
Create Azure app for reservation management

Summary

During the configuration of Digital Sign Service (DSS) for Server with Active Directory in O365 (Azure AD), an application registration must be created with rights to read Active Directory objects in your O365 tenant.

Create Azure app for reservation management

Ensure that the AzureAD PowerShell module is installed on the server. See this reference:

https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0

Option 1: Manually register your web app in Azure AD

1. Log on to the Azure portal with your Azure account.

2. If your account gives you access to more than one tenant, click your account in the top right corner and set your portal session to the desired Azure AD tenant.

3. Open the Microsoft Entra ID service and click Manage > App registrations > New registration. You can also find App registrations by typing it in the search box.


4. When the Register an application page appears, enter your application's registration information:

- Name: Enter DSService.MachineName (or any name you want). 

Note: Name of the web app must not include spaces or digits. 

- Supported account types: Select ‘Accounts in this organizational directory only’. 


5. When finished, click Register.

6. Go to Authentication, select No for ‘Allow public client flows’ and click [Save].

Set the Redirect URL(s) in the [Authentication] tab.

In the [Authentication] tab, click [Add a platform] and then select Web on the right panel to open the following screen:

In this screen, perform 2 steps:

- Enter the Redirect URI of the application.

Note: The HTTPS protocol is required when adding a Redirect URI in the O365/Azure Portal. If the HTTP protocol is used, you need to use PowerShell to set the Redirect URL(s) for the app in the [Authentication] tab.


The following two redirect URLs must be added by clicking [Add URI]:

  • https://[YourDomainName]/DigitalSignService/Domain/Authorize
  • https://[YourDomainName]/DigitalSignService/Admin/LoginWithSSOCallback

- Click on ID tokens (used for implicit and hybrid flows).

Click [Configure] → [Save].


7. Go to Certificates & secrets → New client secret (key):

Note: Select ‘24 months’ for Expires.

8. Add a description for your key and click [Add]. After you save the configuration changes, the right-most column will contain the key value (Password). Be sure to copy the Value for use in Digital Sign Service (in its Password field), as it is not accessible once you leave this page.


9. Click [Overview] to go back. The Application (Client) ID field will contain App principal ID for Digital Sign Service.


10. Click the API Permissions section on the menu → Add a permission. Select tab Microsoft APIs → Click [Microsoft Graph].

- In the opened panel, click [Delegated permissions] and check the permissions as shown in the following figures:

NOTE: The User.Read permission is needed for use of the NFC card reader in the DSS Client and for retrieving the token that the system needs to operate normally.

- After that, click [Application permissions], scroll down to Calendars, Domain, GroupMember, User, and Place and check the permissions as shown in the following figures:


NOTE: If you only want to set permissions for viewing appointments on client side (i.e. user cannot create, extend, and end meetings), the Calendars.ReadWrite permission should be replaced by Calendars.Read permission.

- Click [Add permissions] at the bottom of the panel. 

- Then click [Grant admin consent for ...] to finish.

Important Note: If your users have Microsoft Intune devices, add the permission DeviceManagementManagedApps.ReadWrite in addition to the permissions above.

On the APIs my organization uses tab, search for and select Microsoft Mobile Application Management. Then check the DeviceManagementManagedApps.ReadWrite permission under the [Delegated permissions] type.

Hit [Add permissions] and [Grant admin consent for …] to finish.


Once the app described above has been created, you must collect this information for configuration in DS Service.

  • Tenant Name must be entered in “Tenant name” field. (xx.onmicrosoft.com)
  • Application (Client) ID must be entered in “Application Client ID” field.
  • Secret Key must be entered in “Client Secret” field.


Option 2: Use PowerShell to register the service principal in Azure AD

1. Open PowerShell as Administrator.

2. Run the attached script. Remember to enter valid values in this section of the script:

$MyTenantName= 'addonproducts.onmicrosoft.com' ## Add your tenant name here
$DSSSiteName = 'acceptance.add-on.com'           ## Add DNS name associated with DSS
$DSSAppName = 'DigitalSignService4'             ## Name of app registered in Azure


3. Once executed, the script will return a set of values:

The values must be entered as follows:

  • Application (Client) ID must be entered in the “App principal ID” field.
  • Secret Key must be entered in the “Password” field.
  • Tenant Name must be entered in the “Tenant name” field

Note:

  • If you use PowerShell to register the application on Azure with a Multi-Factor Authentication account, a minor change to the above script is needed: this line
$domainInfo= Connect-AzureAD -Credential $Credential

… must be changed to:

$domainInfo= Connect-AzureAD


  • After running the script, you need to carry out point 2 described in Option 2 once again.
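The attached script itself is not reproduced in this article. As an added illustration (not the vendor's script), the following PowerShell shows what such a registration does with the AzureAD module: it uses the same three input variables, builds the two redirect URIs from the DSS DNS name, requests the Graph permissions named in Option 1, and creates a 24-month client secret. It assumes the AzureAD module is installed and the account can create app registrations; the full application permission list is in the article's figures, so only the permissions named in the text are resolved here.

```powershell
# Added example, not the KB's attached script. Same inputs as the article:
$MyTenantName = 'addonproducts.onmicrosoft.com'   # your tenant name
$DSSSiteName  = 'acceptance.add-on.com'           # DNS name associated with DSS
$DSSAppName   = 'DigitalSignService4'             # name of app registered in Azure

# For an MFA account call Connect-AzureAD without -Credential (see Note above)
$Credential = Get-Credential
$domainInfo = Connect-AzureAD -Credential $Credential

# The two redirect URIs from Option 1, derived from the DSS DNS name.
# PowerShell accepts http:// here as well; the portal only accepts https://.
$replyUrls = @(
    "https://$DSSSiteName/DigitalSignService/Domain/Authorize",
    "https://$DSSSiteName/DigitalSignService/Admin/LoginWithSSOCallback"
)

# Resolve Microsoft Graph permission IDs from its service principal instead of
# hard-coding GUIDs. 00000003-0000-0000-c000-000000000000 is Graph's app ID.
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$access  = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
foreach ($name in @('User.Read')) {                       # delegated (Scope)
    $p = $graphSp.Oauth2Permissions | Where-Object { $_.Value -eq $name }
    $access.Add((New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $p.Id, 'Scope'))
}
# Application (Role) permissions: Calendars.ReadWrite as in the text (use
# Calendars.Read for view-only); add the Domain/GroupMember/User/Place roles
# from the article's figures to this list.
foreach ($name in @('Calendars.ReadWrite')) {
    $r = $graphSp.AppRoles | Where-Object { $_.Value -eq $name }
    $access.Add((New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $r.Id, 'Role'))
}
$required = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$required.ResourceAppId  = $graphSp.AppId
$required.ResourceAccess = $access

# Register the app (no public client flows) and its service principal
$app = New-AzureADApplication -DisplayName $DSSAppName -ReplyUrls $replyUrls `
        -PublicClient $false -RequiredResourceAccess $required
$sp  = New-AzureADServicePrincipal -AppId $app.AppId

# Client secret valid 24 months; the Value is only returned at creation time
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
            -CustomKeyIdentifier 'DSS' -StartDate (Get-Date) -EndDate (Get-Date).AddMonths(24)

# Values to enter in DS Service. "ID tokens" and admin consent (Option 1,
# steps 6 and 10) must still be set in the portal; AzureAD has no cmdlet for consent.
[pscustomobject]@{
    'Tenant name'      = $MyTenantName
    'App principal ID' = $app.AppId
    'Password'         = $secret.Value
}
```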

Properties

Applies to: DSS for Server 4+
Reference: TFS #204048
Knowledge base ID: 0297
Last updated: Jul 01, 2024
