TABLE OF CONTENTS
- How to enable Active Directory Authentication
- How to enable Azure Authentication
- Update appsettings.json
- Further Support
How to enable Active Directory Authentication
This refers to on-premises Active Directory.
Allow Client Login
- ManagementStudio automatically authenticates the user logging in with the domain that the service account is a member of.
- No additional configuration is required for login.
Create Accounts / Sync Roles
- Create an Azure AD Connector (or use an existing one)
- Go to: Administration\Role Groups
- Add the name of the Azure Group to read Users to the ‘Az Group’ field.
- Optionally prefix the group name with “[Azure Conn Name]\[Azure Group Name]”
- Multiple Group names can be entered by separating them with a ;
- Optionally tick ‘AD User Source’ to create accounts in MS from the AD/Az Group members
Allow Portal Login
Add the Server Role
- Web Server (IIS)\Web Server\Security\Windows Authentication
Configure Authentication in IIS
- Anonymous Authentication: Enabled
- Windows Authentication: Enabled
- All others present: Disabled
Update appsettings.json
See section at bottom of page.
How to enable Azure Authentication
Azure Application
- Create an Azure AD Connector (or use an existing one)
- Required API Permissions (Application Permission)
- GroupMember.Read.All
- User.ReadBasic.All
- Check the box for 'https://[ManagementStudioUrl]/signin-oidc'
- Note the URL must be HTTPS
- Tick the option 'ID tokens (used for implicit and hybrid flows)'
- Configure either a Client Secret or Certificate to use for authentication
Allow Client Login
- Go to: Administration\Global Settings
- Enter the Tenant ID / Client ID of the Azure App to authenticate the User with
- Enter either a Client Secret or Certificate to use to authenticate with the Azure App
- Update the Azure Application Configuration
- Go to Authentication
- Add a platform, select 'Mobile and desktop applications'
- Check the box for 'https://login.microsoftonline.com/common/oauth2/nativeclient'
- Save configuration
Create Accounts / Sync Roles
- Go to: Administration\Role Groups
- Add the name of the Azure Group to read Users to the ‘Az Group’ field.
- Optionally prefix the group name with “[Azure Conn Name]\[Azure Group Name]”
- Multiple Group names can be entered by separating them with a ;
- Optionally tick ‘AD User Source’ to create accounts in MS from the AD/Az Group members
Allow Portal Login
- Go to: Administration\Global Settings
- Enter the Tenant ID / Client ID of the Azure App to authenticate the User with
- Update the Azure Application
- Go to Authentication
- Add a platform, select 'Web'
- Save configuration
Update appsettings.json
See section below.
Update appsettings.json
The appsettings.json file is located on the ManagementStudio IIS server, in the main website folder. This requires updating with the changes below.
Copy the required settings text from below then place the cursor here and paste in the text.
Example:
The IIS service should be restarted for the changes to take effect.
For on-prem Active Directory authentication only (no Azure authentication)
"PortalAuth": {
    "WindowsAuth": {
        "Enabled": true,
        "Comment": "WindowsAuth requires Windows Authentication to be enabled in IIS, without this MS will not launch!"
    }
},
For Azure authentication only (no on-prem AD authentication)
"PortalAuth": {
    "AzureAuth": {
        "Enabled": true
    }
},
For both on-prem Active Directory and Azure authentication
"PortalAuth": {
    "WindowsAuth": {
        "Enabled": true,
        "Comment": "WindowsAuth requires Windows Authentication to be enabled in IIS, without this MS will not launch!"
    },
    "AzureAuth": {
        "Enabled": true
    }
},
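The PowerShell check below is an added example, not part of ManagementStudio's documentation or tooling. It reads PortalAuth from appsettings.json and, when WindowsAuth is enabled, confirms the IIS states listed under 'Configure Authentication in IIS' before IIS is restarted. The site folder and IIS site name are assumed values, and treating Basic and Digest as the "others" to keep disabled is also an assumption.

```powershell
# Added example: confirm appsettings.json and IIS agree before restarting IIS.
# $SitePath and $SiteName are assumed values; change them to match the server.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\ManagementStudio',
    [string]$SiteName = 'ManagementStudio'
)
Import-Module WebAdministration

# Read the PortalAuth block; a missing key is treated as disabled.
$json  = Get-Content -Raw -Path (Join-Path $SitePath 'appsettings.json') | ConvertFrom-Json
$winOn = [bool]$json.PortalAuth.WindowsAuth.Enabled
$azOn  = [bool]$json.PortalAuth.AzureAuth.Enabled

# Return the 'enabled' attribute of one IIS authentication section for the site.
function Get-IisAuthEnabled([string]$Section) {
    $filter = "/system.webServer/security/authentication/$Section"
    $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
                -Filter $filter -Name 'enabled' -ErrorAction SilentlyContinue
    if ($null -eq $attr) { return $null }   # section could not be read
    return [bool]$attr.Value
}

$problems = @()
if ($winOn) {
    # Expected state from "Configure Authentication in IIS" on this page.
    $expected = [ordered]@{
        anonymousAuthentication = $true
        windowsAuthentication   = $true
        basicAuthentication     = $false
        digestAuthentication    = $false
    }
    foreach ($name in $expected.Keys) {
        $actual = Get-IisAuthEnabled $name
        # A scheme that is not present cannot be enabled, so skip it.
        if ($null -eq $actual -and -not $expected[$name]) { continue }
        if ($actual -ne $expected[$name]) {
            $problems += "$name is '$actual' in IIS, expected '$($expected[$name])'"
        }
    }
}

"WindowsAuth enabled: $winOn; AzureAuth enabled: $azOn"
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"IIS authentication settings match appsettings.json"
```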
Further Support
If you require further support, please visit ManagementStudio's Service Desk to search the knowledge base or create a new support ticket.