Configure Azure and Devolutions Server properly to use Microsoft authentication by following the instructions below.
Requirements
- Devolutions Server scheduler installed and running
- A Microsoft Azure AD subscription
- An Azure AD web application for the Devolutions Server web application and the cache
Creation of Azure AD applications and Devolutions Server Microsoft configuration
To simplify the configuration steps and to easily copy and paste all the required parameters, keep the Devolutions Server and Azure Portal web pages open side by side throughout the whole process.
In Devolutions Server
- Log in to your Devolutions Server and navigate to Administration – Server settings – Authentication.
- Under Authentication modes, ensure Authenticate with Microsoft user is enabled.
- Under Configuration, click on Microsoft authentication.
In the Azure Portal
- Log in to your Microsoft Azure Portal using administrator credentials.
- Once logged in, select Microsoft Entra ID in the Azure services section. If you do not see it, click on More services to make other services appear or search for it in the search bar.
- In Properties, copy the Tenant ID value.
In Devolutions Server
-
Paste this value in the Tenant ID field of the Devolutions Server Microsoft Authentication configuration page.
The Use specific client ID for users and user groups cache option should only be check to support configurations when migrating from an older Devolutions Server version.
In the Azure Portal
- In the Manage menu section, click App registrations then New registration.
- Enter a significant name for the application. This name will not be used outside of the Azure Portal.
- Set which Supported account types are allowed to connect. Usually, selecting Accounts in this organizational directory only is more than enough for your Azure AD authentication.
- Set the Redirect URI to Web and enter a valid URL, the URL to reach your Devolutions Server instance, with /api/external-provider-response at the end.
- Click on Register.
- Click on Copy to clipboard next to Application (client) ID.
In Devolutions Server
- Paste the Application (client) ID in the Client ID field.
In the Azure Portal
- In the Authentication section, under Implicit grant and hybrid flows, enable Access tokens and ID tokens.
- Click Save.
- In the Certificates & secrets section, click New client secret.
- Enter a description and set an expiry date.
- Click Add.
- Copy the Value. Be sure to save the Value in a safe place before switching to another Azure Portal page, as the copy button will no longer be available.
In Devolutions Server
- Ensure the Use only the TokenID for authentication setting is disabled. This setting should only be activated if you have enabled ID tokens in Azure, but not access tokens, for retrocompatibility reasons.
- Paste the Value in the Secret value field.
In the Azure Portal
- In the API permissions section, click on Add a permission.
- Select Microsoft Graph.
- Select Application permissions.
- Select Group.Read.All under the Group section and User.Read.All under the User section.
- Click on Add permissions.
- Click the three dots next to the User.Read permission and remove it.
- Confirm the removal by clicking Yes, remove since this permission is not required for the sync application.
- If the Status of the User.Read.All and Group.Read.All permissions is set to Not granted, an administrator must grant consent. If the account used to create the application is already an administrator in Azure, click on Grant admin consent for <your organization>.
In Devolutions Server
- Click Save.
You should now be able to use the Microsoft button on the web interface.
After activating the Microsoft authentication, it may take a while for the cache to load before being able to import users and user groups. If the issue persists, please consult Unable to import Azure AD users or groups for troubleshooting via the Devolutions Server Console.
Following the login process, you may get a prompt to authorize the application to read the user accounts and groups. Check the Consent on behalf of your organization box then click Accept.