Overview
Multi-factor authentication (MFA) is required for Government-connected software. It enhances security by requiring a second form of verification alongside your password.
If you have Microsoft accounts already secured with MFA, your organisation can opt for single sign-on (SSO) via Microsoft Azure AD B2C instead of Authenticator App logins.
Once SSO is set up, TaxLab support will provide your organisation with a unique login URL. This link allows your team to set up their accounts and securely access TaxLab using their Microsoft credentials.
Step 1: Register an Application
- Open Microsoft Azure AD B2C.
- In the left-hand panel > Under Manage > Select App registrations.
- Select New registration.
- In Register an application:
  - Enter a Name for the application.
  - Choose the supported account types (Recommended: Accounts in this organizational directory only).
  - Enter the following Redirect URI:
    - Select Web from the drop-down menu.
    - Enter https://taxlabauth.b2clogin.com/taxlabauth.onmicrosoft.com/oauth2/authresp
- Select Register.
Step 2: Configure authentication settings
- In the left-hand panel > Under Manage > select Authentication.
- Under Front-channel logout URL > enter the following logout URL:
- Under Implicit and hybrid flows > Select the check boxes for:
  - Access tokens (used for implicit flows)
  - ID tokens (used for implicit and hybrid flows)
- Select Save.
Step 3: Expose an API - Add a scope
In the Microsoft identity platform, a scope represents a delegated permission for a specific resource, defining what an application (e.g., TaxLab) can access on behalf of the authenticated user (e.g., email, family_name, given_name).
Configuring the scope enables the application (e.g. TaxLab) to request and retrieve the necessary user claims during the authentication process to facilitate secure login.
- Under Manage > select Expose an API.
- Select Add a scope.
- In Add a Scope > Select Save and Continue to confirm the Application ID URI. (This will automatically populate with the Client ID).
- To create the scope, fill in the following information:
  - Scope name. (The name is up to you - please see an example below).
  - Who can consent? (Recommended: Admins and users).
  - Admin consent display name & description.
  - User consent display name & description.
  - State should be enabled.
- Select Add scope.
Example:
- Scope name: user_impersonation.
- Admin consent display name: Access TaxLab application.
- Admin consent description: Allow the application to access TaxLab on behalf of the signed in user.
- User consent display name: Access TaxLab application.
- User consent description: Allow the application to access TaxLab on your behalf.
Step 4: Token configuration - Add optional claims
- Under Manage > Select Token configuration.
- Select Add optional claim.
- In the Add optional claim panel > Select ID as the Token type.
- Select the check boxes for:
  - family_name
  - given_name
- Select Add.
- Review and select the check box for Turn on the Microsoft Graph email, profile permission.
- Select Add.
Step 5: Send required information to TaxLab Support
Once the App registration and settings have been configured, TaxLab requires the following information to complete the setup:
- OpenID Connect metadata document:
  - Located in Overview > Select Endpoints > the OpenID Connect metadata document will end in /.well-known/openid-configuration.
- Client ID:
  - Located in Overview > Under Essentials > Copy Application (client) ID.
Please contact support to discuss options to securely provide these details.
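Before sending the two values from Step 5, they can be sanity-checked locally. The following is an added example, not TaxLab's or Microsoft's own code: the function name preflight, the host login.example.com, and the tenant and client IDs are constructed placeholders, and the rule that endpoints share the metadata document's host is an assumption.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
SUFFIX = "/.well-known/openid-configuration"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample values: placeholder host, tenant ID and client ID.
_BASE = "https://login.example.com/00000000-0000-0000-0000-000000000000"
SAMPLE_URL = _BASE + "/v2.0" + SUFFIX
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA = {
    "issuer": _BASE + "/v2.0",
    "authorization_endpoint": _BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": _BASE + "/oauth2/v2.0/token",
    "jwks_uri": _BASE + "/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

def preflight(metadata_url, client_id, metadata):
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    url = urlparse(metadata_url)
    if url.scheme != "https":
        problems.append("metadata URL is not https")
    if not url.path.endswith(SUFFIX):
        problems.append("metadata URL does not end in " + SUFFIX)
    if not GUID.fullmatch(client_id):
        problems.append("client ID is not a GUID")
    issuer = urlparse(metadata.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.hostname:
        problems.append("issuer missing or not https")
    for key in ENDPOINT_KEYS:
        endpoint = urlparse(metadata.get(key, ""))
        if endpoint.scheme != "https":
            problems.append(key + " missing or not https")
        elif endpoint.hostname != url.hostname:
            # Assumption: endpoints share the metadata document's host.
            problems.append(key + " is on a different host than the metadata URL")
    # Entries can be combined ("code id_token"), so split them into single types.
    advertised = " ".join(metadata.get("response_types_supported", [])).split()
    if "id_token" not in advertised:
        problems.append("ID tokens are not advertised in response_types_supported")
    return problems

if __name__ == "__main__":
    found = preflight(SAMPLE_URL, SAMPLE_CLIENT_ID, SAMPLE_METADATA)
    print("\n".join(found) if found else "no problems found")
```

To check real values, pass the metadata URL and Application (client) ID copied from the Overview page, plus the JSON document downloaded from that URL and parsed with json.load.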