Introduction
For ManagementStudio's various connectors to access data inside Azure, an App registration is required in Azure. The App registration grants a set of permissions and access rights to ManagementStudio. It is recommended (but not required) that a new App registration is created per connector being used.
App Registration
Creating an Azure App Registration
- Open Azure
- Navigate to App registrations
- Click New Registration
- Name the App, e.g. ManagementStudio AAD Connector
- Select Accounts in this organization only
- Leave the Redirect URI blank
- Click Register
Authentication and Permissions
Depending on the Auth type (User/Pass or Client Secret), different configurations are required.
Auth: User/Pass
- Authentication
  - Set "Enable the following mobile and desktop flows" to Yes
  - Save
- Provision API permissions
  - Permissions must be added as Delegated permissions
  - Refer to the list of required permissions in the Permissions section below
  - Grant admin consent
Auth: Client Secret
- Certificates & secrets
  - From the left nav bar, click Certificates & secrets
  - Click New client secret
  - Name the secret, e.g. ManagementStudio Secret
  - Set the Expires value to 24 months (ENGAGE assessments should be set to 1 week)
  - Click Add
  - Note: the secret Value is only displayed once in the UI, so take note of it immediately
- Provision API permissions
  - Click API permissions in the left nav bar
  - Permissions must be added as Application permissions
  - Refer to the list of required permissions in the Permissions section below; for example, to add User Read, first select Microsoft Graph from the list of APIs
  - Be sure to click Add permissions
  - Finally, click Grant admin consent above the list of permissions
- Gather the data needed to populate the ManagementStudio Azure Connector settings
  - Click Overview
  - Copy the Application (client) ID
  - Copy the Directory (tenant) ID
  - The secret Value saved from the Certificates & secrets steps above
Permissions
Azure AD Connector
Microsoft Graph Permissions
| Section | Permission | Note |
|---|---|---|
| Directory | Directory.Read.All | |
| User | User.Read.All | |
| Device | Device.Read.All | |
| AuditLog | AuditLog.Read.All | Optional: to get users' 'Last Login Time' |
| GroupMember | GroupMember.Read.All | |
| GroupMember | GroupMember.ReadWrite.All | Optional: allows ESM to add/remove items from Azure groups (not required for ENGAGE assessments). |
Intune Connector
Microsoft Graph Permissions
| Section | Permission | Note |
|---|---|---|
| DeviceManagementApps | DeviceManagementApps.Read.All | Read Microsoft Intune apps |
| DeviceManagementManagedDevices | DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |
| Directory | Directory.Read.All | Read AD directory data |
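A consented registration can be checked against the two tables above without opening the portal: an app-only access token carries a `roles` claim listing the Application permissions that were actually granted. The following is an added Python example, not ManagementStudio's own code; it diffs that claim against the Azure AD and Intune connector tables so that missing permissions, optional ones, and excess grants that should be removed all show up. The token it inspects is a constructed sample, and the connector keys `aad`/`intune` are the example's own naming.

```python
import base64
import json

# Application permissions this page lists per connector (required vs optional).
REQUIRED = {
    "aad": {"Directory.Read.All", "User.Read.All", "Device.Read.All",
            "GroupMember.Read.All"},
    "intune": {"DeviceManagementApps.Read.All",
               "DeviceManagementManagedDevices.Read.All", "Directory.Read.All"},
}
OPTIONAL = {"aad": {"AuditLog.Read.All", "GroupMember.ReadWrite.All"}, "intune": set()}

def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT. The signature is NOT verified:
    this is a claim-inspection helper, not an authentication step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(token: str, connector: str) -> dict:
    """Compare the 'roles' claim (consented Application permissions) with the
    page's list: report what is missing, which optional ones are present, and
    any excess permissions that least privilege says should be removed."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    required, optional = REQUIRED[connector], OPTIONAL[connector]
    return {
        "missing": sorted(required - granted),
        "optional": sorted(granted & optional),
        "excess": sorted(granted - required - optional),
    }

def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (dummy signature) standing in for one returned by the
# client-credentials flow for the AAD connector registration.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "https://graph.microsoft.com", "appid": "<client-id-placeholder>",
             "roles": ["Directory.Read.All", "User.Read.All", "GroupMember.Read.All",
                       "GroupMember.ReadWrite.All", "Mail.ReadWrite"]}),
    "dummy-signature",
])

if __name__ == "__main__":
    print(audit_roles(SAMPLE_TOKEN, "aad"))
    # -> missing Device.Read.All, optional GroupMember.ReadWrite.All, excess Mail.ReadWrite
```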
Email Send / Receive
NB: Email only supports Delegated access for permissions.
Microsoft Graph Permissions
| Section | Permission | Note |
|---|---|---|
| OpenId permissions | offline_access | |
| POP | POP.AccessAsUser.All | |
| SMTP | SMTP.Send | |
Single Sign On (Coming Soon)
Microsoft Graph Permissions
| Section | Permission | Note |
|---|---|---|
| User | User.Read | |
Dataverse Connector (Coming Soon)
Dynamics CRM Permissions
| Section | Permission | Note |
|---|---|---|
| Dynamics Data Integration | user_impersonation | Most of the Dataverse permissions are set inside Dataverse; this permission acts as a bridge. |