neo4j · NataliaIvakina · Sep 12, 2024 · Aug 14, 2024 · Aug 19, 2024 · Aug 26, 2024
diff --git a/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc b/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc
@@ -132,50 +132,44 @@ image::sso-configuration-tutorials/okta-sign-on-tab.svg[title="Okta's sign-on ta
 
 This example shows how to configure Entra ID for authentication and authorization using an access token.
 
-. Set parameters to be `access_token`:
-+
-[source, properties]
-----
-dbms.security.oidc.azure.config=principal=unique_name;code_challenge_method=S256;token_type_principal=access_token;token_type_authentication=access_token
-----
+. After the successful creation of your SSO application in Azure, open the *Token configuration* tab to configure a token.
+.. In the Manage section, click *Token configuration* and then *Add groups claim*.
+.. Select *Security groups* to include in your access token.
+.. Save your changes.
 
-. Add the following parameter:
+. Next step is to open the **Expose an API** tab and click the **Add a Scope** button.
+..If you click the **Add a Scope** button for the first time, you see a new window stating that you need to add an _Application ID URI_ before proceeding
+You can find it on your app *Overview* page. 
 +
-[source, properties]
-----
-dbms.security.oidc.azure.token_endpoint=https://login.microsoftonline.com/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/oauth2/v2.0/token
-----
-+
-[NOTE]
-====
-The GUID is the directory (tenant) ID.
-You can find it on the app registration page:
-
+.The GUID is used to identify specific resources or instances within Azure. You can find it on the app registration page.
 image::sso-configuration-tutorials/azure-id.svg[]
-====
++
+Click *Save and continue*.
 
-. Include the issuer:
+. Fill in all mandatory fields in the window **Add a scope** and make a note of them.
+. Configure Neo4j to use Entra ID for authentication by configuring the following settings in the _neo4j.conf_ file:
 +
 [source, properties]
 ----
+# Configure the access_token
+dbms.security.oidc.azure.config=principal=unique_name;code_challenge_method=S256;token_type_principal=access_token;token_type_authentication=access_token
+# Configure the OIDC token endpoint with the Directory (tenant) ID
+dbms.security.oidc.azure.token_endpoint=https://login.microsoftonline.com/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/oauth2/v2.0/token
+# Configure the iss claim in the id token with the Directory (tenant) ID
+# Make sure you add the trailing slash (`/`) at the end of the URL, or this operation might fail.
 dbms.security.oidc.azure.issuer=https://sts.windows.net/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/
+# Provide the Entra ID parameters, such as client_id, response_type, scope, etc.
+dbms.security.oidc.azure.params=client_id=4376dc8b-b5af-424f-9ada-c1c1b2d416b9;response_type=code;scope=openid profile email api://4376dc8b-b5af-424f-9ada-c1c1b2d416b9/access-token
 ----
 +
 [NOTE]
 ====
-As previously mentioned, the GUID here is also the directory (tenant) ID.
+As previously mentioned, the GUID here is also the Directory (tenant) ID.
 Make sure you add the trailing slash (`/`) at the end or this operation might fail.
-====
 
-. Go to the "Expose an API" tab and click "Add a Scope" to include the following statement:
-+
-[source, properties]
-----
-dbms.security.oidc.azure.params=client_id=4376dc8b-b5af-424f-9ada-c1c1b2d416b9;response_type=code;scope=openid profile email api://4376dc8b-b5af-424f-9ada-c1c1b2d416b9/access-token
-----
+The audience parameter for access tokens are typically set with` api://` at the front.
+====
 
-. Add the value in the scope column to the scopes in the configuration.
-Note that the audience parameter for access tokens are typically set with` api://` at the front.
 
 === ID token