Create Azure App Registration

The steps provided can be used to create the App Registration required for configuring Azure Active Directory integration.

This integration requires .NET Framework version 4.8 or later.

Azure Portal Method

Create the Application Registration

  1. Log on to the Azure Portal.

  2. If needed, switch to the intended directory.

  3. Navigate to the Azure Active Directory blade.

  4. Click App registrations on the left pane in the Manage section.

  5. Click the New registration button. The App Registrations page appears.

  6. Type Thycotic Secret Server in the Name text box.

  7. Select the Accounts in this organizational directory only option so that the app is single tenant.

  8. In the Redirect URI (optional) section, click to select Web in the dropdown list.

  9. Type https://<Your Secret Server URL>/signin-oidc in the text box to the right of the list.

  10. Click the Register button. Once the app registration is created, the Azure portal opens the blade to this object.

  11. In the blade for this app registration, take note of the Application (client) ID and Directory (tenant) ID. These will be needed for Secret Server configuration.

Add Client Secret to the Application Registration

  1. Click Certificates & secrets on the left panel in the Manage section. The Certificates & Secrets page appears.

  2. Go to the Client Secrets section.

  3. Click the New Client Secret button. The Add a Client Secret section appears.

  4. Type Secret Server in the Description text box.

  5. Click to select your desired expiration in the Expires selection button.

    Note: If the client secret is set to expire, Secret Server must be updated with a new secret on or before the expiration date for this integration to keep working.

  6. Click the Add button. The client secret appears in the Client Secrets section.

  7. Record the text string in the Value column for that secret.

Add API Permissions to the Application Registration

  1. Click API Permissions on the left panel in the Manage section. The API Permissions page appears.

  2. If any default permissions appear in the unlabeled configured permissions table, click the ... button at the end of each row and select Remove Permission.

  3. Click the Add a Permission button. The Request API Permissions page appears.

  4. Click the Microsoft Graph panel button. A wizard begins.

  5. Click Application Permissions when asked What type of permissions does your application require? The Select Permissions section appears.

  6. In the search text box, type Group. A GroupMember section appears.

  7. Click to expand the section.

  8. Click to select the GroupMember.Read.All check box.

  9. Repeat the process for the following application permissions:

    • Group.Read.All
    • GroupMember.Read.All
    • Member.Read.Hidden
    • User.Read.All

    Do the same for the User.Read delegated permission.

  10. Click the Add Permissions button. A prompt appears.

  11. Click the Yes button to grant consent to all accounts in the directory. You will receive a notification for "grant consent," and a green check mark appears in the Status column on the Configure Permissions page.

This requires a local account with at least one of these roles: "Administer Active Directory," "Unlimited Administrator," or "Administer Configuration Unlimited Admin."

Script Method

The script below is provided as-is, and future use may require adjustment if Microsoft changes the AzureAD PowerShell module.

At the time of writing, there is no command in the AzureAD module granting admin consent to the app. That step has to be performed via the Azure Portal.

#Requires -Modules AzureAD

<#
    Connect to your tenant (fill in the tenant ID before running)
#>
$tenantId = ''
Connect-AzureAD -TenantId $tenantId

<#
    Variables - Adjust for your environment/requirements
#>
$appName = "Thycotic Secret Server2"
$appRedirect = "https://vault.company.com/signin-oidc"

<#
    DO NOT CHANGE - the application permissions Secret Server requires
#>
$appPerms = 'Group.Read.All','GroupMember.Read.All','Member.Read.Hidden','User.Read.All'

<#
    Pull the service principal for Microsoft Graph (its AppRoles hold the permission IDs)
#>
$msGraphService = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"

<#
    Create object for Resource Access - assigning app role permissions
#>
$msGraphResourceAccess = New-Object -TypeName "Microsoft.Open.MSGraph.Model.RequiredResourceAccess"
$msGraphResourceAccess.ResourceAppId = $msGraphService.AppId
$msGraphResourceAccess.ResourceAccess = New-Object -TypeName "System.Collections.Generic.List[Microsoft.Open.MSGraph.Model.ResourceAccess]"

<#
    This grabs the ID for each permission listed in the $appPerms variable
#>
$permissions = $msGraphService.AppRoles.Where({$_.Value -in $appPerms})
foreach ($p in $permissions) {
    # "Role" = application permission (as opposed to "Scope" = delegated permission)
    $appPermission = New-Object -TypeName "Microsoft.Open.MSGraph.Model.ResourceAccess" -ArgumentList $p.Id,"Role"
    <# Add the role to the resource access object #>
    $msGraphResourceAccess.ResourceAccess.Add($appPermission)
}

<#
    Create the App Registration
#>
$paramsApp = @{
    DisplayName = $appName
    Web = @{ RedirectUris = $appRedirect }
    RequiredResourceAccess = $msGraphResourceAccess
}
$thycoticApp = New-AzureADMSApplication @paramsApp

<#
    Create the Client Secret and assign to the App Registration created

    !!NOTE!! MSGraph only supports the expiration being set to 2 years, no configuration option is provided
#>
$paramsClientSecret = @{
    ObjectId = $thycoticApp.Id
    PasswordCredential = @{ displayName = "Secret Server $(Get-Date -Format yyyy-MM-dd)" }
}
$clientSecret = New-AzureADMSApplicationPassword @paramsClientSecret

<#
    Output object data needed for configuring Secret Server
#>
[pscustomobject]@{
    Details = "These values are required for Secret Server Configuration"
    TenantId = (Get-AzureADTenantDetail).ObjectId
    ClientID = $thycoticApp.AppId
    ClientSecret = $clientSecret.SecretText
} | Format-List
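Because admin consent cannot be granted from the AzureAD module and the client secret silently breaks the integration once it expires, a verification pass after setup is worthwhile. The following is an added example, not part of the original script or of Thycotic's documentation: it reads an existing registration back, confirms the four application permissions listed above were actually consented, flags any extra application permissions, and warns about secrets nearing expiry. It assumes Connect-AzureAD has already been run and that the app name and warning window below are adjusted to your environment.

```powershell
#Requires -Modules AzureAD
<#
    Added verification example (assumed values: $appName, $warnDays).
    Checks declared vs. consented Microsoft Graph permissions and client secret expiry.
#>
$appName          = 'Thycotic Secret Server'   # assumption: name used at registration
$requiredAppRoles = 'Group.Read.All','GroupMember.Read.All','Member.Read.Hidden','User.Read.All'
$warnDays         = 30                         # assumption: days before expiry to warn

$app = @(Get-AzureADMSApplication -Filter "displayName eq '$appName'")
if ($app.Count -ne 1) { throw "Expected exactly one app named '$appName', found $($app.Count)" }
$app   = $app[0]
$graph = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$appSp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"

# Resolve the GUIDs declared on the registration back to permission names
$graphAccess    = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $graph.AppId }
$declaredRoles  = foreach ($ra in ($graphAccess.ResourceAccess | Where-Object Type -eq 'Role')) {
    ($graph.AppRoles | Where-Object Id -eq $ra.Id).Value
}
$declaredScopes = foreach ($ra in ($graphAccess.ResourceAccess | Where-Object Type -eq 'Scope')) {
    ($graph.Oauth2Permissions | Where-Object Id -eq $ra.Id).Value
}

# Declared permissions are only effective once admin consent created app role assignments
# on the app's service principal; read those back to see what was really granted.
$granted = foreach ($a in (Get-AzureADServiceAppRoleAssignedTo -ObjectId $appSp.ObjectId |
                           Where-Object ResourceId -eq $graph.ObjectId)) {
    ($graph.AppRoles | Where-Object Id -eq $a.Id).Value
}

[pscustomobject]@{
    DeclaredAppRoles  = ($declaredRoles -join ', ')
    DeclaredDelegated = ($declaredScopes -join ', ')
    NotConsented      = (($requiredAppRoles | Where-Object { $_ -notin $granted }) -join ', ')
    ExcessAppRoles    = (($declaredRoles | Where-Object { $_ -notin $requiredAppRoles }) -join ', ')
} | Format-List

# Client secrets: flag any that are expired or expire within the warning window
$app.PasswordCredentials | ForEach-Object {
    $daysLeft = [int]($_.EndDateTime - (Get-Date)).TotalDays
    [pscustomobject]@{
        Secret   = $_.DisplayName
        Expires  = $_.EndDateTime
        DaysLeft = $daysLeft
        Action   = if ($daysLeft -le $warnDays) { 'Rotate and update Secret Server' } else { 'OK' }
    }
} | Format-Table -AutoSize
```

A non-empty NotConsented column means the portal consent step (step 11 above) has not been completed; a non-empty ExcessAppRoles column means the registration carries application permissions beyond the ones this page requires.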