Azure Portal configuration guide for Microsoft authentication

On this page
Contribute

Configure Azure and Devolutions Server properly to use Microsoft authentication by following the instructions below.

Requirements

  • Devolutions Server scheduler installed and running
  • A Microsoft Azure AD subscription
  • An Azure AD web application for the Devolutions Server web application and the cache

Creation of Azure AD applications and Devolutions Server Microsoft configuration

To simplify the configuration steps and to easily copy and paste all the required parameters, keep the Devolutions Server and Azure Portal web pages open side by side throughout the whole process.

In Devolutions Server

  1. Log in to your Devolutions Server and navigate to Administration – Server settings – Authentication.
  2. Under Authentication modes, ensure Authenticate with Microsoft user is enabled.
  3. Under Configuration, click on Microsoft authentication.
    Administration – Server settings – Authentication – Microsoft authentication
    Administration – Server settings – Authentication – Microsoft authentication

In the Azure Portal

  1. Log in to your Microsoft Azure Portal using administrator credentials.
  2. Once logged in, select Microsoft Entra ID in the Azure services section. If you do not see it, click on More services to make other services appear or search for it in the search bar.
    Microsoft Entra ID service
    Microsoft Entra ID service
  3. In Properties, copy the Tenant ID value.
    Copy the Tenant ID
    Copy the Tenant ID

In Devolutions Server

  1. Paste this value in the Tenant ID field of the Devolutions Server Microsoft Authentication configuration page.

    The Use specific client ID for users and user groups cache option should only be check to support configurations when migrating from an older Devolutions Server version.

    Paste the Tenant ID
    Paste the Tenant ID

In the Azure Portal

  1. In the Manage menu section, click App registrations then New registration.
    App registrations – New registration
    App registrations – New registration
  2. Enter a significant name for the application. This name will not be used outside of the Azure Portal.
  3. Set which Supported account types are allowed to connect. Usually, selecting Accounts in this organizational directory only is more than enough for your Azure AD authentication.
  4. Set the Redirect URI to Web and enter a valid URL, the URL to reach your Devolutions Server instance, with /api/external-provider-response at the end.
    Register an application
    Register an application
  5. Click on Register.
  6. Click on Copy to clipboard next to Application (client) ID.
    Copy the application ID
    Copy the application ID

In Devolutions Server

  1. Paste the Application (client) ID in the Client ID field.
    Paste the application ID
    Paste the application ID

In the Azure Portal

  1. In the Authentication section, under Implicit grant and hybrid flows, enable Access tokens and ID tokens.
    Enable access tokens and ID tokens
    Enable access tokens and ID tokens
  2. Click Save.
  3. In the Certificates & secrets section, click New client secret.
    Certificates & secrets – New client secret
    Certificates & secrets – New client secret
  4. Enter a description and set an expiry date.
    Add a client secret
    Add a client secret
  5. Click Add.
  6. Copy the Value. Be sure to save the Value in a safe place before switching to another Azure Portal page, as the copy button will no longer be available.
    Copy the client secret value
    Copy the client secret value

In Devolutions Server

  1. Ensure the Use only the TokenID for authentication setting is disabled. This setting should only be activated if you have enabled ID tokens in Azure, but not access tokens, for retrocompatibility reasons.
  2. Paste the Value in the Secret value field.
    Paste the client secret value
    Paste the client secret value

In the Azure Portal

  1. In the API permissions section, click on Add a permission.
    API permissions – Add a permission
    API permissions – Add a permission
  2. Select Microsoft Graph.
    Microsoft Graph
    Microsoft Graph
  3. Select Application permissions.
    Application permissions
    Application permissions
  4. Select Group.Read.All under the Group section and User.Read.All under the User section.
    Group.Read.All permission
    Group.Read.All permission
    User.Read.All permission
    User.Read.All permission
  5. Click on Add permissions.
  6. Click the three dots next to the User.Read permission and remove it.
    Remove the User.Read permission
    Remove the User.Read permission
  7. Confirm the removal by clicking Yes, remove since this permission is not required for the sync application.
  8. If the Status of the User.Read.All and Group.Read.All permissions is set to Not granted, an administrator must grant consent. If the account used to create the application is already an administrator in Azure, click on Grant admin consent for <your organization>.
    Grant admin consent for your organization
    Grant admin consent for your organization

In Devolutions Server

  1. Click Save.

You should now be able to use the Microsoft button on the web interface.

After activating the Microsoft authentication, it may take a while for the cache to load before being able to import users and user groups. If the issue persists, please consult Unable to import Azure AD users or groups for troubleshooting via the Devolutions Server Console.

Microsoft authentication method
Microsoft authentication method

Following the login process, you may get a prompt to authorize the application to read the user accounts and groups. Check the Consent on behalf of your organization box then click Accept.

Accept permissions
Accept permissions

Give us Feedback