Configure Azure Entra ID and AI Red Teaming OAuth 2.0 Integration
Integrate Microsoft Entra ID with AI Red Teaming using OAuth 2.0 client credentials authentication.
Where Can I Use This?
  • Prisma AIRS (AI Red Teaming)
What Do I Need?
  • Prisma AIRS AI Red Teaming License
  • Prisma AIRS AI Red Teaming Deployment Profile
  • An Azure account with an active subscription
  • Admin access to Microsoft Entra ID (to grant application permissions)
Use this workflow to register AI Red Teaming in Microsoft Entra ID and authenticate using OAuth 2.0.
  1. Register an app in Microsoft Entra ID.
    1. Log in to the Microsoft Entra admin center (entra.microsoft.com).
    2. Navigate to Entra ID > App registrations > New registration.
    3. Enter a name (for example, airt-red-teaming).
    4. In the Supported account types, select Accounts in this organizational directory only (single-tenant).
    5. Skip Redirect URI; the client credentials grant never redirects a user, so none is needed.
    6. Select Register.
    7. Record the following from the Overview page:
      • Application (client) ID—for example, 00001111-aaaa-2222-bbbb-3333cccc4444
      • Directory (tenant) ID—for example, aaaabbbb-0000-cccc-1111-dddd2222eeee
  2. Create a client secret.
    1. In your app registration, navigate to Certificates & secrets > Client secrets > New client secret.
    2. Add a description and expiry.
    3. Copy the secret Value immediately.
      The secret value is only shown once.
  3. Add application API permissions.
    Delegated scopes (user.read, email, openid, profile, offline_access) with grant_type=refresh_token will not work with AI Red Teaming, because no user is signed in when the scan runs. You must use Application permissions with grant_type=client_credentials and scope=<api>/.default.
    1. Go to API permissions > Add a permission.
    2. Select the API your target uses (for example, Microsoft Graph or your own custom API).
    3. Select Application permissions (not Delegated permissions).
    4. Select the required permissions.
    5. Select Grant admin consent for <tenant>.
      This requires an administrator role.
  4. Verify the configuration with cURL.
    curl -X POST \
      'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -d 'grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&scope=<SCOPE>'
    Replace the following values:
    • <TENANT_ID>: Directory (tenant) ID from Step 1.
    • <CLIENT_ID>: Application (client) ID from Step 1.
    • <CLIENT_SECRET>: Client secret value from Step 2. If the value contains characters that are not URL-safe, pass each field with curl's --data-urlencode option instead of a single -d string.
    • <SCOPE>: API resource URI with the /.default suffix. The format depends on which API protects your target (for example, api://<CLIENT_ID>/.default for your own API or https://graph.microsoft.com/.default for Microsoft Graph). For a custom API, check the Expose an API blade of the API's Entra ID app registration for the correct Application ID URI.
    Expected response (expires_in is the token lifetime in seconds):
    {
      "token_type": "Bearer",
      "expires_in": 3599,
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..."
    }
    If the request returns an error instead, the most common causes are a secret that was copied incorrectly or has expired (Step 2), or a scope whose resource is not the API you granted permissions for (Step 3).
  5. Configure authentication in AI Red Teaming.
    Set the following on your target, replacing the placeholder values with the tenant ID, client ID, client secret, and scope you verified in Step 4:
    auth_type: OAUTH2
    auth_config: {
      "oauth2_token_url": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token",
      "oauth2_expiry_minutes": 60,
      "oauth2_headers": { "Content-Type": "application/x-www-form-urlencoded" },
      "oauth2_body_params": {
        "grant_type": "client_credentials",
        "client_id": "<CLIENT_ID>",
        "client_secret": "<CLIENT_SECRET>",
        "scope": "<SCOPE>"
      },
      "oauth2_token_response_key": "access_token",
      "oauth2_inject_header": { "Authorization": "Bearer {TOKEN}" }
    }
    The body parameters are the same fields the cURL command in Step 4 sends, and oauth2_token_response_key names the field of the token response whose value replaces {TOKEN} in the injected header. Entra ID tokens expire after expires_in seconds (3599 in the response above, just under 60 minutes), so if scans begin failing with 401 responses around the hour mark, lower oauth2_expiry_minutes so the token is refreshed before it lapses. The client secret is stored in this configuration in clear text; restrict access to the target configuration accordingly and plan to rotate the secret before the expiry you chose in Step 2.
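The following is an added example, not Prisma AIRS or Microsoft code, that ties Steps 3 to 5 together: it builds the same client_credentials request body that the cURL command and oauth2_body_params carry, decodes the returned access token without verifying it, and checks the claims a practitioner looks at before trusting the configuration. The claim rule it relies on is the standard Entra ID token format: application permissions granted in Step 3 appear in the roles claim, while delegated permissions appear in scp. The two sample tokens are constructed and unsigned so the script runs offline; the app role name Redteam.Run, the safety margin in suggested_expiry_minutes, and the hypothetical secret are assumptions for illustration only.

```python
"""Added example (not Prisma AIRS or Microsoft code): build the client_credentials
request and sanity-check the token Entra ID returns before copying the same
parameters into the AI Red Teaming auth_config.

Assumptions: tokens are only inspected (signature NOT verified); the sample
tokens are constructed and unsigned; 'roles' vs 'scp' follows the standard
Entra ID token format for application vs delegated permissions."""
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, form body) for the client_credentials grant. The body is what
    curl -d sends in Step 4 and what oauth2_body_params holds in Step 5;
    urlencode() takes care of any non-URL-safe characters in the secret."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode a compact JWT's payload WITHOUT verifying its signature.
    Enough to see what Entra ID issued; never use this to authorize anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(claims, scope, now=None, extra_aud=()):
    """Return a list of problems (empty list = token fits a client_credentials target).

    scope is the '<resource>/.default' value sent in the request. Application
    permissions appear in 'roles'; delegated permissions appear in 'scp'. Some
    first-party APIs put the resource's application ID GUID in 'aud' instead of
    the URI; callers can allow those values through extra_aud."""
    now = time.time() if now is None else now
    resource = scope[:-len("/.default")] if scope.endswith("/.default") else scope
    accepted_aud = {resource, *extra_aud}
    problems = []
    if "scp" in claims:
        problems.append("token carries delegated scopes ('scp'): the app registration "
                        "has delegated permissions, not application permissions")
    if not claims.get("roles"):
        problems.append("no 'roles' claim: no application permissions were granted "
                        "or admin consent is missing")
    if claims.get("aud") not in accepted_aud:
        problems.append(f"aud {claims.get('aud')!r} is not the scope resource {resource!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is already expired")
    return problems


def suggested_expiry_minutes(expires_in, safety_seconds=300):
    """A value for oauth2_expiry_minutes that refreshes before the token lapses.
    Entra returns expires_in=3599, so 60 minutes can reuse a token that is already
    invalid. The 5-minute margin is the editor's assumption, not a documented
    Prisma AIRS requirement."""
    return max(1, (int(expires_in) - safety_seconds) // 60)


def make_unsigned_jwt(claims):
    """Constructed sample token (alg 'none', empty signature) for offline testing."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


APP_ID = "00001111-aaaa-2222-bbbb-3333cccc4444"  # Application (client) ID example from Step 1
SCOPE = f"api://{APP_ID}/.default"
# Constructed: what an application-permission token looks like ('roles', hypothetical app role).
SAMPLE_APP_TOKEN = make_unsigned_jwt(
    {"aud": f"api://{APP_ID}", "roles": ["Redteam.Run"], "exp": 4_000_000_000})
# Constructed: a token from a delegated flow ('scp' instead of 'roles'), which Step 3 warns against.
SAMPLE_DELEGATED_TOKEN = make_unsigned_jwt(
    {"aud": f"api://{APP_ID}", "scp": "user.read openid", "exp": 4_000_000_000})

if __name__ == "__main__":
    url, body = build_token_request("<TENANT_ID>", APP_ID, "<CLIENT_SECRET>", SCOPE)
    print(url, body, sep="\n")
    for name, tok in (("application token", SAMPLE_APP_TOKEN),
                      ("delegated token", SAMPLE_DELEGATED_TOKEN)):
        print(name, check_app_token(decode_jwt_claims(tok), SCOPE) or "OK")
    print("suggested oauth2_expiry_minutes:", suggested_expiry_minutes(3599))
```

To use it against a real tenant, send the url and body returned by build_token_request with curl or any HTTP client, then pass the access_token value from the JSON response to decode_jwt_claims and check_app_token with the same scope you configured. An empty problem list means the token carries application permissions for the right resource and the same four body parameters can go into oauth2_body_params unchanged.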