Introduction
For ManagementStudio's various connectors to access data inside Azure, an App registration is required in Azure. The App registration provides a group of permissions and access rights to ManagementStudio. It is recommended (but not required) that a separate App registration is created for each connector being used, so each one holds only the permissions that connector needs.
App Registration
Creating an Azure App Registration
- Open Azure
- Navigate to 'App registrations'
- Click 'New registration'
- Name the App, e.g. 'ManagementStudio AD Connector'
- Select 'Accounts in this organization only'
- Leave the Redirect URI blank
- Click 'Register'
Authentication and Permissions
Depending on the Auth type (User/Pass or Client Secret), different configurations are required.
Auth: User/Pass
- Authentication
  - Set 'Enable the following mobile and desktop flows' to Yes
  - Save
- Provision API permissions
  - Permissions must be added as 'Delegated permissions'
  - Refer to the list of required permissions in the section below
  - Grant Admin consent
Auth: Client Secret
- Certificates & secrets
  - From the left nav bar, click 'Certificates & secrets'
  - Click 'New client secret'
  - Name the secret, e.g. 'ManagementStudio Secret'
  - Set Expires to 24 months
  - Click 'Add'
  - Note the secret 'Value'; it is displayed only once in the UI
  - NB: Take note of this value immediately
- Provision API permissions
  - Click 'API permissions' in the left nav bar
  - Permissions must be added as 'Application permissions'
  - Refer to the list of required permissions in the section below. For example, for the User Read permission, first select Microsoft Graph from the list of APIs, then pick the permission.
  - Be sure to click 'Add permissions'
  - Finally, grant Admin consent above the list of permissions
- Gather the data needed to populate the ManagementStudio Azure Connector settings
  - Click 'Overview'
  - Copy the Application (client) ID
  - Copy the Directory (tenant) ID
  - The secret 'Value' saved in the Certificates & secrets step (step 3.1 above)
Permissions
Azure AD Connector
Microsoft Graph Permissions
Section | Permission | Note
---|---|---
Directory | Directory.Read.All | 
User | User.Read.All | 
Device | Device.Read.All | 
AuditLog | AuditLog.Read.All | Optional: to get users' 'Last Login Time'
GroupMember | GroupMember.Read.All | 
GroupMember | GroupMember.ReadWrite.All | Optional: allows ESM to add/remove items from Azure groups
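As an added check (not part of ManagementStudio's documentation), the script below decodes an access token issued for the App registration and compares the Graph permissions it carries against the Azure AD Connector table above: required permissions that are absent, optional ones that are present, and any grant beyond the table, which is where over-privileged registrations show up. The sample token is constructed and unsigned; the check reads claims only and does not replace signature validation.

```python
import base64
import json
from typing import Dict, Set

# Microsoft Graph permissions for the Azure AD Connector, taken from the table above.
REQUIRED = {"Directory.Read.All", "User.Read.All", "Device.Read.All", "GroupMember.Read.All"}
OPTIONAL = {"AuditLog.Read.All", "GroupMember.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(jwt: str) -> Set[str]:
    """Return the Graph permissions carried by an access token.

    Application permissions (Client Secret auth) arrive in the 'roles' claim as a list;
    delegated permissions (User/Pass auth) arrive in 'scp' as a space-separated string.
    The signature is not verified here: this is a configuration audit, not token validation.
    """
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    perms = set(payload.get("roles", []))
    perms.update(payload.get("scp", "").split())
    return perms


def _covers(granted: Set[str], perm: str) -> bool:
    """A ReadWrite.All grant also satisfies the matching Read.All requirement."""
    return perm in granted or perm.replace(".Read.", ".ReadWrite.") in granted


def audit(jwt: str) -> Dict[str, Set[str]]:
    """Compare the token's permissions with the connector's permission table."""
    granted = token_permissions(jwt)
    return {
        "missing": {p for p in REQUIRED if not _covers(granted, p)},
        "optional": granted & OPTIONAL,
        "excess": granted - REQUIRED - OPTIONAL,
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed for this example, not issued by Entra ID)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: one optional grant present, one grant that is not in the table at all.
SAMPLE_TOKEN = constructed_token({"aud": "https://graph.microsoft.com", "roles": [
    "Directory.Read.All", "User.Read.All", "Device.Read.All",
    "GroupMember.ReadWrite.All", "Mail.ReadWrite"]})

if __name__ == "__main__":
    print(audit(SAMPLE_TOKEN))
```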
Intune Connector (Coming Soon)
Microsoft Graph Permissions
Section | Permission | Note
---|---|---
DeviceManagementManagedDevices | DeviceManagementManagedDevices.Read.All | 
Email Send / Receive
NB: Email only supports Delegated permissions.
Microsoft Graph Permissions
Section | Permission | Note
---|---|---
OpenId permissions | offline_access | 
POP | POP.AccessAsUser.All | 
SMTP | SMTP.Send | 
Single Sign On (Coming Soon)
Microsoft Graph Permissions
Section | Permission | Note
---|---|---
User | User.Read | 
Dataverse Connector (Coming Soon)
Dynamics CRM Permissions
Section | Permission | Note
---|---|---
Dynamics Data Integration | user_impersonation | Most of the Dataverse permissions are set inside Dataverse; this permission acts as a bridge.