Start a conversation

Options when creating the Azure app for Digital Sign Service


Summary

During the configuration of Digital Sign Service (DSS) for Server with Active Directory in O365 (Azure AD), we need to create an application registration with rights to read Active Directory objects in your O365 tenant.

In this article, there are two App Registrations in Azure covered:

Create Azure app for reservation management (this is required for the system to work) 

Create Azure app for Keyboard function in DSS Client and Log in function in Workspace (this is optional, it is used for Workspace app and user authentication from the door signs)

Create Azure app for reservation management

You can either use the built-in “Create/Update” function as described in Option 1 below, or the alternative methods to register the application in Azure AD described in Options 2 & 3.

Ensure that you have the AzureAD powershell module installed on the server. See this reference:

https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0


Option 1: Use the built-in Create/Update feature

Go to DSS 4 manager → Connections → Exchange Online. When you have all 3 fields (Tenant Name, App Principal ID and Password) filled with proper details, clicking [Create/Update] button will open the Microsoft login authorization page.

If you enter correct login details, this page will be closed.


Note:

  • To register an application, you need Application administrator and Privileged role administrator or Global Admin right. 
  • To grant Admin consent, you need Global Admin right. 
  • To obtain and refresh token to read information, this requires the corresponding application to have appropriate granted permissions from Step 2.


Option 2: Manually register your web app in Azure AD

1. Log on Azure portal with your Azure account. 

2. If your account gives you access to more than one, click your account in the top right corner, and set your portal session to the desired Azure AD tenant. 

3. In the left-hand navigation pane, click the Azure Active Directory service (if it absent, click on All services and find it by name), click App registrations → New registration.

4. When the Register an application page appears, enter your application's registration information:

- Name: Enter DigitalSignService.MachineName (or any name you want). 

Note: Name of the web app must not include spaces or digits. 

- Supported account types: Select ‘Accounts in this organizational directory only’. 

- Redirect URI: Enter your web app URL (the address of a web page where users can sign in and use your app). The APP ID URI is your Azure Tenant URI followed by your app name (unique identifier for Azure AD to identify your app). 

5. When finished, click Register

6. Go to Authentication, select No for ‘Treat application as a public client

7. Go to Certificates & secrets → New client secret (key): 

Note: Select ‘Never’ for Expires

8. Add a description for your key and click [Add]. The right-most column will contain the key value (Password), after you save the configuration changes. Be sure to copy the key for use in DSS4 (inside it’s Password field), as it is not accessible once you leave this page.

9. Click [Overview] to go back. The Application (Client) ID field will contain App principal ID for Digital Sign Service.

- Click the API Permissions section on the menu → Add a permission. Select tab Microsoft APIs → Click [Microsoft Graph].

- In the opened panel, click [Delegated permissions], scroll down to Directory and check on permissions as shown in the following figures:



NOTE: The User.Read permission is needed for use of NFC card reader in DSS Client and for retrieving token thanks to which the system can work normally. 

- After that, click [Application permissions], scroll down to Directory and check on permissions as shown in the following figures:


NOTE: If you only want to set permissions for viewing appointments on client side (i.e. user cannot create, extend, and end meetings), the Calendars.ReadWrite permission should be replaced by Calendars.Read permission.

- Click [Add permissions] at the bottom of the panel. 

- Then click [Grant admin consent for ...] to finish.

10. Set Redirect URL(s) in [Authentication] tab

In [Authentication] tab, click [Add a platform] then select Web applications/Web on the right panel. Click [Add URI] and enter the Redirect URI of the application.

NOTE: It is required to use HTTPS protocol when using O365/Azure. In case HTTP protocol is used, you need to use PowerShell to set Redirect URL(s) for the app in [Authentication] tab. 


The following two redirect URLs must be added by clicking [Add URI]:

  • https://[YourDomainName]/DigitalSignService/Domain/Authorize
  • https://[YourDomainName]/DigitalSignService/Admin/LoginWithSSOCallback

Once the app described above has been created, you must collect this information for configuration in Digital Sign Service.

  • Application (Client) ID must be entered in “App principal ID” field.
  • Secret Key must be entered in “Password” field.
  • Tenant Name must be entered in “Tenant name” field. (xx.onmicrosoft.com)


Option 3: Use Power Shell to register service principal in Azure AD

1. Open PowerShell 5.1 as Administrator

2. Run the attached script. Remember to enter valid input to this section in the script:

$MyTenantName= 'tenant.onmicrosoft.com' ## Add your tenant name here
$DSSSiteName= 'DomainName.com'           ## Add DNS name associated with DSS
$DSSAppName= 'DigitalSignService4'             ## Name of app registered in Azure

3. Once executed, the script will return a set of values:

The values must be entered as follows: 

  • Application (Client) ID must be entered in “App principal ID” field. 
  • Secret Key must be entered in “Password” field. 
  • Tenant Name must be entered in “Tenant name” field 

Note:

1. If you use Power Shell to register application on Azure using Multi-Factor Authentication account, there should be a minor change in the above script. In which, this line:

$domainInfo = Connect-AzureAD -Credential $Credential

… must be changed to:

$domainInfo = Connect-AzureAD

2. After running the script, you need to implement the point 6 described in Option 2 once again.

Create Azure app for Keyboard function in DSS Client and Log in function in Workspace

1. Log on Azure portal with your Azure account.

2. If your account gives you access to more than one, click your account in the top right corner, and set your portal session to the desired Azure AD tenant.

3. In the left-hand navigation pane, click the Azure Active Directory service (if it absent, click on All services and find it by name), click App registrations --> New registration.

4. When the Register an application page appears, enter your application's registration information:

  • Name: Enter WorkSpace.Authentication (or any name you want).
  • Note: Name of the web app must not include spaces or digits.
  • Supported account types: Select ‘Accounts in this organizational directory only’.
  • Redirect URI: Enter your web app URL (the address of a web page where users can sign in and use your app). The APP ID URI is your Azure Tenant URI followed by your app name (unique identifier for Azure AD to identify your app).

5. When finished, click Register. You are presented with the details of the app that you created. Copy the Application (client) ID for later use:

6. Go to Authentication, select Yes for ‘Treat application as a public client’ and click [Save] button:

7. Click [Add a platform], select iOS or Android (based on your platform) in ‘Mobile and desktop applications’ section, fill in Package Name/Bundle ID and Signature Hash as in the following figure:

     Package name/Bundle ID: com.addonproducts.dssworkspace 

     Signature hash: poAABcrJsErhK+75cpexqM+tk9g=


For iOS

For Android


8. Go to API Permissions, grant admin consent to the app

9. Go to Digital Sign Service Manager/SYSTEM/Connections. Copy the Application (client) ID retrieved at Step 5 to the field Application (client) ID for Keyboard or Workspace, and fill in the code provided in Step 7 for Signature hash for logging in with Single Sign On (SSO) in Workspace:


10. Go to Digital Sign Service Manager/SYSTEM/Settings. Check on options as shown in the figure below:

11. Click [Save] to finish

Properties

Applies to: DSS for Server 4+
Reference: TFS #204048
Knowledge base ID: 0262
Last updated: Sep 08, 2020

DSS_GraphAppRegV3ReadWrite.zip

  1. 1 KB
  2. View
  3. Download
Choose files or drag and drop files