Create Azure App Registration
The steps provided can be used to create the app registration required for configuring Azure Active Directory integration.
Azure Portal Method
Create the Application Registration
Follow the steps in Register an application with the Microsoft identity platform to register an app on Azure Portal.
Use Delinea Secret Server as the Name for your application and https://<Your Secret Server URL>/signin-oidc as the Redirect URL.
Once the app registration is created, take note of the Application (client) ID and the Directory (tenant) ID; both are needed for the Secret Server configuration.
Add Client Secret to the Application Registration
Follow the steps in the Add a client secret section of the Register an application with the Microsoft identity platform guide to add a Client Secret to the application registration.
Use Secret Server as the Description and record the text string in the Value column for that secret as soon as it is added; the value is not shown again later.
Add API Permissions to the Application Registration
Follow the steps in the Configure an application to expose a web API guide to add API Permissions to the Application Registration.
- Click API Permissions in the left panel in the Manage section. The API Permissions page appears.
- If any default permissions appear in the unlabeled configured permissions table, click the … button and select Remove Permission.
- Select the Add a Permission button. The Request API Permissions page appears.
- Select the Microsoft Graph panel button. A wizard begins.
- Choose Application Permissions when asked "What type of permissions does your application require?". The Select Permissions section appears.
- In the search text box, type Group. A GroupMember section appears.
- Click to expand the section.
- Check the box for the following application permissions:
  - Group.Read.All
  - GroupMember.Read.All
  - Member.Read.Hidden
  - User.Read.All
- Choose Delegated Permissions when asked "What type of permissions does your application require?". The Select Permissions section appears.
- Check the box for the following Delegated permissions:
  - Group.Read.All
- Select the Add Permissions button. A prompt appears.
- Click Yes to grant consent to all accounts in the directory. You will receive a notification that consent was granted, and a green check mark appears in the Status column on the Configure Permissions page.
Script Method
The script below is provided as-is, and future use may require adjustment if Microsoft changes the AzureAD PowerShell module.
<#
Connect to your tenant
#>
$tenantId = ''
Connect-AzureAD -TenantId $tenantId

<#
Variables - Adjust for your environment/requirements
#>
$appName = "Delinea Secret Server"
$appRedirect = "https://vault.company.com/signin-oidc"

<#
DO NOT CHANGE
#>
$appPerms = 'Group.Read.All','GroupMember.Read.All','Member.Read.Hidden','User.Read.All'

<#
Pull the Service App ID for Microsoft Graph
#>
$msGraphService = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"

<#
Create object for Resource Access - assigning app role permissions
#>
$msGraphResourceAccess = New-Object -TypeName "Microsoft.Open.MSGraph.Model.RequiredResourceAccess"
$msGraphResourceAccess.ResourceAppId = $msGraphService.AppId

<#
This grabs the ID for each permission listed in the $appPerms variable
#>
$permissions = $msGraphService.AppRoles.Where({ $_.Value -in $appPerms })
foreach ($p in $permissions) {
    $appPermissions = New-Object -TypeName "Microsoft.Open.MSGraph.Model.ResourceAccess" -ArgumentList $p.Id, "Role"
    <# Add the role to the resource access object #>
    $msGraphResourceAccess.ResourceAccess += $appPermissions
}

<#
Create the App Registration
#>
$paramsApp = @{
    DisplayName            = $appName
    Web                    = @{ RedirectUris = $appRedirect }
    RequiredResourceAccess = $msGraphResourceAccess
}
$thycoticApp = New-AzureADMSApplication @paramsApp

<#
Create the Client Secret and assign it to the App Registration created above
!!NOTE!! MSGraph only supports an expiration of 2 years here; no configuration option is provided
#>
$paramsClientSecret = @{
    ObjectId           = $thycoticApp.Id
    PasswordCredential = @{ displayName = "Secret Server $(Get-Date -Format yyyy-MM-dd)" }
}
$clientSecret = New-AzureADMSApplicationPassword @paramsClientSecret

<#
Output the object data needed for configuring Secret Server
#>
[pscustomobject]@{
    Details      = "These values are required for Secret Server Configuration"
    TenantId     = (Get-AzureADTenantDetail).ObjectId
    ClientID     = $thycoticApp.AppId
    ClientSecret = $clientSecret.SecretText
} | Format-List
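A read-only check that the finished registration matches what the portal steps and the script above intend: exactly the four listed Microsoft Graph application roles are requested (nothing extra), the redirect URI ends in /signin-oidc, admin consent has actually been granted, and the client secret expiry is visible. This is an added example, not part of the vendor script; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph and the Get-Mg* cmdlets) instead of the AzureAD module, and assumes the app was registered with the display name used on this page and that the caller holds the Application.Read.All scope.

```powershell
<# Added verification example - uses the Microsoft Graph PowerShell SDK, not the AzureAD module #>
Connect-MgGraph -Scopes 'Application.Read.All'

$appName       = 'Delinea Secret Server'   # display name used on this page
$expectedRoles = 'Group.Read.All','GroupMember.Read.All','Member.Read.Hidden','User.Read.All'
$graphAppId    = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph application ID

$app   = Get-MgApplication -Filter "displayName eq '$appName'" | Select-Object -First 1
$graph = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $app -or -not $graph) { throw 'App registration or Microsoft Graph service principal not found' }

# Map the role GUIDs requested under RequiredResourceAccess back to permission names.
$requested = @($app.RequiredResourceAccess |
    Where-Object { $_.ResourceAppId -eq $graphAppId } |
    ForEach-Object { $_.ResourceAccess } |
    Where-Object { $_.Type -eq 'Role' } |
    ForEach-Object { $id = $_.Id; ($graph.AppRoles | Where-Object Id -eq $id).Value })

# Only roles admin consent has assigned to the app's service principal are effective;
# a requested-but-unconsented role grants nothing yet. The script method does not
# grant consent, so this list shows what still has to be done in the portal.
$granted = @()
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if ($sp) {
    $granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Where-Object { $_.ResourceId -eq $graph.Id } |
        ForEach-Object { $roleId = $_.AppRoleId; ($graph.AppRoles | Where-Object Id -eq $roleId).Value })
}

[pscustomobject]@{
    RedirectUriOk   = [bool]($app.Web.RedirectUris | Where-Object { $_ -like 'https://*/signin-oidc' })
    ExtraRequested  = @($requested | Where-Object { $_ -notin $expectedRoles })   # excess privilege; should be empty
    MissingRoles    = @($expectedRoles | Where-Object { $_ -notin $requested })
    NotYetConsented = @($expectedRoles | Where-Object { $_ -notin $granted })     # empty once admin consent is granted
    SecretExpiry    = @($app.PasswordCredentials | ForEach-Object { '{0}: {1:yyyy-MM-dd}' -f $_.DisplayName, $_.EndDateTime })
} | Format-List
```

Anything listed under ExtraRequested should be removed in the portal (the "Remove Permission" step above), and a non-empty NotYetConsented list means the green check mark in the Status column is still missing.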