During the configuration of RealTime Service (RTS) with Active Directory in O365 (Azure AD), we need to create an
application registration with rights to read Active Directory objects in your O365 tenant.
Make sure to fill in the correct tenant name when you add the O365 domain to RTS.
You can either use the built-in “Create/Update” function as described in Option 1 below, or the alternative methods
to register the application in Azure AD described in Options 2 & 3 where you then fill in the “App principal ID” and
“password” manually. We recommend using option 2 or 3.
Option 1: Use the built-in Create/Update feature
This feature presents a login dialog, and the app registration will be performed with the permissions of this user.
Ensure that the AzureAD PowerShell module is installed on the server.
See this reference: https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0
These are the requirements for the user entered here:
- The user cannot have MFA enabled.
- The user's permissions must be either:
  - a. Global Admin, or
  - b. A regular user with these Azure AD roles:
    - i. Application administrator
    - ii. Privileged role administrator
Option 2: Manually register your web app in Azure AD
1. Log on to the Azure portal with your Azure account.
2. If your account gives you access to more than one tenant, click your account in the top right corner and set your portal
session to the desired Azure AD tenant.
3. In the left-hand navigation pane, click the Azure Active Directory service (if it is absent, click All services and find
it by name), click App registrations, and then click New registration.
4. When the Register an application page appears, enter your application's registration information:
- Name: Enter realtimeservice (or any name you want).
Note: Name of the web app must not include spaces or digits.
- Supported account types: Select ‘Accounts in this organizational directory only’.
- Redirect URI: Enter your web app URL (the address of a web page where users can sign in and use your app).
The App ID URI is your Azure tenant URI followed by your app name (a unique identifier Azure AD uses to identify your app).
5. When finished, click Register.
6. Go to Certificates & secrets → New client secret (key).
7. Add a description for your key and click [Add]. After you save the configuration changes, the right-most column will contain the key value (Password).
Be sure to copy the key for use in Real Time Service (its Password field), as it is not accessible once you leave this page.
8. Click [Overview] to go back. The Application ID field contains the App principal ID for Real Time Service.
  - Click the API Permissions section on the menu → Add a permission. Select the Microsoft APIs tab → Azure Active Directory Graph.
  - In the panel that opens, click [Application permissions], scroll down to Directory and check the [Directory.Read.All] permission.
  - Click [Add permissions] at the bottom of the panel. Then click [Grant admin consent for VECD] to finish.
Option 3: Using PowerShell
Here is an example script (put it in a single file); it requires the AzureAD module to be installed on the server.
- Verify that the correct value is selected for ServiceEnvironment.
- The script is intended to be executed from the application server, since we append the server name to the name of the app in Azure.
- You may need to change your execution policy to allow execution of unsigned scripts.
Once executed, the script returns a set of values, which must be entered as follows:
- SPAPPID must be entered in the “App principal ID” field.
- SPPWD must be entered in the “password” field.
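The following is an added example of such a script, written for this article and not the vendor's own RTS script. It performs the same steps as Option 2 with the AzureAD module: register an application named after the server, request the Directory.Read.All application permission on Azure Active Directory Graph, assign that role to the new service principal (the scripted equivalent of “Grant admin consent”), and create a client secret with an explicit expiry. The ServiceEnvironment parameter is assumed here to be the AzureAD cloud environment name passed to Connect-AzureAD; the resource ID 00000002-0000-0000-c000-000000000000 is the well-known Azure AD Graph application ID, and the role ID is looked up by name rather than hardcoded.

```powershell
# Added example (not the vendor's script): register an Azure AD app for RTS with the AzureAD module.
# Assumptions: the AzureAD module is installed; the signed-in account may create app registrations
# and assign app roles; ServiceEnvironment is the AzureAD cloud environment name (hypothetical mapping).
param(
    [string]$ServiceEnvironment = 'AzureCloud',      # e.g. AzureCloud, AzureChinaCloud, AzureUSGovernment
    [string]$AppBaseName        = 'realtimeservice', # the app name must not contain spaces or digits
    [int]$SecretLifetimeDays    = 365                # keep the client secret short-lived and rotate it before expiry
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD -AzureEnvironmentName $ServiceEnvironment | Out-Null

# App name = base name + this server's name, as the article describes (run this on the application server).
$appName      = "$AppBaseName$($env:COMPUTERNAME)"
$tenant       = Get-AzureADTenantDetail
$tenantDomain = ($tenant.VerifiedDomains | Where-Object { $_._Default -eq $true }).Name

# Resolve the Directory.Read.All *application* role on Azure AD Graph by name (read-only, least privilege for RTS).
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'   # well-known Azure Active Directory Graph resource ID
$aadGraphSp    = Get-AzureADServicePrincipal -Filter "appId eq '$aadGraphAppId'"
$readRole      = $aadGraphSp.AppRoles | Where-Object { $_.Value -eq 'Directory.Read.All' }
if (-not $readRole) { throw 'Directory.Read.All application role not found on Azure AD Graph' }

$access      = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$access.Id   = $readRole.Id
$access.Type = 'Role'                                      # 'Role' = application permission ('Scope' would be delegated)
$required                = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$required.ResourceAppId  = $aadGraphAppId
$required.ResourceAccess = $access

# Register the application and its service principal (App ID URI = tenant URI + app name, as in Option 2).
$app = New-AzureADApplication -DisplayName $appName `
                              -IdentifierUris "https://$tenantDomain/$appName" `
                              -RequiredResourceAccess $required
$sp  = New-AzureADServicePrincipal -AppId $app.AppId

# Grant the application permission: assign the app role to the new service principal.
New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
                                    -ResourceId $aadGraphSp.ObjectId -Id $readRole.Id | Out-Null

# Create the client secret with an explicit end date. The value is returned once and cannot be read back later.
$start = Get-Date
$end   = $start.AddDays($SecretLifetimeDays)
$cred  = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier 'RTS' `
                                                   -StartDate $start -EndDate $end

# Values to enter in RTS: SPAPPID -> "App principal ID", SPPWD -> "password".
[pscustomobject]@{
    SPAPPID       = $app.AppId
    SPPWD         = $cred.Value
    SecretExpires = $end
}
```

Enter SPPWD into the RTS password field immediately and do not keep it in the console transcript or a script log; the secret cannot be retrieved again, so a lost value means creating a new one. Note the expiry date the script reports and rotate the secret before it lapses, and verify in the portal that the registration carries only Directory.Read.All (application) on Azure Active Directory Graph. The AzureAD module and Azure AD Graph API have since been deprecated by Microsoft in favour of Microsoft Graph; the same name-based role lookup applies there with the Microsoft Graph resource ID if your tenant no longer permits Azure AD Graph permissions.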
Applies to: All versions of RTS
Reference: TFS #16820; 49461; 170047
Knowledge base ID: 0124
Last updated: July 31, 2018