Improve a few steps configuring SSO on Azure (neo4j#1767)

These instructions were added in [the
PR#906](neo4j#906).

---------

Co-authored-by: Lidia Zuin <[email protected]>
Co-authored-by: Reneta Popova <[email protected]>

Author: 3 people

modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc

@@ -132,50 +132,52 @@ image::sso-configuration-tutorials/okta-sign-on-tab.svg[title="Okta's sign-on ta
 
 This example shows how to configure Entra ID for authentication and authorization using an access token.
 
-. Set parameters to be `access_token`:
-+
-[source, properties]
-----
-dbms.security.oidc.azure.config=principal=unique_name;code_challenge_method=S256;token_type_principal=access_token;token_type_authentication=access_token
-----
+. After the successful creation of your SSO application in Azure, open the *Token configuration* tab to configure a token.
+.. Click *Add groups claim*.
+.. Select *Security groups* to include in your access token.
+.. Save your changes.
 
-. Add the following parameter:
+. Open the **Expose an API** tab and select **Add a Scope**.
+.. If you click the **Add a Scope** button for the first time, you see a new pane stating that you need to add an _Application ID URI_ before proceeding.
 +
-[source, properties]
-----
-dbms.security.oidc.azure.token_endpoint=https://login.microsoftonline.com/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/oauth2/v2.0/token
-----
+You can find it on your app *Overview* page. 
 +
-[NOTE]
-====
-The GUID is the directory (tenant) ID.
-You can find it on the app registration page:
-
+.The GUID is used to identify specific resources or instances within Azure. You can find it on the app registration page.
 image::sso-configuration-tutorials/azure-id.svg[]
-====
++
+.. Click *Save and continue* after setting the _Application ID URI_.
+
+. Fill in all mandatory fields in the pane **Add a scope**.
+.. Enter a new *Scope name*, *Admin consent display name*, and *Admin consent description*.
+.. Make sure the *Enabled* scope state is selected.
+.. Select the *Add scope* button again to create a new scope.
+You can add all scopes supported by your API.
++
+Once the scopes are created, make a note of them for use later.
 
-. Include the issuer:
+. Configure Neo4j to use Entra ID for authentication by configuring the following settings in the _neo4j.conf_ file:
 +
 [source, properties]
 ----
+# Configure the access_token
+dbms.security.oidc.azure.config=principal=unique_name;code_challenge_method=S256;token_type_principal=access_token;token_type_authentication=access_token
+# Configure the OIDC token endpoint with the Directory (tenant) ID
+dbms.security.oidc.azure.token_endpoint=https://login.microsoftonline.com/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/oauth2/v2.0/token
+# Configure the iss claim in the id token with the Directory (tenant) ID
+# Make sure you add the trailing slash (`/`) at the end of the URL, or this operation might fail.
 dbms.security.oidc.azure.issuer=https://sts.windows.net/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/
+# Provide the Entra ID parameters, such as client_id, response_type, scope, etc.
+dbms.security.oidc.azure.params=client_id=4376dc8b-b5af-424f-9ada-c1c1b2d416b9;response_type=code;scope=openid profile email api://4376dc8b-b5af-424f-9ada-c1c1b2d416b9/access-token
 ----
 +
 [NOTE]
 ====
-As previously mentioned, the GUID here is also the directory (tenant) ID.
+As previously mentioned, the GUID here is also the Directory (tenant) ID.
 Make sure you add the trailing slash (`/`) at the end or this operation might fail.
-====
 
-. Go to the "Expose an API" tab and click "Add a Scope" to include the following statement:
-+
-[source, properties]
-----
-dbms.security.oidc.azure.params=client_id=4376dc8b-b5af-424f-9ada-c1c1b2d416b9;response_type=code;scope=openid profile email api://4376dc8b-b5af-424f-9ada-c1c1b2d416b9/access-token
-----
+The audience parameter for access tokens is typically set with `api://` at the front.
+====
 
-. Add the value in the scope column to the scopes in the configuration.
-Note that the audience parameter for access tokens are typically set with` api://` at the front.
 
 === ID token