This topic describes how to configure Azure and Devolutions Server to use Microsoft authentication.
Requirements
- Devolutions Server Scheduler installed and running.
- A Microsoft Azure AD subscription.
- An Azure AD Web Application for the Devolutions Server web application and the cache.
Creation of Azure AD applications and Devolutions Server Microsoft configuration
- Log in to your Microsoft Azure Portal using administrator credentials.
- To simplify the configuration steps and to easily copy and paste all the required parameters, keep the Azure Portal and the Devolutions Server web UI open side by side, the latter in Administration – Server Settings – Authentication – Microsoft Authentication.
- Once logged in, go to Azure Active Directory – Properties.
- Click on the Copy to clipboard button beside the Tenant ID property.
  [Screenshot: Copy the Tenant ID]
- Paste this value in the Tenant ID field of the Devolutions Server Microsoft Authentication configuration page. The Use specific client ID for users and user groups cache option should only be checked to support configurations migrated from an older Devolutions Server version.
  [Screenshot: Paste the Tenant ID]
- Click App registrations in the Manage menu section.
  [Screenshot: App registrations]
- Create the application using the New registration button.
  [Screenshot: New registration]
- Enter a meaningful name for the application. This name is not used outside of the Azure Portal.
- Set which Supported account types are allowed to connect. Usually, selecting Accounts in this organizational directory only is sufficient for your Azure AD authentication.
- Set the Redirect URI to Web and enter a valid URL: the URL used to reach your Devolutions Server instance, with /api/external-provider-response appended.
  [Screenshot: Redirect URI]
- Click on the Register button.
- Click on the Copy to clipboard button next to the Application (client) ID.
  [Screenshot: Copy the Application ID]
- Paste the Application (client) ID in the Client ID field of the web application section in the Devolutions Server Microsoft Authentication configuration page.
  [Screenshot: Paste the Application ID]
- Select the Authentication tab of the Azure web application and enable ID tokens under the Implicit grant and hybrid flows section.
  [Screenshot: Enable ID tokens]
- Click Save.
- Select the Certificates & secrets tab and click New client secret.
  [Screenshot: Certificates & secrets – New client secret]
- Enter a description and set an expiry date. Then, click on the Add button.
  [Screenshot: Client secret setup]
- Click on the Copy to clipboard button of the Value. Be sure to save the Value in a safe place: once you switch to another page of the Azure Portal, the copy button will no longer be available.
  [Screenshot: Copy the client secret value]
- Paste the Value in the Secret key field of the web application section in the Devolutions Server Microsoft Authentication configuration page.
  [Screenshot: Paste the client secret value]
- Select the API permissions tab of the Azure web application and click on Add a permission.
  [Screenshot: API permissions – Add a permission]
- Select Microsoft Graph.
  [Screenshot: Microsoft Graph]
- Select Application permissions.
  [Screenshot: Application permissions]
- Select Group.Read.All under the Group section and User.Read.All under the User section.
  [Screenshot: Group.Read.All permission]
  [Screenshot: User.Read.All permission]
- Click on Add permissions.
- Select the User.Read permission and delete it using the Remove permission button.
  [Screenshot: Remove the User.Read permission]
- Confirm the removal by clicking Yes, remove, since this permission is not required for the sync application.
- If the Status of the User.Read.All and Group.Read.All permissions is Not granted, an Azure administrator must grant consent to the newly added permissions. If the account used to create the application is already an administrator in Azure, click on Grant admin consent for <your organization>.
  [Screenshot: Grant admin consent for your organization]
- Your configuration page should look similar to the screenshot below. Click Save.
  [Screenshot: Save your configuration]
You should now be able to use the Microsoft button on the web interface.
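As an added example that is not part of the Devolutions documentation, the following Python checks the values copied between the two portals (tenant ID, client ID, redirect URI) and then the claims of an ID token returned to /api/external-provider-response. It assumes the v2.0 token endpoint (issuer https://login.microsoftonline.com/{tenant}/v2.0) and uses constructed placeholder identifiers.

```python
import base64
import json
import re

# Constructed placeholder values, not real tenant or application identifiers.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://dvls.example.com/api/external-provider-response"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def check_settings(tenant_id, client_id, redirect_uri):
    """Return the problems found in the values pasted into the DVLS page (empty list = OK)."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("tenant ID is not a GUID")
    if not GUID_RE.match(client_id):
        problems.append("client ID is not a GUID")
    if not redirect_uri.startswith("https://"):
        problems.append("redirect URI must use https")
    if not redirect_uri.endswith("/api/external-provider-response"):
        problems.append("redirect URI must end with /api/external-provider-response")
    return problems

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def check_id_token_claims(id_token, tenant_id, client_id, now):
    """Check the claims of an ID token posted back to the redirect URI at time `now`.
    Verify the RS256 signature against the tenant's signing keys before trusting
    any claim in a real deployment; this offline example covers the claims only."""
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    problems = []
    if payload.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("issuer does not match the configured tenant")
    if payload.get("aud") != client_id:
        problems.append("audience does not match the configured client ID")
    if payload.get("tid") != tenant_id:
        problems.append("token was issued for another tenant")
    if payload.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def make_demo_token(claims):
    """Build a constructed, unsigned token for the demo; real tokens carry an RS256 signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

The tid and issuer checks are what keep an account from another tenant out even when the app registration allows only accounts in your organizational directory.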
After activating Microsoft authentication, it may take a while for the cache to load before users and user groups can be imported. If users or groups still cannot be imported, please consult Unable to import Azure AD users or groups for troubleshooting.
Following the login process, you may see a prompt asking you to authorize the application to read the user accounts and groups. Check the Consent on behalf of your organization option and then click Accept.