{
  "@context": [
    "https://www.w3.org/ns/credentials/v2"
  ],
  "type": [
    "VerifiableCredential",
    "BlogPostCredential"
  ],
  "id": "urn:uuid:e515877d-4c9a-4749-8313-46d88c5d7aa3",
  "issuer": "did:webvh:QmTVQnV3qGxWzWmnmWJAy1zkYswgbUmE95K5qodmAizVfr:mjendza.net",
  "validFrom": "2026-03-15T13:35:32Z",
  "credentialSubject": {
    "title": "Backstage for Entra ID Team",
    "author": "Mateusz Jendza",
    "body": "![enum](/images/backstage/backstage.jpg)\r\n\r\n## TL;DR\r\n- Backstage is an open-source developer portal that helps us manage software projects, tools, and APIs.\r\n- With Backstage, we can create a unified view of our software ecosystem, making it easier for developers to discover and use tools.\r\n- With Backstage, we can create custom plugins to integrate with our existing tools and services.\r\n- My post provides an example custom template for Entra ID, which allows us to build a process to enable SSO for the applications.\r\n\r\n## Introduction\r\nFrom the organisation's identity perspective, we face the challenge of managing multiple software projects, tools, and APIs. Backstage is an open-source developer portal that helps us create a unified view of our software ecosystem, making it easier for developers to discover and use tools. In this post, I will walk through setting up Backstage and creating a custom plugin for Entra ID.\r\n\r\n## Big Picture\r\n![backstage-diagram](/images/backstage/big-picture.jpg)\r\nVia the Backstage template (YAML file), we can improve our operations and automate the enablement of SSO for a new application. The template can include the necessary steps to create an Entra ID application, configure SSO, and set up the required permissions. The Backstage template creates a pull request. Once the operations team accepts it, the automation process is triggered to create the Entra ID application via Terraform. 
Based on the requirements, expected details such as client_id will be shared via a dedicated channel.\r\n\r\nThis allows for a more streamlined and efficient process, reducing the time and effort required to set up SSO for new applications.\r\n\r\n## Workflow overview\r\nEnter basic details: name and description.\r\n![backstage-workflow](/images/backstage/s1.jpg)\r\n\r\nExpected permissions, secret?\r\n![backstage-workflow](/images/backstage/s2.jpg)\r\n\r\nSummary and submit the request.\r\n![backstage-workflow](/images/backstage/s3.jpg)\r\n\r\nRun the flow: read the repository, update the Terraform file to enable SSO for the application.\r\n![backstage-workflow](/images/backstage/s4.jpg)\r\n\r\nThe operations team must review the pull request: check the expected permissions, approve or reject, and merge.\r\n![backstage-workflow](/images/backstage/s5.jpg)\r\n\r\nRun the pipeline with GitHub Actions or maybe with SpaceLift?\r\n![backstage-workflow](/images/backstage/s6.jpg)\r\n\r\nShare the details with the application team.\r\n\r\n## Business Value\r\n- Developer self-service to enable SSO for new applications.\r\n- The operations team can focus on more important tasks instead of manual SSO configuration.\r\n- The approval process via pull request ensures that the operations team can review and approve the changes before they are applied.\r\n- Continuous improvement of the process by collecting feedback from developers and the operations team; Entra as Code, managed by Terraform, can be improved through changes in the internal Terraform implementation.\r\n- Automated process for many environments (dev, test, prod) to ensure consistency and reduce errors; a single request can trigger the internal process to create the Entra ID applications for dev, test and prod.\r\n- A similar process can be used to build a process for Landing Zones.\r\n- Backstage can be used to manage other tools and services, like Azure DevOps, GitHub, or Jenkins, providing a unified view of the software ecosystem.\r\n## Technical 
Summary\r\n- Backstage is a powerful Developer Portal that helps us manage software projects, tools, and APIs.\r\n- Custom plugins can be created, as in my case to merge files. Nice documentation and examples, plus JavaScript or TypeScript knowledge, are required. There are no issues from my side.\r\n- Backstage templates via [Nunjucks](https://mozilla.github.io/nunjucks/templating.html#tags) are easy to use.\r\n\r\n## Challenges\r\n- There is no built-in support to merge files in Backstage templates. We need to create a custom plugin to handle this.\r\n- The standard Backstage examples generate an application repository based on the scaffold template. In our case, we expect to create a pull request to the existing repository with the updated Terraform file.\r\n## Links\r\n- [Backstage](https://backstage.io/)\r\n- [Backstage GitHub](https://github.com/backstage/backstage)\r\n- [Create Backstage Plugin](https://backstage.io/docs/plugins/create-a-plugin)\r\n- [Write a template](https://backstage.io/docs/features/software-templates/writing-templates)",
    "datePublished": "2025-07-23",
    "url": "/post/backstage-for-entra-operations",
    "description": "Enable SSO for new applications with Backstage, Entra ID, Terraform, GitHub and CI/CD.",
    "tags": [
      "Entra-Id",
      "Backstage",
      "Developer Portal"
    ]
  },
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-jcs-2022",
    "verificationMethod": "did:key:z6MksoqpqENZmzzA4nhCPkfcbWtRHVegGV38Yqu2arRc5Er2#z6MksoqpqENZmzzA4nhCPkfcbWtRHVegGV38Yqu2arRc5Er2",
    "created": "2026-03-15T13:35:32Z",
    "proofPurpose": "assertionMethod",
    "proofValue": "z4WoVkKMp6NDvh51TFsq8d8bPxm9HvVbfQnqznTuqqmwsqnHXccS9GMdN2aMFvLoDHip6DBp37GsAgwFLMq9e9wbp"
  }
}