Create Azure App Registration
The steps provided can be used to create the App Registration required for configuring Azure Active Directory integration.
Azure Portal Method
Create the Application Registration
Follow the steps in Register an application with the Microsoft identity platform to register an app in the Azure Portal.
Use Thycotic Secret Server as the Name for your application, and https://<Your Secret Server URL>/signin-oidc as the Redirect URI.
Once the app registration is created, take note of the Application (client) ID and the Directory (tenant) ID; both are needed for the Secret Server configuration.
Add Client Secret to the Application Registration
Follow the steps in the Add a client secret section of the Register an application with the Microsoft identity platform guide to add a Client Secret to the application registration.
Use Secret Server as the Description, and record the text string shown in the Value column as soon as the secret is added; the portal shows the value only once and it cannot be retrieved later.
Add API Permissions to the Application Registration
Follow the steps in the Configure an application to expose a web API guide to add API Permissions to the Application Registration. The permissions Secret Server requires are the Microsoft Graph application permissions listed in the $appPerms variable of the script below (Group.Read.All, GroupMember.Read.All, Member.Read.Hidden and User.Read.All); as application permissions they require admin consent.
Script Method
The script below is provided as-is; future use may require adjustment if Microsoft changes the AzureAD PowerShell module.
At the time of writing, the AzureAD module has no command for granting admin consent to the app, so that step has to be performed in the Azure Portal after the script has run.
<#
Connect to your tenant. Use the Directory (tenant) ID of the tenant that will hold the app registration.
#>
$tenantId = ''   # e.g. '00000000-0000-0000-0000-000000000000'
Connect-AzureAD -TenantId $tenantId
<#
Variables - Adjust for your environment/requirements
#>
$appName = "Thycotic Secret Server"
$appRedirect = "https://vault.company.com/signin-oidc"   # https://<Your Secret Server URL>/signin-oidc
<#
DO NOT CHANGE - these are the Microsoft Graph permissions Secret Server requires.
They are application (Role) permissions, so an administrator must grant admin consent in the Azure Portal.
#>
$appPerms = 'Group.Read.All','GroupMember.Read.All','Member.Read.Hidden','User.Read.All'
<#
Pull the service principal for Microsoft Graph; its AppId is the resource the permissions are requested against
#>
$msGraphService = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
<#
Create object for Resource Access - assigning app role permissions
#>
$msGraphResourceAccess = New-Object -TypeName "Microsoft.Open.MSGraph.Model.RequiredResourceAccess"
$msGraphResourceAccess.ResourceAppId = $msGraphService.AppId
<#
Look up the ID of each permission listed in $appPerms and stop if any of them cannot be resolved
#>
$permissions = $msGraphService.AppRoles.Where({$_.Value -in $appPerms})
if ($permissions.Count -ne $appPerms.Count) {
    throw "Expected $($appPerms.Count) Microsoft Graph app roles but resolved $($permissions.Count); check the Graph service principal"
}
foreach ($p in $permissions) {
    # "Role" = application permission (as opposed to "Scope" = delegated permission)
    $appPermissions = New-Object -TypeName "Microsoft.Open.MSGraph.Model.ResourceAccess" -ArgumentList $p.Id,"Role"
    <# Add the role to the resource access object #>
    $msGraphResourceAccess.ResourceAccess += $appPermissions
}
<#
Create the App Registration
#>
$paramsApp = @{
    DisplayName            = $appName
    Web                    = @{ RedirectUris = $appRedirect }
    RequiredResourceAccess = $msGraphResourceAccess
}
$thycoticApp = New-AzureADMSApplication @paramsApp
<#
Create the Client Secret and assign it to the App Registration just created
!!NOTE!! MSGraph only supports the expiration being set to 2 years; no configuration option is provided
#>
$paramsClientSecret = @{
    ObjectId           = $thycoticApp.Id
    PasswordCredential = @{ displayName = "Secret Server $(Get-Date -Format yyyy-MM-dd)" }
}
$clientSecret = New-AzureADMSApplicationPassword @paramsClientSecret
<#
Output object data needed for configuring Secret Server
The client secret is shown in plaintext exactly once: copy it straight into the Secret Server
configuration (or a vault) and do not leave it in console transcripts or shell history.
#>
[pscustomobject]@{
    Details      = "These values are required for the Secret Server configuration"
    TenantId     = (Get-AzureADTenantDetail).ObjectId
    ClientID     = $thycoticApp.AppId
    ClientSecret = $clientSecret.SecretText
} | Format-List
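A check worth running after the script, as an added example that is not part of the original page or of the Secret Server product: it reads the registration back from the directory and confirms that the redirect URI is exactly the HTTPS address that was configured, that the Microsoft Graph permissions requested are precisely the four application (Role) permissions in $appPerms with nothing extra or delegated, and that no client secret is already expired. The function name Test-SecretServerAppRegistration is hypothetical; the example assumes the script above has just run in the same session, so $thycoticApp, $appPerms, $appRedirect and $msGraphService are defined and the Connect-AzureAD session is still active.

```powershell
# Added verification example (not part of the original page). Assumes the
# script above has just run in this session, so $thycoticApp, $appPerms,
# $appRedirect and $msGraphService are defined and Connect-AzureAD is active.

function Test-SecretServerAppRegistration {
    param(
        [Parameter(Mandatory)] [string]   $ApplicationObjectId,   # $thycoticApp.Id
        [Parameter(Mandatory)] [string[]] $ExpectedPermissions,   # $appPerms
        [Parameter(Mandatory)] [string]   $ExpectedRedirectUri,   # $appRedirect
        [Parameter(Mandatory)]            $GraphServicePrincipal  # $msGraphService
    )

    # Read the registration back from the directory rather than trusting local variables
    $app      = Get-AzureADMSApplication -ObjectId $ApplicationObjectId
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Redirect URI: exactly the one we configured, and HTTPS only
    $uris = @($app.Web.RedirectUris)
    if ($uris.Count -ne 1 -or $uris[0] -ne $ExpectedRedirectUri) {
        $findings.Add("Redirect URIs are [$($uris -join ', ')], expected exactly [$ExpectedRedirectUri]")
    }
    foreach ($u in $uris) {
        if (-not $u.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("Redirect URI '$u' is not HTTPS")
        }
    }

    # 2. Graph permissions: map the requested role IDs back to names and diff against the expected set
    $graphAccess  = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $GraphServicePrincipal.AppId }
    $roleNameById = @{}
    foreach ($r in $GraphServicePrincipal.AppRoles) { $roleNameById[[string]$r.Id] = $r.Value }
    $requested = foreach ($ra in @($graphAccess.ResourceAccess)) {
        if ($ra.Type -ne 'Role') {
            # Secret Server needs application permissions only; a delegated (Scope) entry is a misconfiguration
            $findings.Add("Unexpected delegated (Scope) permission with ID $($ra.Id)")
            continue
        }
        $roleNameById[[string]$ra.Id]
    }
    $missing = $ExpectedPermissions | Where-Object { $_ -notin $requested }
    $extra   = $requested | Where-Object { $_ -notin $ExpectedPermissions }
    if ($missing) { $findings.Add("Missing Graph application permissions: $($missing -join ', ')") }
    if ($extra)   { $findings.Add("Unexpected Graph application permissions: $($extra -join ', ')") }

    # 3. Client secrets: flag any that have already expired or carry no expiry at all
    foreach ($cred in @($app.PasswordCredentials)) {
        if (-not $cred.EndDateTime) {
            $findings.Add("Secret '$($cred.DisplayName)' has no expiry")
        } elseif ($cred.EndDateTime -lt (Get-Date)) {
            $findings.Add("Secret '$($cred.DisplayName)' expired on $($cred.EndDateTime)")
        }
    }

    [pscustomobject]@{
        DisplayName = $app.DisplayName
        AppId       = $app.AppId
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-SecretServerAppRegistration -ApplicationObjectId $thycoticApp.Id `
    -ExpectedPermissions $appPerms -ExpectedRedirectUri $appRedirect `
    -GraphServicePrincipal $msGraphService | Format-List
```

Compliant = True means the registration matches what the script intended to create. It says nothing about admin consent: as the page notes, the AzureAD module cannot grant it, and whether it has been granted has to be confirmed on the API permissions blade of the app registration in the Azure Portal.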