Azure AD Authentication
Enabling user authentication using Azure Active Directory
Last updated
Enabling user authentication using Azure Active Directory
Last updated
© Patch My PC 2024
Applies to: Advanced Insights
Advanced Insights supports authentication using Azure AD credentials using OpenID. To configure this is a three-step process:
Create an App Registration in Azure.
Copy App Registration properties.
Add App Registration details to Advanced Insights Azure AD Settings tab.
Navigate to the Azure Portal and log in with an account that has permissions to create Azure App Registrations.
You will add a name for the app registration (for example "AdvancedInsights").
In Supported Accounts select "Accounts in this organizational directory only"
Redirect URI
Redirect URI is used for Microsoft to return the login token to Advanced Insights.
This URI must be configured with the value of the internal FQDN of the server hosting Advanced Insights, including the configured port.
(https://{AdvancedInsightsInternalServerFQDN}:{port}/account/login)
Example redirect URI:
https://advinsightsserver01.contoso.local:444/account/login
Select "Single-Page Application (SPA)" from the dropdown list in the "Redirect URI" section, and enter the URI.
When you have filled in the required properties click Register.
You will be shown the App Registration overview screen. We need to copy some properties from here.
Copy Application (client) ID and Directory (tenant) ID values into a Notepad document.
Now click the "Authentication" link on the left in the "Manage" section.
In the "Implicit grant for hybrid flows" section, tick both options for:
"Access tokens (used for implicit flows)"
"ID tokens (used for implicit and hybrid flows)"
This grants the application permissions to issue the tokens used by Advanced Insights to validate login.
To save changes, click 'Save'.
Click "Certificates and secrets", then within the "Client secrets" section, click "New client secret".
Name the secret and set an expiry duration that is suitable for your environment.
On expiry, logins to Advanced Insights using Azure AD credentials will stop working if you don’t update the client secret.
Click 'Add' to save the "Client secret" configuration.
Now you can copy the "Value" of your client secret and add it to your Notepad document:
This completes the configuration work in the Azure Portal.
Log into Advanced Insights with an administrator role account and navigate to the 'Administration' > 'Settings' menu. Select the "AzureAD" tab.
Clear the "Deactivate" checkbox.
Enter the value for your Application ID/ClientID.
Enter the value for your Client Secret.
Enter the value for your Directory (tenant) ID.
Select 'Save All'.
By default, new users configured in Advanced Insights (including new Azure AD logins) will not be active (and can not login) until an administrator manually activates the account.
Log into Advanced Insights with an administrator role account and navigate to the 'Administration' > 'Settings' menu. Select the "User Management" tab.
Enable "New registered users are active by default." checkbox.
Select 'Save All'.
This completes the configuration for adding the Azure AD Application registration details to Advanced Insights.
The Advanced Insights logon screen will now show a "Sign in with Microsoft" button.
At first logon, an Azure administrator will have to consent to the application registration requested permissions.
By default, new users will only be granted access to the Advanced Insights overview home page.
Advanced Insights administrator can then enable access to additional dashboard views.
You should check in the Users area in Advanced Insights that there are no existing user accounts with email addresses that match the Azure AD accounts you are going to have logging in. If you do, you can delete these accounts and they will be recreated on first login by that user.
You will always be able to log in as the Advanced Insights "Admin" to make configuration changes.
If the Azure AD Account a user logs into Advanced Insights with has a matching on-prem AD Account with the same Email Address set, any RBAC role they have in ConfigMgr for their on-prem AD account will be maintained in Advanced Insights.
For example, if a log in with this Azure AD Account is used:
The On-Prem Active Directory object of this account has the users Azure AD UPN set as the email property: