Azure ManagementStudio App Config

Modified on Wed, 31 Jan 2024 at 02:35 PM

Introduction

For ManagementStudio's connectors to access data in Azure, an App registration is required in Azure. The App registration defines the set of permissions and access rights granted to ManagementStudio. It is recommended (but not required) that a separate App registration is created for each connector in use: each registration then holds only the permissions that connector needs, and a leaked secret exposes only that connector's access.



App Registration

Creating an Azure App Registration

  1. Open the Azure portal (https://portal.azure.com)
  2. Navigate to App registrations
  3. Click New registration
    1. Name the App, e.g. ManagementStudio AAD Connector
    2. Select Accounts in this organizational directory only (single tenant)
    3. Leave the Redirect URI blank
    4. Click Register


Authentication and Permissions

Depending on the Auth type selected in the ManagementStudio connector (User/Pass or Client Secret), a different configuration of the App registration is required.


Auth: User/Pass

  1. Authentication
    1. From the left nav bar, click Authentication
    2. Under Advanced settings, set Enable the following mobile and desktop flows to Yes
    3. Save
  2. Provision API permissions
    1. Click API permissions in the left nav bar
    2. Permissions must be added as 'Delegated permissions'
    3. Refer to the list of required permissions from the section below
    4. Grant Admin consent

Note: the User/Pass auth type signs in with the Resource Owner Password Credentials (ROPC) flow. The account used must be a cloud-only account without MFA, since ROPC cannot complete an interactive MFA challenge, and the connector only ever receives the permissions that account itself holds. Prefer the Client Secret auth type where the connector supports it.


Auth: Client Secret

  1. Certificates & secrets
    1. From the left nav bar, click Certificates & secrets
    2. Click New client secret
      1. Name the secret, e.g. ManagementStudio Secret
      2. Set the Expires value to 24 months (ENGAGE assessments should be set to 1 week)
      3. Click Add
    3. Note the secret's 'Value'; it is displayed only once in the UI
      1. NB: Copy this value immediately. If it is lost, delete the secret and create a new one. Treat it as a password: store it only in the ManagementStudio connector settings, never in tickets or email, and schedule a replacement before the expiry date, because the connector stops authenticating as soon as the secret lapses.
  2. Provision API permissions
    1. Click API permissions in the left nav bar
    2. Click Add a permission and select Microsoft Graph from the list of APIs
    3. Permissions must be added as Application permissions (not Delegated permissions)
    4. Tick each permission from the list in the section below (e.g. User.Read.All) and click Add permissions
    5. Finally, click Grant admin consent above the list of permissions. Application permissions have no effect until admin consent is granted.
  3. Gather the data needed to populate the ManagementStudio Azure Connector settings
    1. Click Overview
    2. Copy the Application (client) ID
    3. Copy the Directory (tenant) ID
    4. The secret 'Value' saved in step 1.3 above
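Once the three values are gathered, the quickest way to confirm that the registration, the permission type and the admin consent are all correct is to request a Microsoft Graph token with them and inspect its permission claims: Application permissions granted to a Client Secret registration appear in the token's `roles` claim, Delegated permissions granted to a User/Pass registration appear in its `scp` claim. The Python script below is an added example written for this page, not ManagementStudio tooling. The environment variable names (MS_TENANT_ID, MS_CLIENT_ID, MS_CLIENT_SECRET, and MS_USERNAME/MS_PASSWORD for the User/Pass type) are assumptions, the required and optional sets are copied from the Azure AD Connector permissions table in the Permissions section, and the sample token it falls back to without credentials is constructed and unsigned, not a real token.

```python
"""Post-setup check for a ManagementStudio App registration (added example).

Requests a Microsoft Graph access token with the values gathered above and
compares the token's permission claims with the connector's required list:
  - Application permissions (Client Secret auth type) are listed in `roles`.
  - Delegated permissions (User/Pass auth type) are space-separated in `scp`.
A required permission missing from the token means it was added as the wrong
kind (Delegated vs Application) or admin consent was never granted.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# From the "Azure AD Connector" permissions table on this page.
AAD_CONNECTOR_REQUIRED = {
    "Directory.Read.All", "User.Read.All", "Device.Read.All",
    "GroupMember.Read.All",
}
AAD_CONNECTOR_OPTIONAL = {"AuditLog.Read.All", "GroupMember.ReadWrite.All"}


def build_token_request(tenant_id, client_id, client_secret=None,
                        username=None, password=None):
    """Return (url, form body) for the v2.0 token endpoint.

    With a username the Resource Owner Password Credentials grant is used
    (the User/Pass auth type; a public client, so no secret is sent),
    otherwise the client_credentials grant (the Client Secret auth type).
    """
    form = {"client_id": client_id, "scope": GRAPH_SCOPE}
    if username is not None:
        form.update(grant_type="password", username=username, password=password)
    else:
        form.update(grant_type="client_credentials", client_secret=client_secret)
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def request_token(url, body):
    """POST the form to the token endpoint and return the access token."""
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. Acceptable here
    only because the token was just received over TLS from the token endpoint
    and is merely inspected; never authorise anything on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims):
    """Union of application (`roles`) and delegated (`scp`) permissions."""
    granted = set(claims.get("roles", []))
    granted.update(claims.get("scp", "").split())
    return granted


def check_permissions(claims, required, optional=frozenset()):
    """`unexpected` flags anything beyond the documented set: a registration
    dedicated to one connector should hold only what that connector needs."""
    granted = granted_permissions(claims)
    return {
        "missing_required": sorted(required - granted),
        "missing_optional": sorted(optional - granted),
        "unexpected": sorted(granted - required - optional),
    }


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample (not a real token): an unsigned JWT with a placeholder
# signature imitating a client_credentials token for a registration where
# AuditLog.Read.All was never consented and Mail.Read was added by mistake.
SAMPLE_APP_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256"}),
    _b64url({"aud": "https://graph.microsoft.com",
             "roles": ["Directory.Read.All", "User.Read.All", "Device.Read.All",
                       "GroupMember.Read.All", "Mail.Read"]}),
    "placeholder-signature",
])


if __name__ == "__main__":
    tenant = os.environ.get("MS_TENANT_ID")      # variable names are assumptions
    if tenant:
        url, body = build_token_request(
            tenant, os.environ["MS_CLIENT_ID"],
            client_secret=os.environ.get("MS_CLIENT_SECRET"),
            username=os.environ.get("MS_USERNAME"),
            password=os.environ.get("MS_PASSWORD"))
        token = request_token(url, body)
    else:
        token = SAMPLE_APP_TOKEN                  # offline demonstration
    result = check_permissions(decode_jwt_claims(token),
                               AAD_CONNECTOR_REQUIRED, AAD_CONNECTOR_OPTIONAL)
    for key, perms in result.items():
        print(f"{key}: {perms or '-'}")
```

With the environment variables set, the script exercises the real token endpoint and reports against the Azure AD Connector list; without them it evaluates the constructed sample and reports AuditLog.Read.All and GroupMember.ReadWrite.All as missing optional permissions and Mail.Read as unexpected. For the Intune or Email connectors, swap in the permission names from their tables in the Permissions section.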



Permissions

Azure AD Connector


Microsoft Graph Permissions


Section       Permission                  Note
Directory     Directory.Read.All
User          User.Read.All
Device        Device.Read.All
AuditLog      AuditLog.Read.All           Optional: needed to get users' 'Last Login Time'
GroupMember   GroupMember.Read.All
GroupMember   GroupMember.ReadWrite.All   Optional: allows ESM to add/remove items from Azure groups (not required for ENGAGE assessments). Grant only if group write-back is actually used.



Intune Connector


Microsoft Graph Permissions


Section                         Permission                                Note
DeviceManagementApps            DeviceManagementApps.Read.All             Read Microsoft Intune apps
DeviceManagementManagedDevices  DeviceManagementManagedDevices.Read.All   Read Microsoft Intune devices
Directory                       Directory.Read.All                        Read AD directory data



Email Send / Receive


NB: Email only supports Delegated permissions, so the App registration for Email must be configured as described under Auth: User/Pass above.


Microsoft Graph Permissions


Section             Permission             Note
OpenId permissions  email
OpenId permissions  offline_access         Issues a refresh token so the mailbox session survives access-token expiry
POP                 POP.AccessAsUser.All   Receive
SMTP                SMTP.Send              Send



Single Sign On (Coming Soon)


Microsoft Graph Permissions


Section   Permission   Note
User      User.Read



Dataverse Connector (Coming Soon)


Dynamics CRM Permissions


Section                    Permission          Note
Dynamics Data Integration  user_impersonation  Most of the Dataverse permissions are set inside Dataverse; this permission acts as the bridge