Introduction


For ManagementStudio's connectors to access data inside Azure, an App registration is required in Azure. The App registration defines the set of permissions and access rights granted to ManagementStudio. It is recommended (but not required) that a separate App registration is created for each connector in use, so that each connector holds only the permissions it needs.



App Registration


Creating an Azure App Registration

  1. Open the Azure portal
  2. Navigate to 'App registrations'
  3. Click 'New registration'
    1. Name the App, e.g. 'ManagementStudio AD Connector'
    2. Select 'Accounts in this organization only'
    3. Leave the redirect URI blank
    4. Click 'Register'


Authentication and Permissions

Depending on the auth type (User/Pass or Client Secret), a different configuration is required.


Auth: User/Pass

  1. Authentication
    1. Set 'Enable the following mobile and desktop flows' to Yes.
    2. Click Save
  2. Provision API permissions
    1. Permissions must be added as 'Delegated permissions'
    2. Refer to the list of required permissions in the section below.
    3. Grant admin consent


Auth: Client Secret

  1. Certificates & secrets
    1. From the left nav bar, click 'Certificates & secrets'
    2. Click 'New client secret'
      1. Name the secret, e.g. 'ManagementStudio Secret'
      2. Set Expires to 24 months
      3. Click Add
    3. Note the secret 'Value'; it is displayed only once in the UI
      1. NB: Take note of this value immediately, before leaving the page
  2. Provision API permissions
    1. Click 'API permissions' in the left nav bar
    2. Permissions must be added as 'Application permissions'
    3. Refer to the list of required permissions in the section below. For example, for the User permission (User.Read.All), first select 'Microsoft Graph' from the list of APIs, then choose 'Application permissions' and tick the permission.
    4. Be sure to click 'Add permissions'
    5. Finally, click 'Grant admin consent' above the list of permissions
  3. Gather the data needed to populate the ManagementStudio Azure Connector settings
    1. Click Overview
    2. Copy the Application (client) ID
    3. Copy the Directory (tenant) ID
    4. The secret 'Value' noted in the 'Certificates & secrets' step above



Permissions

Azure AD Connector


Microsoft Graph Permissions


Section      Permission                 Note
Directory    Directory.Read.All
User         User.Read.All
Device       Device.Read.All
AuditLog     AuditLog.Read.All          Optional: needed to read users' 'Last Login Time'
GroupMember  GroupMember.Read.All
GroupMember  GroupMember.ReadWrite.All  Optional: allows ESM to add/remove items from Azure groups
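Once the registration exists, it is worth checking that it requests exactly the permissions in the table above, of the type the chosen auth mode needs (Application for Client Secret, Delegated for User/Pass), and that the client secret is not close to expiry. The following audit script is an added example and is not ManagementStudio's code or anything the product ships. It assumes the registration has been exported as a JSON manifest in the Microsoft Graph application-object shape (`requiredResourceAccess` and `passwordCredentials`) and that the Graph service principal's permission catalogue (`appRoles` for Application permissions, `oauth2PermissionScopes` for Delegated ones) is available to translate permission GUIDs into names. Both inputs here are constructed, and the GUIDs are placeholders, not Microsoft's real permission ids; only the Microsoft Graph resource app id is the well-known value.

```python
"""Audit an app registration for the ManagementStudio Azure AD Connector (added example).
Flags missing/extra/wrong-type Microsoft Graph permissions and client secrets nearing expiry."""
import json
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app id

# Permissions from the Azure AD Connector table on this page.
REQUIRED = {"Directory.Read.All", "User.Read.All", "Device.Read.All", "GroupMember.Read.All"}
OPTIONAL = {"AuditLog.Read.All", "GroupMember.ReadWrite.All"}

# Auth mode -> permission type the page prescribes, as coded in the manifest:
# "Role" = Application permission, "Scope" = Delegated permission.
TYPE_FOR_AUTH = {"client_secret": "Role", "user_pass": "Scope"}

# CONSTRUCTED excerpt of the Graph service principal's permission catalogue.
# The GUIDs are placeholders, NOT Microsoft's real permission ids.
GRAPH_CATALOGUE = {
    "appRoles": [
        {"id": "00000000-0000-0000-0000-00000000a001", "value": "Directory.Read.All"},
        {"id": "00000000-0000-0000-0000-00000000a002", "value": "User.Read.All"},
        {"id": "00000000-0000-0000-0000-00000000a003", "value": "Device.Read.All"},
        {"id": "00000000-0000-0000-0000-00000000a004", "value": "GroupMember.Read.All"},
        {"id": "00000000-0000-0000-0000-00000000a005", "value": "GroupMember.ReadWrite.All"},
        {"id": "00000000-0000-0000-0000-00000000a006", "value": "Mail.ReadWrite"},
    ],
    "oauth2PermissionScopes": [
        {"id": "00000000-0000-0000-0000-00000000d002", "value": "User.Read.All"},
    ],
}

# CONSTRUCTED manifest: User.Read.All added as Delegated by mistake, an unneeded
# Mail.ReadWrite permission, and a secret that expires soon.
SAMPLE_MANIFEST = json.loads("""
{
  "displayName": "ManagementStudio AD Connector",
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [
       {"id": "00000000-0000-0000-0000-00000000a001", "type": "Role"},
       {"id": "00000000-0000-0000-0000-00000000d002", "type": "Scope"},
       {"id": "00000000-0000-0000-0000-00000000a003", "type": "Role"},
       {"id": "00000000-0000-0000-0000-00000000a004", "type": "Role"},
       {"id": "00000000-0000-0000-0000-00000000a006", "type": "Role"}
     ]}
  ],
  "passwordCredentials": [
    {"displayName": "ManagementStudio Secret", "endDateTime": "2025-02-10T00:00:00Z"}
  ]
}
""")


def build_lookup(catalogue):
    """Map (permission id, manifest type code) -> permission name."""
    lookup = {(r["id"], "Role"): r["value"] for r in catalogue["appRoles"]}
    lookup.update({(s["id"], "Scope"): s["value"] for s in catalogue["oauth2PermissionScopes"]})
    return lookup


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(manifest, auth_mode, catalogue=GRAPH_CATALOGUE, now=None, warn_days=30):
    """Return findings for one app registration; every list empty means it passes."""
    now = _parse_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    want_type = TYPE_FOR_AUTH[auth_mode]
    lookup = build_lookup(catalogue)

    granted, wrong_type, unknown_ids, other_apis = set(), [], [], []
    for resource in manifest.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != GRAPH_APP_ID:
            other_apis.append(resource["resourceAppId"])  # this connector needs Graph only
            continue
        for access in resource["resourceAccess"]:
            name = lookup.get((access["id"], access["type"]))
            if name is None:
                unknown_ids.append(access["id"])
            elif access["type"] != want_type:
                wrong_type.append(name)  # right permission, wrong kind for this auth mode
            else:
                granted.add(name)

    expiring = []
    for cred in manifest.get("passwordCredentials", []):
        end = _parse_time(cred["endDateTime"])
        if end - now < timedelta(days=warn_days):
            expiring.append((cred.get("displayName", "<unnamed>"), end.date().isoformat()))

    return {
        "missing": sorted(REQUIRED - granted),
        "extra": sorted(granted - REQUIRED - OPTIONAL),
        "wrong_type": sorted(wrong_type),
        "unknown_ids": unknown_ids,
        "other_apis": other_apis,
        "expiring_secrets": expiring,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, "client_secret"), indent=2))
```

The catalogue lookup is needed because a manifest records permissions only as GUIDs plus a type code, so a permission added under the wrong tab (Delegated instead of Application, or vice versa) looks superficially fine in the portal list but shows up here under `wrong_type`, and anything outside the connector's required and optional sets shows up under `extra`. In a real tenant, replace the constructed inputs with the exported manifest and the Microsoft Graph service principal's `appRoles` and `oauth2PermissionScopes`.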



InTune Connector (Coming Soon)


Microsoft Graph Permissions


Section                         Permission                               Note
DeviceManagementManagedDevices  DeviceManagementManagedDevices.Read.All



Email Send / Receive


NB: Email only supports delegated permissions.


Microsoft Graph Permissions


Section             Permission            Note
OpenId permissions  email
OpenId permissions  offline_access
POP                 POP.AccessAsUser.All
SMTP                SMTP.Send



Single Sign On (Coming Soon)


Microsoft Graph Permissions


Section  Permission  Note
User     User.Read



Dataverse Connector (Coming Soon)


Dynamics CRM Permissions


Section                    Permission          Note
Dynamics Data Integration  user_impersonation  Most of the Dataverse permissions are set inside Dataverse. This permission acts as a bridge.