
Register service principal in Azure AD when used with Office 365


Summary

During the configuration of RealTime Service (RTS) with Active Directory in O365 (Azure AD), we need to create an application registration with rights to read Active Directory objects in your O365 tenant.

Make sure to fill in the correct tenant name when you add the O365 domain to RTS.

You can either use the built-in “Create/Update” function as described in Option 1 below, or one of the alternative methods of registering the application in Azure AD described in Options 2 and 3, where you then fill in the “App principal ID” and “password” fields manually. We recommend using Option 2 or 3.



Option 1: Use the built-in Create/Update feature

This feature presents a login dialog, and the app registration is performed with the permissions of the user who signs in there.

Ensure that the AzureAD PowerShell module is installed on the server.

See this reference: https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0

These are the requirements for the user entered here:

  1. The user cannot have MFA enabled.
  2. The permissions of the user must be either:
     a. Global Admin, or
     b. A regular user with these Azure AD roles:
        i. Application administrator
        ii. Privileged role administrator


Option 2: Manually register your web app in Azure AD

1. Log on to the Azure portal with your Azure account.

2. If your account gives you access to more than one tenant, click your account in the top right corner and set your portal session to the desired Azure AD tenant.

3. In the left-hand navigation pane, click the Azure Active Directory service (if it is absent, click All services and find it by name), click App registrations, and click New registration.

4. When the Register an application page appears, enter your application's registration information:

  • Name: Enter realtimeservice (or any name you want).

Note: The name of the web app must not include spaces or digits.

  • Supported account types: Select ‘Accounts in this organizational directory only’.
  • Redirect URI: Enter your web app URL (the address of a web page where users can sign in and use your app).

The App ID URI is your Azure tenant URI followed by your app name (the unique identifier by which Azure AD identifies your app).

5. When finished, click Register.

6. Go to Certificates & secrets → New client secret (key).

7. Add a description for your key and click [Add]. After you save the configuration changes, the right-most column will contain the key value (the Password).

Be sure to copy the key for use in Real Time Service (in its Password field), as it is not accessible once you leave this page.

8. Click [Overview] to go back. The Application ID field contains the App principal ID for Real Time Service.

  • Click the API permissions section in the menu, then Add a permission. On the Microsoft APIs tab, select Azure Active Directory Graph.

  • In the panel that opens, click [Application permissions], scroll down to Directory and tick the [Directory.Read.All] permission.

  • Click [Add permissions] at the bottom of the panel. Then click [Grant admin consent for VECD] (the button shows your tenant's name) to finish.


Option 3: Using PowerShell

Here is an example script (put it into one file); it requires the AzureAD module to be installed on the server.

Note:

- Verify that the correct value is selected for ServiceEnvironment.

- The script is intended to be executed from the application server, since we append the server name to the name of the app in Azure.

- You may need to change your execution policy to allow execution of unsigned scripts.

Once executed, the script returns a set of values.

The values must be entered as follows:

  • SPAPPID must be entered in the “App principal ID” field.
  • SPPWD must be entered in the “password” field.
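The following is an added example of such a script, written for this article and not the attached register_app_-_v2.0.ps1 from the RTS project. It does with the AzureAD module what Option 2 does in the portal: registers the application, creates its service principal, requests the Directory.Read.All application permission on Azure AD Graph, creates a client secret with an explicit expiry, and returns SPAPPID and SPPWD. The parameter names ($ServiceEnvironment, $AppBaseName, $ReplyUrl, $SecretValidYears), the placeholder reply URL and the "rts-" key identifier are this example's own assumptions; the permission role ID is looked up at run time rather than hard-coded.

```powershell
# Added example (not the attached register_app_-_v2.0.ps1): register an RTS
# application in Azure AD with the AzureAD module and return SPAPPID / SPPWD.
# Assumes the AzureAD module is installed and the signed-in user may create
# app registrations (see the role requirements under Option 1).
param(
    # Maps to the article's "ServiceEnvironment": pick the Azure cloud you use.
    [ValidateSet('AzureCloud', 'AzureChinaCloud', 'AzureGermanyCloud', 'AzureUSGovernment')]
    [string]$ServiceEnvironment = 'AzureCloud',
    [string]$AppBaseName = 'realtimeservice',
    [string]$ReplyUrl = 'https://localhost/rts',   # placeholder; use your web app URL
    [int]$SecretValidYears = 1                     # secret lifetime; rotate before expiry
)

Import-Module AzureAD -ErrorAction Stop

# Interactive sign-in to the selected environment.
$session = Connect-AzureAD -AzureEnvironmentName $ServiceEnvironment

# The article appends the server name to the app name and forbids spaces and
# digits in it, so strip those from the combined name.
$appName = ($AppBaseName + '-' + $env:COMPUTERNAME).ToLower() -replace '[\s\d]', ''

# Build the App ID URI from the tenant's initial verified domain.
$tenantDomain = (Get-AzureADTenantDetail).VerifiedDomains |
    Where-Object { $_.Initial } | Select-Object -First 1
$identifierUri = "https://$($tenantDomain.Name)/$appName"

# Find the Azure AD Graph service principal and its Directory.Read.All
# application role (Type 'Role' = application permission, not delegated).
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$aadGraphAppId'"
$readAllRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq 'Directory.Read.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $readAllRole) { throw 'Directory.Read.All application role not found on Azure AD Graph' }

$access = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$access.Id = $readAllRole.Id
$access.Type = 'Role'
$required = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$required.ResourceAppId = $aadGraphAppId
$required.ResourceAccess = $access

# Create the application registration, or reuse one with the same name.
$app = Get-AzureADApplication -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $app) {
    $app = New-AzureADApplication -DisplayName $appName `
        -IdentifierUris @($identifierUri) `
        -ReplyUrls @($ReplyUrl) `
        -RequiredResourceAccess @($required)
}

# The service principal is the identity that actually holds the permission.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { $sp = New-AzureADServicePrincipal -AppId $app.AppId }

# Client secret with an explicit start and end date; the value is returned
# only once, so it must be captured here and entered in RTS.
$start = Get-Date
$cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier ('rts-' + $start.ToString('yyyyMMdd')) `
    -StartDate $start -EndDate $start.AddYears($SecretValidYears)

# Admin consent for an application permission is an app role assignment on
# the service principal. This needs an administrator; if it fails, use
# "Grant admin consent" in the portal as described in Option 2.
try {
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
        -ResourceId $graphSp.ObjectId -Id $readAllRole.Id | Out-Null
} catch {
    Write-Warning "Admin consent was not granted automatically: $($_.Exception.Message)"
}

# SPAPPID goes into "App principal ID", SPPWD into "password" in RTS.
[pscustomobject]@{
    SPAPPID      = $app.AppId
    SPPWD        = $cred.Value
    SecretExpiry = $cred.EndDate
    Tenant       = $session.TenantDomain
}
```

Run it from the application server as the article requires, for example `.\register_rts_app.ps1 -ServiceEnvironment AzureCloud -ReplyUrl https://rts.example.com/`. The script requests only the read-only Directory.Read.All application permission, which is all RTS needs, and the SecretExpiry field tells you when the password entered in RTS has to be rotated.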


Properties

Applies to: All versions of RTS

Reference: TFS #16820; 49461; 170047

Knowledge base ID: 0124

Last updated: July 31, 2018

Attachment: register_app_-_v2.0.ps1 (3219 KB)