Entra OpenID Connect (OIDC)

Last Updated: April 07, 2026

An Entra OIDC configuration is required if your organization uses a Entra ID (Azure AD) SAML connection for identity management and Microsoft Microsoft Intune for mobile app deployment. Microsoft Intune's Mobile Application Management (MAM) policies require OIDC authentication for mobile apps to access protected documents.

Key Points

  • This configuration is specifically for mobile Microsoft Intune environments.
  • OIDC works alongside any existing Entra ID (Azure AD) SAML connections for desktop and web users (doesn't replace them).
  • Ensure Microsoft Intune mobile settings are enabled. Contact your Vasion representative for assistance.
  • This authentication method is specific to mobile sign-in to enable the PrinterLogic app to access documents protected by Microsoft Intune's Mobile Application Management (MAM) policies.

Requirements

  • Existing Entra ID (Azure AD) SAML connection configured for Vasion Print.
  • Multi-IdP and Microsoft Intune features enabled for your Vasion Print instance.
  • MicrosoftMicrosoft Intune environment with Mobile Application Management (MAM) policies.
  • Administrative access to both the Microsoft Entra admin center and Vasion Print Admin Console.

Configure the Connection

To add and configure app properties for the Vasion Print OIDC connection do the following:

  1. Add IdP Template.
  2. Register Entra Application.
  3. Add Mobile URI.
  4. Configure IdP Settings.
  5. Configure SCIM Provisioning.
  6. Enable Mobile Intune Login.

1. Add IdP Template

  1. Open your Vasion Print Admin Console and sign in.
  2. Go to Tools then Settings then General and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select Custom in the IdP Template dropdown.
  5. Select OIDC in the Authentication Protocol section.
  6. Leave the checkboxes in the Provisioning section blank.
  7. In the Name field, enter the name you want displayed on the login button for users, e.g. Microsoft Intune Login, Mobile Only, etc.

Do not select the Enable for End User Login or the Enable for Admin Login options. Microsoft Intune authentication is only supported by the mobile app.

Custom OIDC IdP template as seen in the Admin Console.

Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.

2. Register an Application

  1. Go to the Microsoft Entra admin center. (https://entra.microsoft.com/)

  2. In the left-side menu expand Entra ID, then select App registrations.

    Some Entra ID options in the Entra Admin center side navigation.

  3. On the App Registrations page, select + New Registration in the upper-left.
  4. In the Register an application page, enter a Name for the application. End-users will see this name.
  5. Select the desired option in the Support account types section.
  6. In the Redirect URI (optional) section, choose the Web option in the Select a platform dropdown.

  7. Go back to the IdP Settings template and copy the SSO URL from the Service Provider Information section.

    Service provider information SSO URL and Mobile SSO URL.

  8. Paste the SSO URL in the field next to the Web option.
  9. Select Register.

Register an application modal.

3. Add Mobile URI

  1. On the new app's homepage, select the Redirect URIs option in the Essentials section.

    Intune application overview page showing the Essentials section.

  2. In the Redirect URIs section, select Add URI.

  3. Go back to the IdP Settings template and copy the Mobile SSO URL from the Service Provider Information section.

    Service provider information SSO URL and Mobile SSO URL.

  4. Paste the Mobile SSO URL in the new Entra URI field.
  5. Scroll down to the Implicit grant and hybrid flows section, select the Access tokens (used for implicit flows) option.
  6. Select Save.

4. Configure IdP Settings

  1. Select Overview from the app's left-side menu.

  2. Select the Endpoints option.

    Endpoints menu option in Entra.

    1. In the Endpoints modal, copy the OpenID Connect metadata document.
    2. Paste it into the IdP Settings Discovery Endpoint field.
    3. Close the Endpoints modal.

  3. Copy the Application (client) ID from the Entra app's Essentials section and paste it into both the Client Id for Clients and the Client Id for Server fields.

    Intune application overview page showing the Essentials section.

  4. Select Certificates and secrets in the app's left-side menu.
  5. Select + New client secret.
    1. Enter Server in the Description field.
    2. Adjust the Expires value as needed.
    3. Select Add.

  6. Copy the Value for the Server secret and paste it into the IdP Settings Client Secret for Server field.

    Copy the Value, not the Secret ID.
  7. Select + New client secret again.
    1. Enter Client in the Description field.
    2. Adjust the Expires value as needed.
    3. Select Add.

  8. Copy the Value for the Client secret and paste it into the IdP Settings Client Secret for Clients field.

    Client secrets.

  9. Select Apply in the IdP Settings modal.
  10. Select Save in Vasion Print.

IdP Settings modal showing the filled in fields.

5. Configure SCIM Provisioning

The following sections guide you through creating the Entra Provisioning app, adding the Microsoft Intune users and groups, and applying the SCIM token.

Create Provisioning App

  1. Navigate to the Microsoft Entra admin center.

  2. In the left-side menu expand Entra ID, then select Enterprise apps.

    Some Entra ID options in the Entra Admin center side navigation.

  3. Select + New Application in the upper-left.
  4. In the Browse Microsoft Entra Gallery window, use the search bar to search for and select PrinterLogic.

  5. In the new app modal, enter a unique Name, then select Create.

    Entra ID showing the PrinterLogic search result and create new app modal to the right-side.

Add Users and Groups

  1. On the app's Overview page, and select 1. Assign Users and Groups.
  2. Select the + Add User/Group option.
  3. In the Users and Groups section of the Add Assignments page, select None Selected.
  4. Add the Microsoft Intune users and groups you want to provision over.
  5. Assign the Users role for end users.
  6. Select the Select button.
  7. Select Assign.

Entra ID Add Assignment Users and Groups window.

Enable Provisioning

  1. On the app's Overview page, select Provisioning from the left-side Manage menu.

  2. On the Overview (Preview) page, select + New configuration.

    New Configuration button in application overview.

  3. In Vasion Print, select the your separate Entra ID configuration and then select Modify.

    This is the SCIM Tenant URL from your existing Entra ID (Azure AD) configuration, not the new Custom OIDC configuration.

  4. Copy the SCIM Tenant URL from the Service Provider Information section and paste the URL into the Entra Tenant URL field.
  5. Close out of the Admin Console IdP Settings window.

4. Generate and Apply SCIM Token

  1. In the Vasion PrintGeneral settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your Microsoft Intune configuration in the dropdown menu.

  3. Select Generate SCIM Token.

    SCIM section showing the IdP selected in the drop-down, and the Generate SCIM Token button to the right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Select Proceed.
  5. Copy the token, close the modal, and select Save at the top-right corner of the General Settings window.
  6. In the Entra New provisioning configuration panel, paste the SCIM token into the Secret Token field.
  7. Select Test Connection.
  8. Select Create.

New provisioning configuration page.

The initial provisioning can take up to 45 minutes to "Automatically" provision after changes are made. Select the Start Provisioning option on the Provisioning tab to start the process sooner. Use Provision on Demand to provision specific users for testing purposes.

6. Enable Microsoft Intune Login

  1. Go to Tools then Settings then Mobile in the Admin Console.

  2. In the Intune Settings section, select Enable Microsoft Intune Login.

  3. Select the IdP you wish to use for Microsoft Intune authentication from the dropdown.

  4. Select Save in the upper-right corner.