Identity Configuration & Setup Guide
A practical, implementation-ready guide for configuring Datamine's MineTrust Platform with Microsoft Entra ID (formerly Azure AD), Microsoft Entra External ID (Azure AD B2C), or Active Directory Federation Services (ADFS) in a customer-owned tenant.
Who this is for: Customer administrators setting up MineTrust in their own Microsoft Entra ID / B2C tenant or ADFS environment, following deployment of the MineTrust Platform via the on-premise installer.
Overview & Topology
Supported Modes
- Mode A – Entra ID (formerly Azure AD): Standard enterprise OpenID Connect (authorization code + PKCE) for workforce identities.
- Mode B – Entra External ID for Customers (formerly Azure AD B2C): User flows/custom policies for customer identities.
- Mode C – ADFS / IdentityServer: JwtBearer authentication for environments using Active Directory Federation Services or compatible IdentityServer implementations.
Note: "Microsoft Entra ID" is simply the new name for Azure Active Directory (Azure AD). All configuration references to AzureAd correspond to Entra ID. Likewise, Microsoft Entra External ID (B2C) was formerly known as Azure AD B2C.
Note: ADFS integration (Mode C) is currently documented for MineTrust Server and MineTrust Online only. Other components may also support ADFS but are not covered in this guide.
MineTrust Logical Apps (Typical)
- MineTrust Server API: protected REST API that all clients communicate with.
- MineTrust Online: interactive web front-end (Blazor web frontend).
- MineTrust Provisioner: non-interactive daemon/service that automates provisioning tasks.
- MineTrust Connector: native desktop client used for local file ingestion and synchronisation.
See MineTrust Server, MineTrust Provisioner, and MineTrust Online for component-specific documentation.
Your exact app list may differ. The sample below represents a Datamine baseline configuration.
Tenant Prerequisites
Entra ID / External ID (B2C)
- Tenant type: Entra ID or External ID (B2C)
- Primary domain & verified custom domains
- Global Administrator access for initial setup
- Conditional Access: identify policies that may affect sign-in/token acquisition
ADFS
- Windows Server with the Active Directory Federation Services role installed and configured
- ADFS service account and administrative access to the ADFS Management console
- A valid SSL/TLS certificate for the ADFS service endpoint
- DNS resolution for the ADFS hostname (e.g. adfs.yourdomain.local)
- Network connectivity between MineTrust components and the ADFS endpoint
Identity Model
Entra ID (Mode A)
- Grant type: Authorization Code + PKCE
- Audience: api://<minetrust-server-application-id> (or custom App ID URI)
- Token lifetimes: Default unless overridden
- Group claims: Optional (via Graph lookup or group claims)
External ID B2C (Mode B)
- User flow(s): e.g. B2C_1_signin_signup
- Authority format: https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/v2.0
- Scopes: https://<tenant>.onmicrosoft.com/<mine-trust-api>/<scope> (the prefix must equal the App ID URI set on MineTrust Server)
ADFS / IdentityServer (Mode C)
- Grant type: Authorization Code (confidential client)
- Authority: https://<adfs-hostname>/adfs
- Audience: https://minetrust/api (the identifier registered in the ADFS Web API)
- Token lifetimes: Governed by ADFS Relying Party Trust and issuance policies
- Claims: Configurable via ADFS Issuance Transform Rules (e.g. Primary SID pass-through)
Application Registrations
Inventory Table
| App | Type | Audience |
|---|---|---|
| MineTrust-Server | Protected API / Web API | Entra ID / B2C / ADFS |
| MineTrust-Online | Web (confidential) | Entra ID / B2C / ADFS |
| MineTrust-Provisioner | Daemon / Confidential client | Entra ID / B2C |
| MineTrust-Connector | Native / Public client | Entra ID / B2C |
Note: For ADFS deployments, MineTrust-Server and MineTrust-Online are registered within a single Application Group in the ADFS Management console. The Provisioner and Connector are not covered for ADFS in this guide.
Registration Details – Entra ID / External ID (per app)
MineTrust Server (Protected API)
- Identifier URI (App ID URI): api://<minetrust-server-application-id> (Entra ID) or https://<your-domain>/minetrust-api (External ID/B2C)
- Exposed API:
  - Scopes: mine_trust_access
  - App roles: provisioner_access (Application role)
- Required resource access: Microsoft Graph basic scopes
MineTrust Online (Web)
- Redirect URIs: must include the public-facing hostname of the MineTrust Online web application. Example:
  - https://<public-facing-hostname>/signin-oidc and https://<public-facing-hostname>/signout
  - https://localhost/signin-oidc and https://localhost/signout (optional, local development only)
- Secrets: one confidential client secret. The portal caps secret lifetime at 24 months; record the expiry and rotate the secret before it lapses.
- Required resource access:
  - MineTrust Server API: scope mine_trust_access
  - Microsoft Graph: offline_access, openid, User.Read
MineTrust Provisioner (Daemon)
- Redirect URIs: none (non-interactive)
- Secrets: one confidential client secret for service authentication.
- Required resource access:
  - MineTrust Server API: application role provisioner_access
  - Microsoft Graph: basic directory roles if required
MineTrust Connector (Native / Public)
- Redirect URIs: http://localhost:8989/
- Required resource access:
  - MineTrust Server API: scope mine_trust_access
  - Microsoft Graph: offline_access, openid, User.Read
Registration Details – ADFS
In ADFS, MineTrust components are registered within a single Application Group rather than as individual app registrations.
Application Group
- Name: e.g. MineTrust (or a name reflecting your environment, such as MineTrust Dev or MineTrust Prod)
MineTrust Online (Server Application)
- Type: Server Application
- Name: MineTrust Online
- Redirect URI: https://<public-facing-hostname>/signin-oidc
- Credentials:
  - Register a key used to sign JSON Web Tokens (optional; add the ADFS signing certificate)
  - Generate a client secret – copy and store this securely
MineTrust Server API (Web API)
- Type: Web API
- Name: MineTrust Server API
- Identifier (Relying Party): https://minetrust/api
- Client Permissions: Grant MineTrust Online the following scopes:
  - mine_trust_access (create this scope if it does not already exist)
  - allatclaims
  - profile
  - offline_access
  - openid
  - email
- Issuance Transform Rules:
- Pass through incoming claim – Rule name: Passthrough Primary SID, incoming claim type: Primary SID
Redirect URI Matrix (by environment)
The following is a typical example of the Redirect URIs across a multi-environment deployment of MineTrust:
| Environment | MineTrust Online | MineTrust Provisioner | MineTrust Connector |
|---|---|---|---|
| Local Dev | https://localhost/signin-oidc and https://localhost/signout | — | http://localhost:8989/ |
| Test | https://<test-hostname>/signin-oidc and https://<test-hostname>/signout | — | — |
| Prod | https://<public-facing-hostname>/signin-oidc and https://<public-facing-hostname>/signout | — | — |
Each customer deployment of MineTrust Online uses its own hostname, which must be registered here. Entra ID matches redirect URIs exactly (scheme, host, port and path), so register each URI precisely as MineTrust Online sends it. Remove any unused or internal redirect URIs.
For ADFS deployments, the redirect URI for MineTrust Online is configured on the Server Application within the Application Group (see Registration Details – ADFS). A typical configuration is:
| Environment | MineTrust Online |
|---|---|
| Test | https://<test-hostname>/signin-oidc |
| Prod | https://<public-facing-hostname>/signin-oidc |
Step-by-Step Setup Instructions
Entra ID / External ID (B2C)
MineTrust Server (Protected API)
- In Azure Portal → App registrations, select New registration.
- Enter name MineTrust-Server.
- Supported account type: Accounts in this organizational directory only.
- Leave Redirect URI empty.
- After creation, go to Expose an API → Set Application ID URI and set the value: api://<minetrust-server-application-id> (Entra ID) or https://<your-domain>/minetrust-api (External ID/B2C).
- Add a new scope named mine_trust_access with Who can consent set to Admins only, and set the admin consent display name and description to Access MineTrust API.
- Under App roles, add a new role Provisioner Access with value provisioner_access (allowed member type: Applications).
- Save changes.
MineTrust Online (Web)
- Create new app registration named MineTrust-Online.
- Supported account type: Accounts in this organizational directory only.
- Add redirect URIs for your environment:
  - https://<public-facing-hostname>/signin-oidc and https://<public-facing-hostname>/signout (required)
  - https://localhost/signin-oidc and https://localhost/signout (optional, local testing only)
- Under Certificates & secrets, generate a client secret.
- Under API permissions, add → MineTrust Server API → mine_trust_access (delegated permissions).
- Add Microsoft Graph permissions → offline_access and openid (delegated permissions).
- Save and grant admin consent.
MineTrust Provisioner (Daemon)
- Create new app registration named MineTrust-Provisioner.
- Supported account type: Accounts in this organizational directory only.
- No redirect URIs required.
- Under Certificates & secrets, create a client secret.
- Under API permissions, add → MineTrust Server API → provisioner_access (application permissions).
- Add Microsoft Graph permissions → User.Read.All and User.ReadWrite.All (application permissions), if the Provisioner needs to read or write directory users.
- Add Microsoft Graph permissions → offline_access and openid (delegated permissions). Note that the Provisioner authenticates with client credentials, and that flow honours application permissions only; delegated permissions take effect only if the Provisioner ever performs an interactive sign-in.
- Save and grant admin consent.
MineTrust Connector (Native / Public)
- Create new app registration named MineTrust-Connector.
- Supported account type: Accounts in this organizational directory only.
- Redirect URI: http://localhost:8989/ (Public client/native app).
- No secret required.
- Under API permissions, add → MineTrust Server API → mine_trust_access (delegated permissions).
- Add Microsoft Graph permissions → offline_access, openid and User.Read (delegated permissions).
- Save and grant admin consent.
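The four registrations above can be expressed as Microsoft Graph `application` manifests and checked for consistency before anything is created in the tenant. The Python below is an added example, not Datamine's code or the portal's output, and covers the Entra ID variant only. Its assumptions: the MineTrust scope and app-role GUIDs are minted at run time; the application (client) ID of MineTrust-Server is passed in, because the other three manifests reference it as `resourceAppId`; the Microsoft Graph permission IDs are the public well-known values and should be confirmed against the Graph service principal in your tenant; the hostname minetrust.example.com and the application ID in the usage are placeholders. It shows the shape the portal builds (a scope of type Admin, an app role with allowedMemberTypes Application, the Provisioner referencing the role with type Role while Online and Connector reference the scope with type Scope) and a lint that rejects non-TLS redirect URIs on anything but loopback, web redirect URIs on a public client, dangling scope or role references, and a non-interactive client that requests a delegated scope.

```python
"""Build and lint MineTrust app-registration manifests (Microsoft Graph
`application` resource shape). Added example, not Datamine code. Assumptions:
scope/app-role GUIDs are minted here; Graph permission IDs are the public
well-known values (verify against your tenant's Graph service principal)."""
import uuid
from urllib.parse import urlparse

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Well-known Microsoft Graph permission IDs; "(app)" marks application permissions.
GRAPH_PERMS = {
    "openid": "37f7f235-527c-4136-accd-4a02d197296e",
    "offline_access": "7427e0e9-2fba-42f2-b2ad-a94e7c2c2ac8",
    "User.Read": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
    "User.Read.All(app)": "df021288-bdef-4463-88db-98f22de89214",
    "User.ReadWrite.All(app)": "741f803b-c850-494e-b5df-cde7c675a1ca",
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _graph_access(*names):
    """requiredResourceAccess entry for Microsoft Graph; Role for app permissions."""
    return {"resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": GRAPH_PERMS[n],
                                "type": "Role" if n.endswith("(app)") else "Scope"}
                               for n in names]}


def build_registrations(server_app_id, public_host):
    """Return the four manifests keyed by display name (Entra ID variant)."""
    scope_id, role_id = str(uuid.uuid4()), str(uuid.uuid4())
    server = {
        "displayName": "MineTrust-Server", "signInAudience": "AzureADMyOrg",
        "identifierUris": [f"api://{server_app_id}"],
        "api": {"oauth2PermissionScopes": [{
            "id": scope_id, "value": "mine_trust_access", "type": "Admin",  # admins only
            "adminConsentDisplayName": "Access MineTrust API",
            "adminConsentDescription": "Access MineTrust API", "isEnabled": True}]},
        "appRoles": [{"id": role_id, "value": "provisioner_access",
                      "displayName": "Provisioner Access", "description": "Provisioner Access",
                      "allowedMemberTypes": ["Application"], "isEnabled": True}],
    }
    mt_scope = {"resourceAppId": server_app_id, "resourceAccess": [{"id": scope_id, "type": "Scope"}]}
    mt_role = {"resourceAppId": server_app_id, "resourceAccess": [{"id": role_id, "type": "Role"}]}
    online = {"displayName": "MineTrust-Online", "signInAudience": "AzureADMyOrg",
              "web": {"redirectUris": [f"https://{public_host}/signin-oidc",
                                       f"https://{public_host}/signout"]},
              "requiredResourceAccess": [mt_scope, _graph_access("openid", "offline_access", "User.Read")]}
    # Daemon: the client-credentials flow honours application permissions only, so the
    # delegated openid/offline_access entries from the portal steps are omitted here.
    provisioner = {"displayName": "MineTrust-Provisioner", "signInAudience": "AzureADMyOrg",
                   "requiredResourceAccess": [mt_role, _graph_access("User.Read.All(app)",
                                                                      "User.ReadWrite.All(app)")]}
    connector = {"displayName": "MineTrust-Connector", "signInAudience": "AzureADMyOrg",
                 "publicClient": {"redirectUris": ["http://localhost:8989/"]},
                 "isFallbackPublicClient": True,
                 "requiredResourceAccess": [mt_scope, _graph_access("openid", "offline_access", "User.Read")]}
    return {"MineTrust-Server": server, "MineTrust-Online": online,
            "MineTrust-Provisioner": provisioner, "MineTrust-Connector": connector}


def lint(regs):
    """Return a list of findings; an empty list means the set is consistent."""
    findings = []
    server = regs["MineTrust-Server"]
    server_app_id = server["identifierUris"][0].removeprefix("api://")
    scope_ids = {s["id"] for s in server["api"]["oauth2PermissionScopes"]}
    role_ids = {r["id"] for r in server["appRoles"]}
    for name, app in regs.items():
        web_uris = app.get("web", {}).get("redirectUris", [])
        pub_uris = app.get("publicClient", {}).get("redirectUris", [])
        for uri in web_uris + pub_uris:
            p = urlparse(uri)
            if p.scheme != "https" and p.hostname not in LOOPBACK:
                findings.append(f"{name}: redirect URI {uri} must use https (only loopback may use http)")
        if "publicClient" in app and web_uris:
            findings.append(f"{name}: public client should not register web redirect URIs")
        interactive = "web" in app or "publicClient" in app
        for rra in app.get("requiredResourceAccess", []):
            if rra["resourceAppId"] != server_app_id:
                continue  # Graph references are not linted here
            for acc in rra["resourceAccess"]:
                known = scope_ids if acc["type"] == "Scope" else role_ids
                if acc["id"] not in known:
                    findings.append(f"{name}: references unknown MineTrust-Server {acc['type']} {acc['id']}")
                if not interactive and acc["type"] == "Scope":
                    findings.append(f"{name}: non-interactive client must request an app role (type Role), not a delegated scope")
    return findings


if __name__ == "__main__":
    regs = build_registrations("11111111-2222-3333-4444-555555555555", "minetrust.example.com")
    print(lint(regs) or "registrations consistent")
```

To apply the manifests, POST each one to https://graph.microsoft.com/v1.0/applications in dependency order (MineTrust-Server first, since the others reference its scope and role IDs), then grant admin consent as in the portal steps.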
ADFS
The following instructions describe how to configure an ADFS Application Group for MineTrust. These steps are performed in the ADFS Management console on your AD FS server.
Create the Application Group
- Open ADFS Management → Application Groups.
- Select Add Application Group…
- Enter a name for the group (e.g. MineTrust Dev or MineTrust Prod).
- Select the Server application accessing a web API template and click Next.
Configure MineTrust Online (Server Application)
- Within the Application Group wizard, a Server application is created automatically.
- Set the Name to MineTrust Online.
- Note the Client Identifier – this value is required later as the ClientId in the MineTrust Online configuration.
- Add the Redirect URI https://<public-facing-hostname>/signin-oidc and click Add.
- Click Next to proceed to the Configure Application Credentials step.
- Select Generate a shared secret and copy the generated secret securely. This value is required as the ClientSecret in the MineTrust Online configuration.
- Optionally, under the JWT signing section, add the ADFS token-signing certificate.
- Click Next.
Configure MineTrust Server API (Web API)
- In the same wizard, you are prompted to configure the Web API.
- Set the Name to MineTrust Server API.
- Under Identifier, add https://minetrust/api (or a custom identifier matching your environment) and click Add. This value is used as the Audience in the MineTrust Server configuration.
- Click Next to proceed to Choose Access Control Policy. Select the policy appropriate for your environment (e.g. Permit everyone) and click Next. Permit everyone allows any authenticated directory user to obtain a token for the API; if MineTrust access should be limited, choose a policy scoped to a specific group.
- On the Configure Application Permissions step, ensure MineTrust Online is listed as a permitted client application. Add the following scopes (create any that do not already exist):
  - mine_trust_access
  - allatclaims
  - profile
  - offline_access
  - openid
  - email
- Click Next, review the summary, and click Close to finish creating the Application Group.
Configure Issuance Transform Rules
- Open the newly created Application Group and double-click the MineTrust Server API (Web API) entry.
- Navigate to the Issuance Transform Rules tab.
- Click Add Rule… and select the Pass Through or Filter an Incoming Claim template.
- Configure the rule as follows:
- Claim rule name: Passthrough Primary SID
- Incoming claim type: Primary SID
- Pass through all claim values: selected
- Click Finish and then OK to save.
Verify the ADFS Configuration
- Confirm that the ADFS discovery document is accessible at https://<adfs-hostname>/adfs/.well-known/openid-configuration.
- Verify that its issuer value (https://<adfs-hostname>/adfs) and access_token_issuer value (http://<adfs-hostname>/adfs/services/trust) are the values you will configure on MineTrust Server. The audience (https://minetrust/api) is not listed in the discovery document; confirm it by acquiring a token and inspecting the aud claim.
- Test token acquisition using a tool such as Postman or curl against the ADFS token endpoint, providing the client ID and secret from the Configure MineTrust Online step.
Token Configuration
Entra ID / External ID (B2C)
- Optional claims: email, family_name, given_name, groups
- Group claims: None / Security groups / Directory roles
ADFS
- Issuance Transform Rules: Configure claim pass-through rules on the Web API within the Application Group (see Configure Issuance Transform Rules)
- Recommended claims: Primary SID (pass-through)
- Token lifetime: Governed by the ADFS Relying Party Trust properties; adjust as required for your environment
MineTrust Application Bindings
Entra ID / External ID (B2C) Bindings
MineTrust Server API
- Audience / App ID URI: api://<minetrust-server-application-id> (Entra ID) or https://<your-domain>/minetrust-api (External ID/B2C)
- Scopes: mine_trust_access
- App roles: provisioner_access
MineTrust Online (Blazor/Web frontend)
- Authority (B2C): https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/v2.0
- Requested scopes: api://<minetrust-server-application-id>/mine_trust_access (Entra ID) or https://<tenant>.onmicrosoft.com/minetrust-api/mine_trust_access (External ID/B2C)
MineTrust Provisioner (daemon)
- Permission: Application role assignment to provisioner_access
- Auth: client credentials (secret/cert)
MineTrust Connector (native)
- Redirect URI: http://localhost:8989/
- Scopes: api://<minetrust-server-application-id>/mine_trust_access (Entra ID) or https://<tenant>.onmicrosoft.com/minetrust-api/mine_trust_access (External ID/B2C)
ADFS Bindings
MineTrust Server API
- Mode: JwtBearer
- Authority: https://<adfs-hostname>/adfs
- Audience: https://minetrust/api (must match the identifier registered on the Web API in ADFS)
- Issuer: http://<adfs-hostname>/adfs/services/trust (the access_token_issuer value reported in the ADFS discovery document; this differs from the https issuer value that ADFS uses for ID tokens, so it must be set explicitly or access tokens fail issuer validation)
MineTrust Online (Blazor/Web frontend)
- Mode: JwtBearer
- Authority: https://<adfs-hostname>/adfs
- Client ID: The Client Identifier generated during Server Application registration (see Configure MineTrust Online)
- Client Secret: The shared secret generated during Server Application registration
- Callback Path: /signin-oidc
- Resource: https://minetrust/api
Example Local Configuration Files
Each component below includes a single configuration profile, representing either Entra ID (AzureAd), Entra External ID (AzureAdB2C), or ADFS (ADFS). Only one authentication section should be present per deployment.
The following samples are configuration fragments only, and do not represent the entire configuration tree of any component.
The Mode field in each authentication section determines the underlying authentication handler: MicrosoftIdentity selects the Microsoft Identity Platform integration (for Entra ID and External ID), while JwtBearer selects the generic JWT bearer handler (for ADFS and other IdentityServer implementations).
MineTrust Server (appsettings.json)
Entra ID (AzureAd):
Alternative – Entra External ID (AzureAdB2C) variant:
{
"MTOptions": {
...
"Authentication": "AzureAdB2C",
"ProvisionerId": "<provisioner-application-id>",
...
},
...
"AzureAdB2C": {
"Mode": "MicrosoftIdentity",
"Instance": "https://datamineid.b2clogin.com",
"Domain": "datamineid.onmicrosoft.com",
"ClientId": "<application-id>",
"SignUpSignInPolicyId": "b2c_1_sign_in",
"ApplicationIdUri": "https://datamineid.com/minetrust-api"
},
...
}
Alternative – ADFS variant:
{
"MTOptions": {
...
"Authentication": "ADFS",
"ProvisionerId": "<provisioner-application-id>",
...
},
...
"ADFS": {
"Mode": "JwtBearer",
"Authority": "https://<adfs-hostname>/adfs",
"Audience": "https://minetrust/api",
"RequireHttpsMetadata": false,
"TokenValidationParameters": {
"ValidateIssuer": true,
"ValidIssuer": "http://<adfs-hostname>/adfs/services/trust",
"ValidateAudience": true,
"ValidAudience": "https://minetrust/api",
"ValidateIssuerSigningKey": true,
"ValidateLifetime": true
}
},
...
}
Set RequireHttpsMetadata to true in production. The false value shown above permits the discovery document and signing keys to be fetched over plain http, which would let an on-path attacker substitute signing keys; it does not bypass certificate validation for an https Authority, so it only helps in a lab where ADFS is reachable over http.
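As an added example, not part of MineTrust or of the configuration above, the Python below performs the checks from Verify the ADFS Configuration and the ADFS Bindings section offline: it compares an ADFS section shaped like the fragment above with the ADFS discovery document (Authority against issuer, ValidIssuer against access_token_issuer, ValidAudience against Audience, RequireHttpsMetadata in production) and then applies the configured TokenValidationParameters to the claims of a token. The hostname adfs.example.com, the discovery document and the tokens are constructed to resemble ADFS output; no signature verification is performed here (the JwtBearer handler does that against jwks_uri), and the helper that builds unsigned tokens exists only to exercise the claim checks.

```python
"""Offline consistency check of a MineTrust Server ADFS section against the ADFS
discovery document, plus claim validation per TokenValidationParameters.
Added example (not MineTrust code); host, discovery data and tokens are constructed."""
import base64
import json
import time

# Constructed: the "ADFS" section as it would appear in appsettings.json.
ADFS_SECTION = {
    "Mode": "JwtBearer",
    "Authority": "https://adfs.example.com/adfs",
    "Audience": "https://minetrust/api",
    "RequireHttpsMetadata": False,
    "TokenValidationParameters": {
        "ValidateIssuer": True,
        "ValidIssuer": "http://adfs.example.com/adfs/services/trust",
        "ValidateAudience": True,
        "ValidAudience": "https://minetrust/api",
        "ValidateIssuerSigningKey": True,
        "ValidateLifetime": True,
    },
}

# Constructed: the relevant fields of /adfs/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://adfs.example.com/adfs",
    "access_token_issuer": "http://adfs.example.com/adfs/services/trust",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
}


def check_config(section, discovery, production=True):
    """Return findings comparing the appsettings section with the discovery document."""
    tvp = section["TokenValidationParameters"]
    findings = []
    if section["Authority"].rstrip("/") != discovery["issuer"].rstrip("/"):
        findings.append("Authority does not match discovery issuer")
    # ADFS access tokens carry the http://.../adfs/services/trust issuer, not the
    # https value in 'issuer'; the handler's default issuer would reject them.
    if tvp.get("ValidateIssuer") and tvp.get("ValidIssuer") != discovery["access_token_issuer"]:
        findings.append("ValidIssuer must equal access_token_issuer " + discovery["access_token_issuer"])
    if tvp.get("ValidateAudience") and tvp.get("ValidAudience") != section["Audience"]:
        findings.append("ValidAudience differs from Audience")
    if production and not section.get("RequireHttpsMetadata", True):
        findings.append("RequireHttpsMetadata is false; discovery and keys could be fetched over plaintext")
    for flag in ("ValidateIssuerSigningKey", "ValidateLifetime"):
        if not tvp.get(flag):
            findings.append(f"{flag} disabled")
    return findings


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_claims(token, section, now=None):
    """Apply the configured TokenValidationParameters to a token's claims (no signature check)."""
    tvp = section["TokenValidationParameters"]
    header, payload = (json.loads(_b64url_decode(p)) for p in token.split(".")[:2])
    now = time.time() if now is None else now
    errors = []
    if header.get("alg") != "RS256":  # ADFS signs with RS256; reject 'none' and friends
        errors.append(f"unexpected alg {header.get('alg')}")
    if tvp["ValidateIssuer"] and payload.get("iss") != tvp["ValidIssuer"]:
        errors.append(f"issuer {payload.get('iss')!r} rejected")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if tvp["ValidateAudience"] and tvp["ValidAudience"] not in aud:
        errors.append(f"audience {aud} rejected")
    if tvp["ValidateLifetime"]:
        if payload.get("exp", 0) <= now:
            errors.append("token expired")
        if payload.get("nbf", 0) > now + 300:  # 5 min clock skew
            errors.append("token not yet valid")
    return errors


def make_unsigned_token(claims, alg="RS256"):
    """Constructed test token: header.payload with an empty signature segment."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': alg})}.{enc(claims)}."


if __name__ == "__main__":
    print(check_config(ADFS_SECTION, DISCOVERY) or "config consistent")
    access = make_unsigned_token({"iss": DISCOVERY["access_token_issuer"],
                                  "aud": "https://minetrust/api", "exp": int(time.time()) + 3600})
    print(validate_claims(access, ADFS_SECTION) or "access token claims accepted")
```

The second token check in the test (an ID-token-style issuer of https://adfs.example.com/adfs presented as an access token) is the case that produces the issuer-validation 401 when ValidIssuer is left at the handler's default.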
MineTrust Provisioner (appsettings.json)
Entra ID (AzureAd):
{
"MTProvisionerOptions": {
...
"AzureClientProfile": "AzureAd"
},
...
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "<tenant-id>",
"ClientId": "<application-id>",
"ClientCredentials": [
{
"SourceType": "ClientSecret",
"ClientSecret": "<CLIENT_SECRET_HERE>"
}
],
"MTServerAppUriId": "api://<minetrust-server-application-id>"
}
...
}
Alternative – Entra External ID (AzureAdB2C) variant:
{
"MTProvisionerOptions": {
...
"AzureClientProfile": "AzureAdB2C"
},
...
"AzureAdB2C": {
"Instance": "https://datamineid.b2clogin.com/tfp/datamineid.onmicrosoft.com/b2c_1_sign_in",
"TenantId": "datamineid.onmicrosoft.com",
"ClientId": "<application-id>",
"ClientCredentials": [
{
"SourceType": "ClientSecret",
"ClientSecret": "<CLIENT_SECRET_HERE>"
}
],
"MTServerAppUriId": "https://datamineid.com/minetrust-api"
}
...
}
MineTrust Online (appsettings.json)
Entra ID (AzureAd):
{
"MTOnlineOptions": {
...
"Authentication": "AzureAd",
"RequiredScope": "mine_trust_access",
...
},
...
"AzureAd": {
"Mode": "MicrosoftIdentity",
"Instance": "https://login.microsoftonline.com/",
"Domain": "dataminesoftware.com",
"TenantId": "<tenant-id>",
"ClientId": "<application-id>",
"ClientSecret": "<CLIENT_SECRET_HERE>",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath": "/signout-oidc",
"MTServerAppUriId": "api://<minetrust-server-application-id>"
},
...
}
Alternative – Entra External ID (AzureAdB2C) variant:
{
"MTOnlineOptions": {
...
"Authentication": "AzureAdB2C",
"RequiredScope": "mine_trust_access",
...
},
...
"AzureAdB2C": {
"Mode": "MicrosoftIdentity",
"Instance": "https://datamineid.b2clogin.com",
"Domain": "datamineid.onmicrosoft.com",
"ClientId": "<application-id>",
"ClientSecret": "<CLIENT_SECRET_HERE>",
"SignUpSignInPolicyId": "b2c_1_sign_in",
"SignedOutCallbackPath": "/signout/B2C_1_susi_reset_v2",
"MTServerAppUriId": "https://datamineid.com/minetrust-api"
},
...
}
Alternative – ADFS variant:
