During the configuration of Digital Sign Service for Server with Active Directory in O365 (Azure AD), we need to create an application registration with rights to read Active Directory objects in your O365 tenant.
You can either use the built-in “Create/Update” function as described in Option 1 below, or the alternative methods to register the application in Azure AD described in Options 2 & 3.
Ensure that you have the AzureAD PowerShell module installed on the server. See this reference:
Option 1: Use the built-in Create/Update feature
Go to DSS 4 manager → Connections → Exchange Online. When all 3 fields (Tenant Name, App Principal ID and Password) are filled in with the proper details, clicking the [Create/Update] button opens the Microsoft login authorization page.
If you enter correct login details, this page is closed.
- To register an application, you need the Application administrator and Privileged role administrator roles, or the Global Admin role.
- To grant Admin consent, you need the Global Admin role.
- To obtain and refresh the token used to read information, the corresponding application must have the appropriate permissions granted in Step 2.
Option 2: Manually register your web app in Azure AD
1. Log on Azure portal with your Azure account.
2. If your account gives you access to more than one, click your account in the top right corner, and set your portal session to the desired Azure AD tenant.
3. In the left-hand navigation pane, click the Azure Active Directory service (if it is absent, click All services and find it by name), then click App registrations → New registration.
4. When the Register an application page appears, enter your application's registration information:
- Name: Enter DigitalSignService.MachineName (or any name you want).
Note: Name of the web app must not include spaces or digits.
- Supported account types: Select ‘Accounts in this organizational directory only’.
- Redirect URI: Enter your web app URL (the address of a web page where users can sign in and use your app). The APP ID URI is your Azure Tenant URI followed by your app name (unique identifier for Azure AD to identify your app).
5. When finished, click Register.
6. Go to Authentication and select No for ‘Treat application as a public client’.
7. Go to Certificates & secrets → New client secret (key):
Note: Select ‘Never’ for Expires.
8. Add a description for your key and click [Add]. The right-most column will contain the key value (Password) after you save the configuration changes. Be sure to copy the key for use in DSS4 (inside its Password field), as it is not accessible once you leave this page.
9. Click [Overview] to go back. The Application (Client) ID field will contain App principal ID for DSS.
- Click the API Permissions section on the menu → Add a permission. Select tab Microsoft APIs → Click [Microsoft Graph].
- In the opened panel, click [Delegated permissions], scroll down to Directory and check on permissions as shown in the following figures:
NOTE: The ’User.Read’ permission is only needed if the ’keyboard’ is to be used in DSS Client.
- After that, click [Application permissions], scroll down to Directory and check on permissions as shown in the following figures:
- Click [Add permissions] at the bottom of the panel.
- Then click [Grant admin consent for Add-On Development] to finish.
10. Use PowerShell to set the Redirect URL(s) for the app shown in the [Authentication] tab.
NOTE: The HTTPS protocol is required when using O365/Azure.
Option 3: Use PowerShell to register a service principal in Azure AD
1. Open PowerShell as Administrator
2. Run the attached script. Remember to enter valid input in this section of the script:
$MyTenantName= 'addonproducts.onmicrosoft.com' ## Add your tenant name here
$DSSSiteName= 'acceptance.add-on.com' ## Add DNS name associated with DSS
$DSSAppName= 'DigitalSignService4' ## Name of app registered in Azure
3. Once executed, the script will return a set of values:
The values must be entered as follows:
- Application (Client) ID must be entered in “App principal ID” field.
- Secret Key must be entered in “Password” field.
- Tenant Name must be entered in “Tenant name” field.
1. If you use PowerShell to register the application in Azure with a Multi-Factor Authentication account, a minor change to the above script is needed: this line:
$domainInfo = Connect-AzureAD -Credential $Credential
… must be changed to:
$domainInfo = Connect-AzureAD
2. After running the script, you need to perform step 6 described in Option 2 once again.
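An example registration script in the style of Option 3, added here and not the KB's attached script. It assumes the AzureAD module, a sign-in URL of https://<DSSSiteName>/ (the actual DSS sign-in path is not given above), and the Microsoft Graph Directory.Read.All application permission as the "Directory" read permission (the figures naming the exact permissions are not reproduced); it gives the client secret a dated expiry instead of ‘Never’ so the key has to be rotated, and admin consent is still granted in the portal as in Option 2.

```powershell
# Added example, not the KB's attached script. Registers the DSS app in Azure AD
# with the AzureAD module and returns the three values DSS asks for.
# Requires Application administrator (or Global Admin) rights.
$MyTenantName = 'addonproducts.onmicrosoft.com'   ## Add your tenant name here
$DSSSiteName  = 'acceptance.add-on.com'           ## Add DNS name associated with DSS
$DSSAppName   = 'DigitalSignService4'             ## Name of app registered in Azure
$RedirectUri  = "https://$DSSSiteName/"           # assumed sign-in URL; HTTPS is required
$SecretLifetimeYears = 1                           # assumption: dated expiry instead of 'Never'

# Interactive sign-in (also works for MFA accounts, see the note in Option 3)
$domainInfo = Connect-AzureAD
if ($domainInfo.TenantDomain -ne $MyTenantName) {
    throw "Signed in to $($domainInfo.TenantDomain), expected $MyTenantName"
}

# Resolve Microsoft Graph permissions by name instead of hard-coding GUIDs
$graph    = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$dirRead  = $graph.AppRoles          | Where-Object { $_.Value -eq 'Directory.Read.All' } # assumed
$userRead = $graph.Oauth2Permissions | Where-Object { $_.Value -eq 'User.Read' }          # for DSS Client keyboard
$access = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$access.ResourceAppId  = $graph.AppId
$access.ResourceAccess = @(
    (New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $dirRead.Id,  'Role'),
    (New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $userRead.Id, 'Scope')
)

# Register the app: single tenant, not a public client (Option 2, steps 4 and 6),
# App ID URI = tenant URI followed by the app name
$app = New-AzureADApplication -DisplayName $DSSAppName `
    -IdentifierUris "https://$MyTenantName/$DSSAppName" `
    -ReplyUrls @($RedirectUri) -PublicClient $false `
    -AvailableToOtherTenants $false -RequiredResourceAccess @($access)
New-AzureADServicePrincipal -AppId $app.AppId | Out-Null

# Client secret; its value is only returned once, so copy it into the DSS Password field
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier 'DSS4' -StartDate (Get-Date) `
    -EndDate (Get-Date).AddYears($SecretLifetimeYears)

# Values to enter in DSS 4 manager → Connections → Exchange Online
[pscustomobject]@{
    'App principal ID' = $app.AppId
    'Password'         = $secret.Value
    'Tenant name'      = $MyTenantName
}
```

After the script finishes, grant admin consent for the Microsoft Graph permissions in the portal (Option 2, step 9) and verify the ‘Treat application as a public client’ setting as described in the note above.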
Applies to: DSS for Server 4
Reference: TFS #204048
Knowledge base ID: 0262
Last updated: July 04, 2019