# Azure AD Configuration for Server-Side Scripts

## Overview

In some cases, you'll want to perform a specific task that can be automated but needs access to the WorkflowGen GraphQL API; this use case often takes the form of a server-side script. For this, OAuth2 provides a grant type called **Client Credentials** that simply exchanges a client ID and secret for an access token. There is no ID token, since this grant is not part of the OpenID Connect standard and there's no user involved.

This section provides instructions on how to configure Azure AD for a server-side script that has access to the GraphQL API. First, you'll need to register a new web application in the Azure portal; then, you'll need to register a new application in WorkflowGen.

## Prerequisites

* Make sure to have a licensed copy of WorkflowGen installed and running on a server.
* Make sure to have administrative access to WorkflowGen.
* Make sure to have administrative access to Azure Active Directory to be able to configure it properly.
* Make sure to have successfully configured delegated authentication to Azure AD on your WorkflowGen instance following the instructions in the [Azure Active Directory authentication](https://docs.advantys.com/workflowgen-for-azure/7.14.0-5/azure-active-directory-authentication) section.

## Azure Active Directory configuration

### Step 1: Register a new web application

1. In the Azure portal, click **App registrations** in the **Azure Active Directory** section.
2. Click **New application registration**, and fill in the properties:
   * **Name**: Your script name
   * **Application type**: `Web App / API`
   * **Sign-on URL**: This isn't needed, since there's no login involved.
3. Click **Create** at the bottom of the page.

You've now successfully registered your script in Azure Active Directory.

### Step 2: Grant access to the GraphQL API

1. On the application's overview page, click **Settings**.
2. In the **API Access** section, click **Required permissions**, then click **Add**.
3. Click **Select an API**.
4. Search for the WorkflowGen GraphQL API and select it.
5. Click **Select permissions**, then check all of the checkboxes.
6. Click **Select**.

You should now see the WorkflowGen GraphQL API in the list of required permissions.

### Step 3: Generate a key

1. Return to the application's overview page, then click **Settings**.
2. In the **Keys** section, enter a new key with the following properties:
   * **Description**: `client_secret` (or something that clearly identifies that it's a secret)
   * **Expires**: `Never expires`
   * **Value**: A string that represents the secret. Make sure that it has sufficient entropy so that it can't be guessed, such as a UUID.
3. Click **Save**.
4. Copy and save the value generated by Azure. This is your client secret, and you won't be able to retrieve it later.

### Review the registration

Here's a review of the information you'll need:

* A client ID, which can be found on the registered application's settings tab.
* A client secret, which is the value you copied in Step 3 (it can't be retrieved from the portal afterwards).
* Your Azure AD's tenant ID, which can be found in the **Properties** sub-section of the **Azure Active Directory** section in the portal.
* The WorkflowGen GraphQL API's application ID, which can be found on its overview page.

You're now ready to register your script in WorkflowGen.

## WorkflowGen configuration

As with user provisioning, WorkflowGen needs to know which application is accessing the GraphQL API. Therefore, you have to register your script as an application.

### Register a new application

1. On the **Applications** page in the WorkflowGen Administration Module, click **New application**.
2. Fill in the form:
   * **Name**: `My Server Application`
   * **Description**: A description that clearly identifies the script
   * **Type**: `Non-interactive Client`
   * **Impersonate username**: Any username that has the required access to the GraphQL API
   * **Client ID**: The client ID you retrieved earlier
   * **Active**: Check this checkbox
3. Click **Save**.

Your application should now appear in the list of applications.

{% hint style="success" %}
You should now have the necessary components in place to make GraphQL API requests with your script by passing the access token obtained from Azure AD through a Client Credentials Grant flow.
{% endhint %}
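The following script, added here as an example and not part of the WorkflowGen documentation, puts the two halves together: it exchanges the client ID and secret from Step 3 for an access token and sends a GraphQL request with it. It assumes Node.js 18+ (global `fetch`) and the Azure AD v1 token endpoint (`/oauth2/token` with a `resource` parameter); the environment variable names and the GraphQL query are placeholders, not WorkflowGen's own.

```javascript
// Added example, not from the WorkflowGen docs: a Node.js 18+ script (global fetch) that
// exchanges the client ID/secret from Step 3 for an access token and calls the GraphQL API.
// Assumes the Azure AD v1 token endpoint (/oauth2/token with "resource"); the environment
// variable names and the GraphQL query are placeholders, not WorkflowGen's own.
const TOKEN_HOST = "https://login.microsoftonline.com";

// Client Credentials request body; resource is the GraphQL API's application ID.
function buildTokenRequest({ tenantId, clientId, clientSecret, resourceAppId }) {
  const body = new URLSearchParams({ grant_type: "client_credentials", client_id: clientId,
    client_secret: clientSecret, resource: resourceAppId });
  return { url: `${TOKEN_HOST}/${encodeURIComponent(tenantId)}/oauth2/token`, method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: body.toString() };
}

// Validate the token response before using it: Client Credentials returns only an access
// token (no id_token, since no user is involved), and error responses must not be ignored.
function parseTokenResponse(payload, now = Date.now()) {
  if (payload.error) throw new Error(`token request failed: ${payload.error}: ${payload.error_description || ""}`);
  if (payload.token_type !== "Bearer" || typeof payload.access_token !== "string" || !payload.access_token) {
    throw new Error("token response lacks a Bearer access_token");
  }
  // Renew 60 s before expiry so a long-running script never sends a stale token.
  return { accessToken: payload.access_token, expiresAt: now + (Number(payload.expires_in) - 60) * 1000 };
}

// GraphQL request with the access token in the Authorization header as a Bearer token.
function buildGraphqlRequest(endpoint, accessToken, query, variables = {}) {
  return { url: endpoint, method: "POST", body: JSON.stringify({ query, variables }),
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${accessToken}` } };
}

async function send(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return res.json();
}

// Entry point; credentials come from the environment rather than being hard-coded.
async function main(env = process.env) {
  const token = parseTokenResponse(await send(buildTokenRequest({ tenantId: env.AZURE_TENANT_ID,
    clientId: env.WFG_CLIENT_ID, clientSecret: env.WFG_CLIENT_SECRET, resourceAppId: env.WFG_GRAPHQL_APP_ID })));
  // "__typename" is valid against any GraphQL schema; replace it with a real query.
  const result = await send(buildGraphqlRequest(env.WFG_GRAPHQL_URL, token.accessToken, "query { __typename }"));
  console.log(JSON.stringify(result));
}
if (process.env.WFG_GRAPHQL_URL) main().catch((e) => { console.error(e.message); process.exit(1); });
```

Set `AZURE_TENANT_ID`, `WFG_CLIENT_ID`, `WFG_CLIENT_SECRET`, `WFG_GRAPHQL_APP_ID` and `WFG_GRAPHQL_URL` in the environment before running it; the returned `expiresAt` lets a long-running script reuse the token until it is about to expire.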
