Azure ManagementStudio App Config

Modified on Thu, 26 Jan 2023 at 10:33 AM

TABLE OF CONTENTS

Introduction
App Registration
- Creating an Azure App Registration
- Authentication and Permissions
  - Auth: User/Pass
  - Auth: Client Secret
Permissions

Introduction

For ManagementStudio's various connectors to access data inside of Azure an App registration is required in Azure. The App registration provides a group of permissions and access rights to ManagmentStudio. It is recommended (but not required) that a new App registration is created per connector being used.

App Registration

Creating an Azure App Registration

Open Azure
Navigate to'App registrations'
Click New Registration'
1. Name the App e.g. 'ManagementStudio AD Connector'
2. Select 'Accounts in this organization only'
3. Leave the redirect url blank
4. Click 'Register

Authentication and Permissions

Depending on the Auth type (User/Pass or Client Secret) different configurations are required.

Auth: User/Pass

Authentication
1. Set 'Enable the following mobile and desktop flows' to Yes.
2. Save
Provision API permissions
1. Permissions must be added as 'Delegated permissions'
2. Refer to the list of required permissions from the section below.
3. Grant Admin consent

Auth: Client Secret

Certificates & secrets
1. From the left nav bar Click 'Certificates & secrets'
2. Click 'New client secret'
  1. Name the secret e.g. 'ManagementStudio Secret'
  2. Set the Expires to 24 months
  3. Click Add
3. Note the secret 'Value' this will only be displayed once in the UI
  1. NB: Take note of this value immediately
Provision API permissions
1. Click API permissions in the left nav bar
2. Permissions must be added as 'Application permissions'
3. Refer to the list of required permissions from the section below. So, for User Read select Microsoft Graph 1st from the object list.
4. Be sure to select add permissions
5. Finally grant Admin consent above the list of permissions
Gather Data Needed to populate the ManagementStudio Azure Connector Settings
1. Click Overview
2. Copy the Application (Client) ID
3. Copy the Directory (tenant) ID
4. The 'Value' saved from step 3.1 above

Permissions

Azure AD Connector

Microsoft Graph Permissions

Section	Permission	Note
Directory	Directory.Read.All
User	User.Read.All
Device	Device.Read.All
AuditLog	AuditLog.read.All	Optional: To get Users 'Last Login Time'
GroupMember	GroupMember.Read.All
GroupMember	GroupMember.ReadWrite .All	Optional: Allows ESM to Add/Remove items from Azure Groups

InTune Connector (Coming Soon)

Microsoft Graph Permissions

Section	Permission	Note
DeviceManagementManagedDevices	DeviceManagementManagedDevices .Read.All

Email Send / Receive

NB: Email only supports Delegate access for permissions.

Microsoft Graph Permissions

Section	Permission	Note
OpenId permissions	email
OpenId permissions	offline_access
POP	POP.AccessAsUser.All
SMTP	SMTP.Send

Single Sign On (Coming Soon)

Microsoft Graph Permissions

Section	Permission	Note
User	User.Read

Dataverse Connector (Coming Soon)

Dynamics CRM Permissions

Section	Permission	Note
Dynamics Data Integration	user_impersonation	Most of the Dataverse permissions are set inside Dataverse. This permission acts as a bridge