Azure ManagementStudio App Config

Modified on Thu, 26 Jan 2023 at 10:33 AM



For ManagementStudio's various connectors to access data inside Azure, an App registration is required in Azure. The App registration provides a group of permissions and access rights to ManagementStudio. It is recommended (but not required) that a new App registration is created for each connector being used.

App Registration

Creating an Azure App Registration

  1. Open Azure
  2. Navigate to 'App registrations'
  3. Click 'New Registration'
    1. Name the App e.g. 'ManagementStudio AD Connector'
    2. Select 'Accounts in this organization only'
    3. Leave the redirect URL blank
    4. Click 'Register'

Authentication and Permissions

Depending on the Auth type (User/Pass or Client Secret) different configurations are required.

Auth: User/Pass

  1. Authentication
    1. Set 'Enable the following mobile and desktop flows' to Yes.
    2. Save
  2. Provision API permissions
    1. Permissions must be added as 'Delegated permissions'
    2. Refer to the list of required permissions from the section below.
    3. Grant Admin consent

Auth: Client Secret

  1. Certificates & secrets
    1. From the left nav bar Click 'Certificates & secrets' 
    2. Click 'New client secret'
      1. Name the secret e.g. 'ManagementStudio Secret'
      2. Set 'Expires' to 24 months
      3. Click Add
    3. Note the secret 'Value'; this will only be displayed once in the UI
      1. NB: Take note of this value immediately 
  2. Provision API permissions
    1. Click API permissions in the left nav bar
    2. Permissions must be added as 'Application permissions'
    3. Refer to the list of required permissions from the section below. For example, for User Read, select Microsoft Graph first from the object list.
    4. Be sure to select 'Add permissions'
    5. Finally grant Admin consent above the list of permissions
  3. Gather Data Needed to populate the ManagementStudio Azure Connector Settings
    1. Click Overview
    2. Copy the Application (Client) ID
    3. Copy the Directory (tenant) ID
    4. The 'Value' saved from step 3.1 above


Azure AD Connector

Microsoft Graph Permissions

Device | Device.Read.All | To get Users 'Last Login Time'
GroupMember | GroupMember.ReadWrite.All | Optional: Allows ESM to Add/Remove items from Azure Groups
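
To confirm that admin consent granted only what the connector needs, the permissions carried by an issued access token can be compared with the list above. This is an added example, not ManagementStudio or Microsoft code; it assumes the token is a JWT whose 'roles' claim carries Application permissions and whose 'scp' claim carries Delegated permissions, and the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions this page lists for the Azure AD Connector.
REQUIRED = {"Device.Read.All"}
OPTIONAL = {"GroupMember.ReadWrite.All"}


def token_claims(access_token):
    """Decode the JWT payload for inspection only (no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_permissions(access_token, required=REQUIRED, optional=OPTIONAL):
    """Compare permissions carried by the token with the expected set.

    Client Secret auth (Application permissions) puts them in 'roles';
    User/Pass auth (Delegated permissions) puts them in 'scp'.
    """
    claims = token_claims(access_token)
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return {
        "missing": sorted(required - granted),
        "unexpected": sorted(granted - required - optional),
    }


def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


if __name__ == "__main__":
    # Constructed sample: an over-privileged app registration.
    sample = make_sample_token(
        {"roles": ["Device.Read.All", "Directory.ReadWrite.All"]})
    print(audit_permissions(sample))
```

Any entry under 'unexpected' is a permission that was consented but is not in the connector's list and is a candidate for removal from the App registration.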

InTune Connector (Coming Soon)

Microsoft Graph Permissions

DeviceManagementManagedDevices | DeviceManagementManagedDevices.Read.All

Email Send / Receive

NB: Email only supports Delegate access for permissions.

Microsoft Graph Permissions

OpenId permissions | email
OpenId permissions | offline_access

Single Sign On (Coming Soon)

Microsoft Graph Permissions


Dataverse Connector (Coming Soon)

Dynamics CRM Permissions

Dynamics Data Integration | user_impersonation | Most of the Dataverse permissions are set inside Dataverse. This permission acts as a bridge