Single Sign-On (SSO) - Active Directory or Azure

Modified on Wed, 4 Dec at 3:29 PM

How to enable Active Directory Authentication

This section refers to on-premises Active Directory.

Allow Client Login

  • ManagementStudio automatically authenticates the user who is logging in against the domain that the service account is a member of.
  • No additional configuration is required for client login.


Create Accounts / Sync Roles

  • Create an Azure AD Connector (or use an existing one)
  • Go to: Administration\Role Groups
    • Add the name of the Azure group whose members should be read to the ‘Az Group’ field.
      • Optionally prefix the group name with the connector name: “[Azure Conn Name]\[Azure Group Name]”
      • Multiple group names can be entered by separating them with a ;
      • Optionally tick ‘AD User Source’ to create accounts in MS from the AD/Az group members


Allow Portal Login

Add the Server Role

  • Web Server (IIS)\Web Server\Security\Windows Authentication

Configure Authentication in IIS

  • Anonymous Authentication: Enabled
  • Windows Authentication: Enabled
  • All others present: Disabled

Update appsettings.json

See section at bottom of page.


How to enable Azure Authentication

Azure Application

  • Create an Azure AD Connector (or use an existing one)
  • Required API Permissions (Application Permission)
    • GroupMember.Read.All
    • User.ReadBasic.All
  • Go to Authentication
  • Check the box for 'https://[ManagementStudioUrl]/signin-oidc'
    • The URI must be HTTPS
    • Replace localhost with your ManagementStudio URL(s)
  • Tick the option 'ID tokens (used for implicit and hybrid flows)'
  • Configure either a Client Secret or a Certificate to use for authentication
  • Save the configuration


ManagementStudio Allow Azure Client Login

  • Go to: Administration\Global Settings
    • Enter the Tenant ID / Client ID of the Azure App that will authenticate the user
    • Enter either the Client Secret or the Certificate used to authenticate with the Azure App


Create Accounts / Sync Roles

Used to get ManagementStudio accounts set up from Azure groups. Not needed for portal access.

  • Go to: Administration\Role Groups
    • Add the name of the Azure group whose members should be read to the ‘Az Group’ field.
    • Optionally prefix the group name with the connector name: “[Azure Conn Name]\[Azure Group Name]”
    • Multiple group names can be entered by separating them with a ;
    • Optionally tick ‘AD User Source’ to create accounts in MS from the AD/Az group members


Allow Portal Login

  • Go to: Administration\Global Settings
  • Enter the Tenant ID / Client ID of the Azure App that will authenticate the user
  • Update the Azure Application
    • Go to Authentication
    • Add a platform, select 'Web'
    • Save configuration

Update appsettings.json

See section below.


Update appsettings.json

The appsettings.json file is located on the ManagementStudio IIS server, in the main website folder. It must be updated with one of the settings blocks below.

Copy the settings text for your scenario from the blocks below and paste it into appsettings.json.

The IIS service should be restarted for the changes to take effect.


For on-prem Active Directory authentication only (no Azure authentication)

    "PortalAuth": {
      "WindowsAuth": {
        "Enabled": true,
        "Comment": "WindowsAuth requires Windows Authentication to be enabled in IIS, without this MS will not launch!"
      }
    },


For Azure authentication only (no on-prem AD authentication)

    "PortalAuth": {
      "AzureAuth": {
        "Enabled": true
      }
    },


For both on-prem Active Directory and Azure authentication

    "PortalAuth": {
      "WindowsAuth": {
        "Enabled": true,
        "Comment": "WindowsAuth requires Windows Authentication to be enabled in IIS, without this MS will not launch!"
      },
      "AzureAuth": {
        "Enabled": true
      }
    },
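As an added preflight check (not part of this article or the ManagementStudio product), the following Python script reads the PortalAuth section of appsettings.json and compares it with the IIS authentication state and the Azure redirect URI from the steps above, reporting the mismatches that would stop the portal from launching or break the Azure sign-in. The sample appsettings text, the dict layout used for the IIS settings, and the hostname are constructed assumptions.

```python
import json

# Constructed appsettings.json fragment, modelled on the "both" block above.
SAMPLE_APPSETTINGS = """
{
  "PortalAuth": {
    "WindowsAuth": { "Enabled": true },
    "AzureAuth": { "Enabled": true }
  }
}
"""

# Constructed IIS authentication state for the site (assumed layout: name -> enabled).
SAMPLE_IIS_AUTH = {"Anonymous": True, "Windows": False, "Basic": True}


def check_portal_auth(appsettings_text, iis_auth, redirect_uri=None):
    """Return a list of findings for the PortalAuth config; an empty list means consistent."""
    cfg = json.loads(appsettings_text)
    auth = cfg.get("PortalAuth", {})
    win = bool(auth.get("WindowsAuth", {}).get("Enabled", False))
    az = bool(auth.get("AzureAuth", {}).get("Enabled", False))
    findings = []
    if not (win or az):
        findings.append("No portal login method enabled (WindowsAuth and AzureAuth both off)")
    # The article's own warning: WindowsAuth without IIS Windows Authentication stops MS launching.
    if win and not iis_auth.get("Windows", False):
        findings.append("WindowsAuth enabled but IIS Windows Authentication is disabled: MS will not launch")
    if not iis_auth.get("Anonymous", False):
        findings.append("IIS Anonymous Authentication must be enabled")
    # Every IIS authentication method other than Anonymous and Windows should be disabled.
    for name, enabled in iis_auth.items():
        if name not in ("Anonymous", "Windows") and enabled:
            findings.append(f"IIS {name} Authentication should be disabled")
    if az:
        if redirect_uri is None:
            findings.append("AzureAuth enabled but no signin-oidc redirect URI registered")
        else:
            uri = redirect_uri.lower()
            if not uri.startswith("https://"):
                findings.append("Azure redirect URI must use HTTPS")
            if "localhost" in uri:
                findings.append("Azure redirect URI still points at localhost")
            if not uri.endswith("/signin-oidc"):
                findings.append("Azure redirect URI should end with /signin-oidc")
    return findings
```

Running it against the constructed sample with the default localhost redirect URI reports the missing IIS Windows Authentication, the stray Basic Authentication, and the non-HTTPS localhost URI; a matching setup returns an empty list.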




Further Support

If you require further support, please visit ManagementStudio's Service Desk to search the knowledge base or create a new support ticket.