Follow the steps outlined below to integrate Self Service PIM (SSPIM) with your Entra ID tenant.
You can download the detailed install guide here.

Step 1: create the app registration

Create the App Registration in the Entra ID tenant that will authenticate Self Service PIM users.


  1. Browse to the Entra ID portal. Log on with a Global Admin account.

  2. Navigate to Entra ID - App Registrations - New Registration

  3. Give the application a name and select "Accounts in this organizational directory only"

  4. Fill in the URL (Redirect URI) of your Self Service PIM Instance (example: https://xyz.selfservicepim.com). This information is sent to you by mail.

  5. Register the application.

Step 2: provide tenant and application information

Use the input boxes below to provide necessary information. This information can be found on and copied from the dashboard of the app registration.


Application (Client) ID:
Tenant ID:
Tenant Name:

Step 3: grant necessary API permissions

Self Service PIM needs specific API permissions to perform lookups on your Entra ID tenant.


  1. Navigate to your newly created App Registration and select "API Permissions"

  2. Add a delegated permission "User.Read" for Microsoft Graph

  3. Add an application permission "User.Read.All" for Microsoft Graph

  4. Add an application permission "Group.Read.All" for Microsoft Graph

  5. Grant admin consent for the tenant

Step 4: generate a secret

Self Service PIM needs a client secret to authenticate as the app registration and use the API permissions granted in the previous step.


  1. Navigate to your newly created App Registration, Entra ID - App registrations - All applications, and select "Certificates & secrets"

  2. Select "New client secret". Provide a sensible description and make sure to select an expiration of 2 years (custom)

  3. Supply the secret value:

Step 5: create application roles

These roles determine what kind of access a user will have within Self Service PIM.


  1. Navigate to your newly created App Registration, Entra ID - App registrations - All applications, select your application and select "App roles"

  2. Create an app role "Admin" (Display Name and Value), allow Users/Groups as members. Give a sensible description

  3. Create an app role "User" (Display Name and Value), allow Users/Groups as members. Give a sensible description

  4. Navigate to Entra ID - Enterprise Applications - Users and groups, and select the newly created application

  5. Add your user as an "Admin" to the application. You can optionally already supply other users as "Admin" as well

  6. On the Properties page of your Enterprise Application, make sure to toggle "User assignment required?" to yes

Step 6: issue ID tokens

Self Service PIM uses OpenID Connect ID tokens for authorization.


  1. Navigate to your newly created App Registration, Entra ID - App registrations - All applications, select your application and select "Authentication"

  2. Under the section "Implicit grant and hybrid flows", make sure the checkbox "ID tokens (used for implicit and hybrid flows)" is checked. If this section is missing, you will need to modify the manifest file. Please refer to the install guide linked in the header of this page.

  3. Save the configuration
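
Because a wrong setting locks you out, it helps to verify the registration before completing setup. The script below is an added example, not part of Self Service PIM or its install guide: it checks an exported application object and service principal object (Microsoft Graph field names) against Steps 1 to 6. The function name, the sample objects and the choice to accept the redirect URI under either the web or SPA platform are assumptions.

```python
# Added example (not SSPIM code): offline check of an exported app registration.
# Field names follow the Microsoft Graph `application` and `servicePrincipal` resources.
GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app ID
REQUIRED = {  # Graph permission ID -> (name, type); Scope = delegated, Role = application
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": ("User.Read", "Scope"),
    "df021288-bdef-4463-88db-98f22de89214": ("User.Read.All", "Role"),
    "5b567255-7703-4780-807c-7be8301ae99b": ("Group.Read.All", "Role"),
}

def check_registration(app, sp, redirect_uri):
    """Return a list of findings; an empty list means Steps 1-6 look complete."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("Step 1: not limited to this organizational directory")
    uris = app.get("web", {}).get("redirectUris", []) + app.get("spa", {}).get("redirectUris", [])
    if redirect_uri not in uris:
        findings.append("Step 1: redirect URI missing")
    granted = {(r["id"], r["type"]) for rra in app.get("requiredResourceAccess", [])
               if rra["resourceAppId"] == GRAPH for r in rra["resourceAccess"]}
    for pid, (name, kind) in REQUIRED.items():
        if (pid, kind) not in granted:
            findings.append(f"Step 3: missing {name}")
    for pid, kind in sorted(granted):
        if pid not in REQUIRED:  # anything beyond the three listed permissions
            findings.append(f"Step 3: extra Graph permission {pid} (least privilege)")
    if not app.get("passwordCredentials"):
        findings.append("Step 4: no client secret")
    roles = {r["value"] for r in app.get("appRoles", [])
             if r.get("isEnabled") and "User" in r.get("allowedMemberTypes", [])}
    for role in ("Admin", "User"):
        if role not in roles:
            findings.append(f"Step 5: app role {role} missing")
    if not sp.get("appRoleAssignmentRequired"):
        findings.append("Step 5: user assignment not required")
    if not app.get("web", {}).get("implicitGrantSettings", {}).get("enableIdTokenIssuance"):
        findings.append("Step 6: ID token issuance disabled")
    return findings

# Constructed sample objects (not real tenant data): "User" role and ID tokens are missing.
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": ["https://xyz.selfservicepim.com"], "implicitGrantSettings": {"enableIdTokenIssuance": False}},
    "requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": [{"id": pid, "type": kind} for pid, (_, kind) in REQUIRED.items()]}],
    "passwordCredentials": [{"displayName": "sspim", "endDateTime": "2027-01-01T00:00:00Z"}],
    "appRoles": [{"value": "Admin", "isEnabled": True, "allowedMemberTypes": ["User"]}],
}
SAMPLE_SP = {"appRoleAssignmentRequired": True}
if __name__ == "__main__":
    print("\n".join(check_registration(SAMPLE_APP, SAMPLE_SP, "https://xyz.selfservicepim.com")))
```

Admin consent and the assignment of your own user to the "Admin" role are stored outside these two objects, so confirm those in the portal.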

Your work here is done!


Press the "Complete Setup" button.
IMPORTANT: If you complete the setup with incorrect parameters, you will be locked out of Self Service PIM. You will need to raise a ticket at selfservicepim.com/support.