Configure Azure Active Directory App Registration

This document provides instructions to create an Application Registration on your Microsoft Azure Active Directory (AAD) instance, and to allow connection of User Workspace Manager Consoles and Agents to your AAD instance.

Instructions

The endpoint and console require an application registration to be set up in the AAD domain. This application uses a client certificate to allow the endpoint to access AAD without any user interaction. Steps to create the application are performed in the AAD portal using a suitably privileged account and are as follows:

  1. Go to the ‘Azure Active Directory’ page for the tenant. Click on ‘App Registrations’ in the left pane, then ‘New Registration’ on the right.

  2. Enter a name for the registration and ‘single tenant’ for the account type. A redirect URI is not required at this stage. Click on ‘Register’.

  3. Click on ‘Authentication’ on the left pane. On the right pane, click ‘Add a platform’ then click ‘Mobile and Desktop Applications’. Tick the first redirect URL:

    https://login.microsoftonline.com/common/oauth2/nativeclient

  4. Create or acquire a certificate for use by the endpoint. The application registration on the portal requires only the public key. Each endpoint needs the certificate with the private key installed in the Local Computer - Personal store. The certificate may be self-signed if required. A simple method to create the certificate is the PowerShell ‘New-SelfSignedCertificate’ cmdlet (see ‘Creating a Self-Signed Certificate’ below).

  5. Add the certificate to the application by going to the overview page and clicking on ‘Add certificate or secret’ and uploading the .cer file. The portal will display the certificate thumbprint, which is needed by the console when adding AAD conditions.

  6. Click on ‘API Permissions’ and add permissions as detailed below. Grant administrative consent for them where required.

Creating a Self-Signed Certificate

From an elevated PowerShell prompt, enter:

    # Subject name for the certificate; the same value is reused for the export file names below
    $certname = "My UWM Certificate"

    # Create a self-signed RSA 2048 / SHA256 signing certificate with an exportable private key
    $cert = New-SelfSignedCertificate -Subject "CN=$certname" `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 `
        -KeyAlgorithm RSA -HashAlgorithm SHA256

This will create the certificate in the current user personal store with an exportable private key. It can be exported either by using certmgr.msc or with the following PowerShell commands (using the $cert variable from above):

    # Public key only (.cer) - this is the file uploaded to the app registration
    Export-Certificate -Cert $cert -FilePath "$certname.cer"

  • Exports the .cer file for upload to the portal.

    # Private key (.pfx) protected by a password; $pfxPassword is used rather than $pwd
    # so the automatic $PWD (current directory) variable is not shadowed
    $pfxPassword = ConvertTo-SecureString -String "myPassword" -Force -AsPlainText
    Export-PfxCertificate -Cert $cert -FilePath "$certname.pfx" `
        -Password $pfxPassword

  • Exports a .pfx file protected by the specified password. This contains the private key needed by endpoints.

The certificate may be deleted from the current user personal store after generating the .pfx and .cer files.
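The steps above produce the .pfx but do not show the endpoint side of step 4 and step 5: installing it into the Local Computer - Personal store and confirming it is the certificate the portal shows. The following script is an added example, not part of the original instructions or the product; the .pfx path and expected thumbprint are placeholders to replace with your own values.

```powershell
# Added example: install the exported .pfx on an endpoint and verify it matches
# the app registration. Placeholder values - replace before use.
$pfxPath            = "C:\UWM\My UWM Certificate.pfx"   # placeholder path to the exported .pfx
$expectedThumbprint = "<THUMBPRINT SHOWN IN THE PORTAL>" # placeholder, copy from step 5
$pfxPassword        = Read-Host -Prompt "PFX password" -AsSecureString

# Import into Local Computer - Personal (Cert:\LocalMachine\My).
# Without -Exportable the private key cannot be exported again from the
# endpoint, which is the safer default for a machine credential.
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Password $pfxPassword

# PowerShell string comparison is case-insensitive, so the portal's
# upper-case hex thumbprint compares correctly against the store value.
if ($imported.Thumbprint -ne $expectedThumbprint) {
    throw "Installed thumbprint $($imported.Thumbprint) does not match the app registration."
}

# The endpoint must hold the private half; a .cer import would fail this check.
if (-not $imported.HasPrivateKey) {
    throw "Certificate was imported without a private key; re-export the .pfx and retry."
}

# AAD rejects an expired client certificate, so flag upcoming expiry early.
$daysLeft = ($imported.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Certificate expires in $daysLeft days; renew it and update the app registration."
}

Write-Output "OK: $($imported.Subject) [$($imported.Thumbprint)] installed in LocalMachine\My, valid until $($imported.NotAfter)"
```

Run it from an elevated prompt on each endpoint; a non-zero exit from either throw means the console's AAD conditions will not be able to use that machine's certificate.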

Console AAD Condition Support

The configuration contains Azure AD Tenant details providing connection information for endpoints. The information can be entered via the Manage tab for Environment Manager, the Global Settings tab for Application Control, and the Resources Setup tab for Performance Manager. The following links pertain to specific AAD functionality for each product.

Application Control:

Creating a connection to Azure Active Directory

Group Rules

User Rules

Environment Manager:

Creating a connection to Azure Active Directory

Performance Manager:

Creating a connection to Azure Active Directory