TABLE OF CONTENTS
Introduction
For ManagementStudio's various connectors to access data inside of Azure an App registration is required in Azure. The App registration provides a group of permissions and access rights to ManagementStudio. It is recommended (but not required) that a new App registration is created per connector being used.
App Registration
Creating an Azure App Registration
- Open Azure
- Navigate to App registrations
- Click New Registration
- Name the App e.g. ManagementStudio AAD Connector
- Select Accounts in this organization only
- Leave the redirect url blank
- Click Register
Authentication and Permissions
Depending on the Auth type (User/Pass or Client Secret) different configurations are required.
Auth: User/Pass
- Authentication
- Set Enable the following mobile and desktop flows to Yes.
- Save
- Provision API permissions
- Permissions must be added as 'Delegated permissions'
- Refer to the list of required permissions from the section below.
- Grant Admin consent
Auth: Client Secret
- Certificates & secrets
- From the left nav bar, click Certificates & secrets
- Click New client secret
- Name the secret e.g. ManagementStudio Secret
- Set the Expires value to 24 months (ENGAGE assessments should be set to 1 week)
- Click Add
- Note: the secret 'Value' this will only be displayed once in the UI
- NB: Take note of this value immediately
- From the left nav bar, click Certificates & secrets
- Provision API permissions
- Click API permissions in the left nav bar
- Permissions must be added as Application permissions
- Refer to the list of required permissions from the section below. So, for User Read select Microsoft Graph 1st from the object list. 
- Be sure to select add permissions
- Finally grant Admin consent above the list of permissions
- Gather Data Needed to populate the ManagementStudio Azure Connector Settings
- Click Overview
- Copy the Application (Client) ID
- Copy the Directory (tenant) ID
- The 'Value' saved from step 3.1 above
Permissions
Azure AD Connector
Microsoft Graph Permissions
| Section | Permission | Note |
|---|---|---|
| Directory | Directory.Read.All | |
| User | User.Read.All | |
| Device | Device.Read.All | |
| AuditLog | AuditLog.read.All | Optional: To get Users 'Last Login Time' |
| GroupMember | GroupMember.Read.All | |
| GroupMember | GroupMember.ReadWrite .All | Optional: Allows ESM to Add/Remove items from Azure Groups (not required for ENGAGE assessments). |
Intune Connector
Microsoft Graph Permissions
| Section | Permission | Note |
|---|---|---|
| DeviceManagementApps | DeviceManagementApps.Read.All | Read Microsoft Intune apps |
| DeviceManagementManagedDevices | DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |
| Directory | Directory.Read.All | Read AD directory data |
SMTP Email Send / Receive
NB: Email only supports Delegate access for permissions.
Microsoft Graph Permissions
| Section | Permission | Note |
|---|---|---|
| OpenId permissions | ||
| OpenId permissions | offline_access | |
| POP | POP.AccessAsUser.All | |
| SMTP | SMTP.Send |
Azure Email API
Azure Email API
| Section | Permission | Type | Note |
|---|---|---|---|
| Mail.Send | Application | Allow ManagementStudio to send emails as another account, i.e. a project mailbox |
Single Sign On
Microsoft Graph Permissions
| Section | Permission | Note |
|---|---|---|
| User | User.Read |
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article