadcast).
10. In the left menu, go to Certificates & secrets.
11. Click New client secret.
12. Enter a description, for example Leadcast-secret.
13. Choose an expiry period (e.g. 6 months, 12 months, or 24 months).
14. Click Add.
15. ⚠️ Copy the secret value immediately! It is only shown once.

Configure API permissions

16. In the left menu, go to API permissions.
17. Click Add a permission.
18. Select Microsoft Graph (or another API if needed).
19. Choose the permission type:
    - Delegated permissions (on behalf of a signed-in user), or
    - Application permissions (for background processes without a user).
20. Select the following minimum required permissions:
    - User.Read – Read the signed-in user's basic profile
    - openid – OpenID Connect sign-in
    - profile – Read profile information
    - email – Read email address
21. Click Add permissions.
22. (Optional) Click Grant admin consent for [organization] if the permissions require admin consent.

Configure token settings

23. In the left menu, go to Token configuration.
24. Click Add optional claim.
25. Select the token type: ID.
26. Add the following claims:
    - email
    - family_name
    - given_name
27. Click Add.

Additional settings

28. Go to Authentication in the left menu.
29. Verify that the Redirect URI is correct: https://<yourname>.leadcast.nl/signin-oidc and/or https://<your custom leadcast domain>/signin-oidc
30. Under Implicit grant and hybrid flows: check ID tokens.
31. Under Supported account types, confirm that the correct multitenant option is selected.
32. Click Save.

Additional access control after registration

Once the registration has been created and is in use, further access control is configured through the Azure Enterprise Application. See: Microsoft Docs
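A multi-tenant registration authenticates against the shared Microsoft authority, so the application itself has to decide which tenants may sign in, which is what the note in step 6 means by the access configuration residing in Leadcast. The following is an added example of that app-side check, not Leadcast's or Orange Cat's code: it validates the decoded ID token claims against a tenant allow-list (the Orange Cat tenant ID is the one from this guide; the own-tenant and client IDs are constructed placeholders) and requires the claims added in step 26. It assumes the OIDC middleware has already verified the JWT signature.

```python
# Added example (not Leadcast's or Orange Cat's code): app-side tenant and claim
# checks for a multi-tenant Entra ID registration. Assumes the JWT signature has
# already been verified by the OIDC middleware; only decoded claims are checked.
ORANGE_CAT_TENANT = "c5b2134d-f5d8-4feb-9d12-e8bfdd16534d"  # support tenant from the guide
OWN_TENANT = "00000000-1111-2222-3333-444444444444"         # constructed placeholder
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"          # constructed placeholder
ALLOWED_TENANTS = frozenset({OWN_TENANT, ORANGE_CAT_TENANT})
REQUIRED_CLAIMS = ("email", "family_name", "given_name")    # optional claims from step 26


class TokenRejected(Exception):
    """Raised when the ID token must not be accepted."""


def validate_id_token_claims(claims, now, allowed_tenants=ALLOWED_TENANTS, client_id=CLIENT_ID):
    """Return the identity fields the app needs, or raise TokenRejected."""
    if claims.get("aud") != client_id:          # token was minted for another app
        raise TokenRejected("audience mismatch")
    tid = claims.get("tid")
    if tid not in allowed_tenants:              # the tenant restriction enforced in-app
        raise TokenRejected(f"tenant {tid!r} is not allowed")
    # v2.0 issuers are per tenant: iss and tid must agree, otherwise the token is suspect
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise TokenRejected("issuer does not match tenant")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise TokenRejected("token not valid at this time")
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:                                 # optional claims from step 26 not configured
        raise TokenRejected(f"missing claims: {missing}")
    identity = {c: claims[c] for c in REQUIRED_CLAIMS}
    identity.update(tid=tid, oid=claims.get("oid"))
    return identity


def constructed_claims(tid=OWN_TENANT, **overrides):
    """Build a constructed (not captured) decoded ID token payload for testing."""
    claims = {
        "aud": CLIENT_ID,
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "oid": "12345678-aaaa-bbbb-cccc-1234567890ab",
        "nbf": 1_700_000_000, "exp": 1_700_003_600,
        "email": "jane@example.com", "family_name": "Doe", "given_name": "Jane",
    }
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    print(validate_id_token_claims(constructed_claims(), now=1_700_000_100))
```

A token from an unlisted tenant, or one whose `iss` names a different tenant than its `tid`, is rejected even though it was signed by Microsoft.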

Securely share credentials with Orange Cat Support

33. Note the following details from the App registration:
    - Application (client) ID — found on the overview page
    - Client Secret — copied in step 15
34. Share these credentials securely with a member of Orange Cat Support using one of the following methods:
    - 🔐 Password manager: Share via a secure tool such as 1Password, Bitwarden, or LastPass (shared vault or secure link).
    - 🔗 One-time secret link: Use a service like onetimesecret.com or password.link to create a link that expires after being opened once.
    - 📞 Split sharing: Send the Client ID via email and communicate the Client Secret by phone or through a separate secure channel.
35. ⚠️ Never share the Client ID and Client Secret through insecure channels such as plain email, chat, or tickets!

Summary

| Setting | Value |
| --- | --- |
| App name | Leadcast |
| Account type | Multiple Entra ID Tenants (or + Personal Microsoft Accounts) |
| Tenant restriction | (optional) Allowed tenants only + Orange Cat c5b2134d-f5d8-4feb-9d12-e8bfdd16534d |
| Redirect URI | https://<yourname>.leadcast.nl/signin-oidc and/or https://<your custom leadcast domain>/signin-oidc |
| Platform | Web |
| Token claims | email, family_name, given_name |
| ID tokens | Enabled |
| Application (client) ID | (available on the overview page after registration) |
| Directory (tenant) ID | (available on the overview page after registration) |
| Client Secret | (see step 15 – copy immediately!) |
| Shared with Orange Cat | (confirm after securely sharing in step 34) |

💡 Store the Client ID and Client Secret in a secure location (e.g. Azure Key Vault).
    Modified at 2026-03-09 19:49:30