Configure Microsoft authentication with Entra ID

Configure Microsoft Entra ID and Devolutions Server properly to use Microsoft authentication by following the instructions below.

Devolutions Server supports two authentication modes for Microsoft sign-in: Application permissions (recommended default) and Delegated permissions (for tenants where Application permissions are blocked by policy).

Feature                 Application     Delegated
Acts as                 The app         A user (service account)
Redirect URI            Not required    Required
Admin consent           Required        Required for *.All scopes
Login authentication    Yes             Yes
PAM                     Yes             No, use Application
Microsoft 365 email     Yes             No, use Application
Auto-create users       Yes             Yes

Requirements

  • Devolutions Server scheduler installed and running

  • A Microsoft Entra ID subscription

  • An Entra ID web application for the Devolutions Server web application and the cache

Creation of Entra ID applications and Devolutions Server Microsoft configuration

To simplify the configuration steps and to easily copy and paste all the required parameters, keep the Devolutions Server and Azure Portal web pages open side by side throughout the whole process.

In Devolutions Server

  1. Log in to your Devolutions Server and navigate to Administration – Server settings – Authentication.

  2. Under Authentication modes, ensure Authenticate with Microsoft user is enabled.

  3. Under Configuration, click on Microsoft authentication.

  4. In the Authentication mode dropdown, select the permission model for your environment:

    • Application permissions (recommended default): Devolutions Server authenticates as the app itself using client credentials.

    • Delegated permissions: Devolutions Server impersonates a service account user to make Microsoft Graph calls. Use this mode only if your tenant policy blocks Application permissions.

In the Azure Portal

  1. Log in to your Microsoft Azure Portal using administrator credentials.

  2. Once logged in, select Microsoft Entra ID in the Azure services section. If you do not see it, click on More services to make other services appear or search for it in the search bar.

  3. On the Overview page, find the Tenant ID in the Basic information section, then click the copy icon next to it.

In Devolutions Server

  1. Paste this value in the Tenant ID field of the Microsoft Authentication configuration page.

The Use specific client ID for users and user groups cache option should only be checked when migrating a configuration from an older Devolutions Server version.

In the Azure Portal

  1. In the left navigation pane, select App registrations.

  2. Click + New registration.

  3. Enter a meaningful name for the application. This name is not used outside of the Azure Portal.

  4. Set which Supported account types are allowed to connect. Usually, selecting Single tenant only is more than enough for your Entra ID authentication.

  5. Set the Redirect URI based on your authentication mode:

    • Application: Set to Web and enter your Devolutions Server instance URL with /api/external-provider-response appended at the end. No further redirect URI configuration is required.

    • Delegated: Set to Web and enter your Devolutions Server instance URL using the following pattern:

      https://<your-dvls-host>/<instance-path>/api/configuration/authentication/azure/connect-callback

      Example for a local instance at /dps:

      http://localhost/dps/api/configuration/authentication/azure/connect-callback

      Then, in your app registration, go to Authentication – Redirect URI configuration – + Add Redirect URI – Web, enter the redirect URI, and click Configure.

  6. On the app registration Overview page, find the Application (client) ID in the Essentials section and click the copy icon next to it.

In Devolutions Server

  1. Paste the Application (client) ID in the Client ID field.

In the Azure Portal

  1. Select the app registration you just created. In the Certificates & secrets section, click + New client secret.

When the client secret expires, no one will be able to connect to the associated Devolutions Server instance. You will then need to create a new client secret. We recommend setting yourself a reminder before the expiration date.

  1. Enter a description and set an expiry date.

  2. Click Add.

  3. Copy the Value. Be sure to save it in a safe place before switching to another Azure Portal page, as the copy button will no longer be available.
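The reminder recommended above can be scripted against the app registration itself. The following is an added example, not code from Devolutions or Microsoft: it reads the passwordCredentials list in the shape Microsoft Graph returns for an application object, flags secrets that are expired or within a warning window, and prints a rotation report. The sample credential list, its keyId values and the GRAPH_TOKEN / DVLS_APP_OBJECT_ID environment variable names are constructed for this example; the live lookup needs a Graph token holding Application.Read.All, which is a separate administrative permission and not one of the permissions this page grants to the Devolutions Server app.

```python
import json
import os
from datetime import datetime, timezone
from urllib import request

# Fixed "now" so the constructed sample below gives a reproducible report.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# CONSTRUCTED sample in the shape of the passwordCredentials array that
# GET https://graph.microsoft.com/v1.0/applications/{object-id} returns
# (only the fields this script reads; keyId values are placeholders).
SAMPLE_PASSWORD_CREDENTIALS = [
    {"displayName": "dvls-old", "keyId": "11111111-0000-0000-0000-000000000000",
     "endDateTime": "2024-12-20T00:00:00Z"},
    {"displayName": "dvls-prod", "keyId": "22222222-0000-0000-0000-000000000000",
     "endDateTime": "2025-01-15T00:00:00.0000000Z"},
    {"displayName": "dvls-edge", "keyId": "33333333-0000-0000-0000-000000000000",
     "endDateTime": "2025-01-31T00:00:00Z"},
    {"displayName": "dvls-next", "keyId": "44444444-0000-0000-0000-000000000000",
     "endDateTime": "2025-06-01T00:00:00Z"},
]


def parse_graph_datetime(value: str) -> datetime:
    """Graph returns UTC ISO 8601 with up to seven fractional-second digits
    (e.g. 2025-01-15T00:00:00.1234567Z); datetime.fromisoformat accepts at most six."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = head + "." + frac[:6].ljust(6, "0")
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def secrets_needing_rotation(credentials, now=None, warn_days=30):
    """Return (displayName, status, days_left) for every client secret that has
    already expired or expires within warn_days, soonest first."""
    now = now or datetime.now(timezone.utc)
    report = []
    for cred in credentials:
        expires = parse_graph_datetime(cred["endDateTime"])
        days_left = (expires - now).days
        if days_left <= warn_days:
            status = "EXPIRED" if expires <= now else "EXPIRING"
            report.append((cred.get("displayName") or cred["keyId"], status, days_left))
    return sorted(report, key=lambda row: row[2])


def fetch_password_credentials(access_token: str, app_object_id: str) -> list:
    """Read the live list from Microsoft Graph. Needs network access and a Graph
    token that holds Application.Read.All (an admin permission separate from the
    User.Read.All / Group.Read.All grants this page configures for the app)."""
    url = f"https://graph.microsoft.com/v1.0/applications/{app_object_id}?$select=passwordCredentials"
    req = request.Request(url, headers={"Authorization": "Bearer " + access_token})
    with request.urlopen(req) as resp:
        return json.load(resp)["passwordCredentials"]


if __name__ == "__main__":
    # Hypothetical environment variable names for the live check; otherwise the sample runs.
    token, object_id = os.environ.get("GRAPH_TOKEN"), os.environ.get("DVLS_APP_OBJECT_ID")
    if token and object_id:
        rows = secrets_needing_rotation(fetch_password_credentials(token, object_id))
    else:
        rows = secrets_needing_rotation(SAMPLE_PASSWORD_CREDENTIALS, now=SAMPLE_NOW)
    for name, status, days in rows:
        print(f"{status:8} {name}: {days:+d} days")
```

Run it from a scheduled job with a warning window longer than your change lead time; a secret that shows up as EXPIRING is the cue to create the new secret, paste it into the Secret value field, and only then remove the old one from the app registration.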

In Devolutions Server

  1. Paste the Value in the Secret value field.

  2. In the Type of user interaction on login dropdown, set the Entra ID sign-in prompt behavior:

    • Select account (select_account): Always displays the account picker, even if the user already has an active session.

    • Leave at default for silent sign-in when a valid session already exists.

In the Azure Portal

  1. Select the app registration you just created.

  2. In the API permissions section, click + Add a permission.

  3. Select Microsoft Graph.

  4. Select the API permission type and add permissions based on your authentication mode:

     Mode                     API permissions
     Application permissions  User.Read.All, Group.Read.All (type Application); admin consent required
     Delegated permissions    User.Read (type Delegated, user-consentable) plus User.Read.All and Group.Read.All (type Delegated) for directory reads; admin consent required for the *.All scopes

  5. Click Add permissions.

Depending on your tenant configuration, one of the following outcomes will occur after consent is handled:

  • Admin grants tenant-wide consent in the portal: silent; all users are covered and no popup appears.

  • Admin does not consent, but the service account holds the User Administrator and Groups Administrator roles: the first sign-in shows a consent popup, and the service account can self-consent.

  • Admin does not consent and the service account cannot self-consent: sign-in is blocked with AADSTS65001.

Note for restricted tenants: users who cannot get tenant-wide admin consent can still operate Delegated mode if they grant the service account the two Entra built-in roles above.
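Whether consent was actually granted shows up in the Graph access token itself: an Application-mode token (client credentials) lists granted app roles in its roles claim, while a Delegated-mode token lists consented scopes in its space-separated scp claim. The following is an added example, not code from Devolutions or Microsoft, that decodes a token's claims (without signature verification, for operator inspection only) and compares them with the permissions listed in the table above. The sample tokens, the placeholder tenant id and the DVLS_TENANT_ID / DVLS_CLIENT_ID / DVLS_CLIENT_SECRET environment variable names are constructed for this example; the optional live request uses the Microsoft identity platform v2.0 token endpoint with the client credentials grant.

```python
import base64
import json
import os
from urllib import parse, request

GRAPH_AUDIENCE = "https://graph.microsoft.com"

# Graph permissions this page asks for in each authentication mode.
REQUIRED_APP_ROLES = {"User.Read.All", "Group.Read.All"}
REQUIRED_DELEGATED_SCOPES = {"User.Read", "User.Read.All", "Group.Read.All"}

# Placeholder tenant id used only by the constructed sample tokens below.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT checking its signature.
    Intended for an operator inspecting a token they just obtained; it must never
    be used to accept a token presented by a client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def check_graph_token(token: str, tenant_id: str, mode: str) -> list:
    """Compare a Graph access token with what the chosen mode needs.
    Returns a list of problems; an empty list means the token matches the mode."""
    if mode not in ("application", "delegated"):
        raise ValueError("mode must be 'application' or 'delegated'")
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("aud") != GRAPH_AUDIENCE:
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("tid") != tenant_id:
        problems.append("tenant id in token does not match the configured Tenant ID")
    if mode == "application":
        if "scp" in claims:
            problems.append("token carries 'scp': this is a delegated token, not client credentials")
        missing = REQUIRED_APP_ROLES - set(claims.get("roles", []))
    else:
        missing = REQUIRED_DELEGATED_SCOPES - set(claims.get("scp", "").split())
    if missing:
        problems.append("missing Graph permissions (consent not granted?): " + ", ".join(sorted(missing)))
    return problems


def request_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client credentials grant (Application mode) against the v2.0 token endpoint.
    Needs network access and the real Tenant ID, Client ID and secret value."""
    body = parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_AUDIENCE + "/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with request.urlopen(request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_sample_token(claims: dict) -> str:
    """CONSTRUCTED, unsigned token so the checker can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"


# Sample 1: application token whose admin consent covered only one of the two roles.
SAMPLE_APP_TOKEN = make_unsigned_sample_token(
    {"aud": GRAPH_AUDIENCE, "tid": SAMPLE_TENANT, "roles": ["User.Read.All"]})
# Sample 2: delegated token for the bound service account with every required scope.
SAMPLE_DELEGATED_TOKEN = make_unsigned_sample_token(
    {"aud": GRAPH_AUDIENCE, "tid": SAMPLE_TENANT,
     "scp": "User.Read User.Read.All Group.Read.All", "upn": "svc-dvls@contoso.com"})

if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; the sample tokens run otherwise
    if all(k in env for k in ("DVLS_TENANT_ID", "DVLS_CLIENT_ID", "DVLS_CLIENT_SECRET")):
        token = request_app_token(env["DVLS_TENANT_ID"], env["DVLS_CLIENT_ID"], env["DVLS_CLIENT_SECRET"])
        print(check_graph_token(token, env["DVLS_TENANT_ID"], "application") or "application token OK")
    else:
        print(check_graph_token(SAMPLE_APP_TOKEN, SAMPLE_TENANT, "application"))
        print(check_graph_token(SAMPLE_DELEGATED_TOKEN, SAMPLE_TENANT, "delegated") or "delegated sample OK")
```

A missing role in an Application-mode token means the permission was added to the registration but tenant-wide consent was never granted; the token endpoint still issues the token, and only the later Graph call fails. Checking the claims right after configuration catches that before users hit the AADSTS65001 or cache-load symptoms described on this page.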

In Devolutions Server

  1. For Delegated permissions mode only, in the Service account email field, enter the UPN of the user account Devolutions Server will impersonate for Microsoft Graph calls (e.g., svc-dvls@contoso.com).

  2. For Delegated permissions mode only, click Connect to Microsoft. An OAuth sign-in window opens. Sign in with the service account to bind it to Devolutions Server. Once the OAuth flow completes successfully, the Connected status displays the UPN of the bound service account.

  3. For Delegated permissions mode only, click Test connection to run a delegated Graph API call and verify the service account token is working correctly.

To revoke the cached token and clear the service account binding at any time, click Disconnect. Do this before changing the service account or rotating credentials.

Rotating the client secret or changing the tenant configuration invalidates the cached delegated token automatically. On service account password change or session revocation, an admin must reconnect from Administration – Server settings – Authentication – Microsoft authentication; the rest of the configuration is preserved.

  1. Click Save.

You should now be able to use the Microsoft button on the web interface.

After activating Microsoft authentication, it may take a while for the cache to load before users and user groups can be imported.

Delegated mode limitations

  • Login only: PAM (privileged access) and Microsoft 365 email integration require Application permissions. If you use those features, keep Application mode or run a hybrid configuration with separate app registrations.

  • Tenant-wide directory reads: User.Read.All and Group.Read.All are tenant-wide scopes. Entra ID has no native subset scope for OAuth. To restrict which users Devolutions Server can auto-create, use the auto-create restriction by group option in Devolutions Server itself.

  • Service account dependency: Delegated mode binds Devolutions Server to a single service account's identity. If the service account is disabled, password-rotated, or has its session revoked, an admin must reconnect via Administration – Server settings – Authentication – Microsoft authentication.
