# App Registration

02 Nov 2023

Please make sure to have completed the steps in the previous section.

# 1. Configure Pozi Server Application registration

The creation of the Pozi Server Enterprise Application has also implicitly created an app registration with the same name. Search for this app in the 'App registrations' section in Entra ID.

# 2. Authentication

In this section we will make sure that an authenticated user will be granted access through the Pozi Web App.

First, confirm that one Redirect URI has been configured that points to the Application Proxy URL that we have configured in the previous section. If it's not there, please add now.

Now, add a platform and choose 'Single-page application'. It will ask to fill in a Redirect URI. Fill in http://localhost/. We will add a few more in the next step.

Add the missing Redirect URIs from the list below in the Single-page application section:

  • http://localhost/ (for Pozi development purposes)
  • https://staging.pozi.com/ (for client testing/debugging)
  • https://<pozi-site-name>.enterprise.pozi.com/ (replace <pozi-site-name> with the actual site name)
  • https://<pozi-site-name>-entra-id.enterprise.pozi.com/ (optional: only for clients that transition their existing site to Entra ID)

There are some more settings in this section. Most can be ignored. Confirm that the following have the values below.

  • Access tokens: Unchecked
  • ID tokens: Unchecked
  • Enable the following mobile and desktop flows: No

# 3. Expose an API (user_impersonation)

This section covers a crucial setting for the application to access Pozi Server on behalf of the user: the user_impersonation scope.

Go to the 'Expose an API' section of Pozi Server.

Firstly, confirm that the Application ID URI looks something like https://poziserver-<entra-application-client-name>.msappproxy.net/pozi. This should not be changed.

Make sure that in the 'Expose an API' section there is one scope defined, called user_impersonation (prefixed by the Application ID URI above).

Often, this scope gets created by Entra ID automatically but not in every organisation. If this scope is missing, add it as following.

  • Scope name: user_impersonation (correct spelling is crucial!)
  • Who can consent?: Admins only
  • Admin consent display name: Access Pozi Server
  • Admin consent description: Allow the application to access Pozi Server on behalf of the signed-in user.
  • User consent display name: Access Pozi Server (optional)
  • User consent description: Allow the application to access Pozi Server on your behalf. (optional)
  • State: Enabled

The scope above will be used in the Site Configuration in Pozi in the 'Scopes' section. It should look something like: https://poziserver-<entra-application-client-name>.msappproxy.net/pozi/user_impersonation

# 4. Access control

It is possible to further control user access to map catalogues (ie QGIS projects) in Pozi Web App. In order to enforce this access control, Pozi Web App needs to know what groups a user is a member of in the Entra ID environment is required.

This section describes how to provide Pozi Web App with the relevant group information.

Go to the 'Token configuration' section and click on 'Add groups claim'. Then, select desired group types (just 'Security groups` is generally sufficient) and keep default settings

That is all that is needed in Entra ID. Pozi Web App will receive the group information as a list of group ids, like this:

"groups": [

Email support@pozi.com with your list of group ids and what catalogues (ie QGIS projects) each group should have access to.

The group ids can be found under IdentityGroupsAll groups.

# Troubleshooting

Error message Solution
MSAL Error: Invalid Client errorMessage AADSTS65005: The application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' asked for scope 'user_impersonation' that doesn't exist. Add the 'user_impersonation' scope
AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'https://poziserver-councilnamevicgovau.msappproxy.net'. TODO: VERIFY - App registration -> Authentication-> platform type should be SPA
AADSTS50011: The redirect URI 'https://xxxxxxxxxxxxxxxxxxx/' specified in the request does not match the redirect URIs configured for the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this. It could be that the 'https://xxxxxxxxxxxxxxxxxxx/' redirect URI was not configured as a SPA, or, it could be that the application ID of the Pozi Server Enterprise Application was accidentally
invalid_resource: AADSTS500011 - The resource principal named xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx was not found in the tenant named xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Make sure you have provided the correct tenant id and that you are logged in the correct account
AADSTS50105: Your administrator has configured the application Pozi Server ('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx') to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'xxxxxxxxx.xxxxxxx@xxxxxxxxxxx.xxx.xxx.xx') is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application. Give the relevant users/groups access via Enterprise Applications. See the Assign users section.
Forbidden: This corporate app can't be accessed. You are not authorized to access this application.

Next Steps.

Authorization failed. Make sure to assign the user with access to this application.