
Setup Microsoft Entra ID (formerly Azure Active Directory)

In order for IBI-aws to communicate with a Microsoft Azure Active Directory, the following steps are required.

Before setting up Microsoft Azure Active Directory access, we recommend enabling certificate-based encryption of the message file.

This ensures that only authorized clients are granted access.

IBI-aws Admin (Part 1)

Generate certificate for client authentication

  1. Launch IBI-aws Admin

  2. Navigate to Settings > Directory Services

  3. Click on Add > Microsoft Azure Active Directory...

  4. Choose an appropriate name

  5. Tenant ID and Application ID can first be assigned a placeholder, e.g. "tbd"

  6. Under Certificates click on Generate

  7. Then on Activate

  8. Click on Export (Public Key Only)... and save the public key of the certificate to a desired location.

  9. Click on Save

  10. Click on Save

Azure Portal

Register application

  1. Open Azure Portal

  2. Navigate to Azure Active Directory > App registrations

  3. Click on New registration

  4. Choose an appropriate name, e.g. IBI-aws

  5. Select an appropriate account type (if in doubt, select Accounts in this organizational directory only)

  6. Click on Register

Setup certificate authentication

  1. Open Azure Portal

  2. Navigate to Azure Active Directory > App registrations

  3. Select the previously registered application

  4. Click on Certificates & secrets

  5. Select the Certificates tab

  6. Upload the previously saved certificate (Public Key) using Upload certificate

Setup API permissions

In order for IBI-aws to query the required information, the following API permissions must be assigned:

  • Device.Read.All

  • User.Read.All

  • GroupMember.Read.All

These permissions are assigned as follows.

  1. Open Azure Portal

  2. Navigate to Azure Active Directory > App registrations

  3. Select the previously registered application

  4. Click on API permissions

  5. Click on Add a permission

  6. Select the Microsoft APIs tab

  7. Select Microsoft Graph

  8. Click on Application permissions

  9. Select the above-mentioned permissions using the search function.

  10. Confirm the operation by clicking on Add permissions

  11. The Admin consent must be requested via the menu (...) of the respective permission
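The following check is an added example, not part of the IBI-aws documentation or product: it audits the requiredResourceAccess section of the app registration manifest against the three permissions listed above and reports missing, excess, or delegated entries. It assumes you have exported the manifest and the appRoles list of the Microsoft Graph service principal; the function name and the sample data (including the placeholder GUIDs) are constructed for illustration.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
EXPECTED = {"Device.Read.All", "User.Read.All", "GroupMember.Read.All"}  # from this page

# Constructed sample data; the GUIDs below are placeholders, not real role IDs.
# MANIFEST mimics "requiredResourceAccess" from the app registration manifest,
# GRAPH_ROLES mimics the "appRoles" list of the Microsoft Graph service principal.
MANIFEST = json.loads("""[{"resourceAppId": "00000003-0000-0000-c000-000000000000",
  "resourceAccess": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000004", "type": "Role"},
    {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"}]}]""")
GRAPH_ROLES = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Device.Read.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "User.Read.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "GroupMember.Read.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000004", "value": "Directory.ReadWrite.All"},
]

def audit_permissions(required_resource_access, graph_roles, expected=EXPECTED):
    """Compare requested Graph application permissions with the expected set."""
    names = {r["id"]: r["value"] for r in graph_roles}  # role id -> permission name
    requested, delegated, other_apis = set(), [], []
    for resource in required_resource_access:
        if resource["resourceAppId"] != GRAPH_APP_ID:
            other_apis.append(resource["resourceAppId"])  # API not listed on this page
            continue
        for access in resource.get("resourceAccess", []):
            if access["type"] == "Role":   # application permission
                requested.add(names.get(access["id"], "unknown:" + access["id"]))
            else:                          # "Scope" = delegated permission
                delegated.append(access["id"])
    return {
        "missing": sorted(expected - requested),
        "excess": sorted(requested - expected),
        "delegated": delegated,
        "other_apis": other_apis,
        "ok": requested == expected and not delegated and not other_apis,
    }

if __name__ == "__main__":
    print(json.dumps(audit_permissions(MANIFEST, GRAPH_ROLES), indent=2))
```

The manifest only records which permissions are requested; whether admin consent has been given is tracked separately and still has to be confirmed in the portal.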

Determine Tenant ID and Application ID

  1. Open Azure Portal

  2. Navigate to Azure Active Directory > App registrations

  3. Select the previously registered application

  4. Note Directory (tenant) ID and Application (client) ID

IBI-aws Admin (Part 2)

Finalize setup

Once the application has been registered in the Azure Portal and all permissions have been granted, the remaining information can be entered in IBI-aws Admin and a connection test can be performed.

  1. Launch IBI-aws Admin

  2. Navigate to Settings > Directory Services

  3. Edit the previously added Microsoft Azure Active Directory entry

  4. Enter the previously noted information as follows:
    Directory (tenant) ID: Tenant ID
    Application (client) ID: Application ID

  5. Click on Test connection to verify that the connection and the authentication succeed

  6. Click on Save

  7. Click on Save
