Azure AD Authentication

Enabling user authentication using Azure Active Directory

Advanced Insights supports authentication with Azure AD credentials using OpenID Connect. Configuring this is a three-step process:

  1. Create an App Registration in Azure.

  2. Copy App Registration properties.

  3. Add App Registration details to Advanced Insights Azure AD Settings tab.

Creating the App Registration

Navigate to the Azure Portal and log in with an account that has permissions to create Azure App Registrations.

Enter a name for the app registration (for example "AdvancedInsights").

Under "Supported account types", select "Accounts in this organizational directory only" so that only accounts from your own tenant can sign in.

Redirect URI

The redirect URI is where Microsoft returns the login token to Advanced Insights after a successful sign-in.

It must be built from the internal FQDN of the server hosting Advanced Insights, including the configured port, followed by the /account/login path. Azure AD only redirects to a URI that exactly matches a registered value, so the scheme, host, port and path must match what users type into the browser.

(https://{AdvancedInsightsInternalServerFQDN}:{port}/account/login)

Example redirect URI:

https://advinsightsserver01.contoso.local:444/account/login

Select "Single-Page Application (SPA)" from the dropdown list in the "Redirect URI" section, and enter the URI.

When you have filled in the required properties click Register.

You will be shown the App Registration overview screen. We need to copy some properties from here.

Copy Application (client) ID and Directory (tenant) ID values into a Notepad document.

Now click the "Authentication" link on the left in the "Manage" section.

In the "Implicit grant and hybrid flows" section, tick both options:

"Access tokens (used for implicit flows)"

"ID tokens (used for implicit and hybrid flows)"

This allows the Azure AD authorization endpoint to return these tokens directly to the redirect URI, which is how Advanced Insights validates the login. Because implicit-flow tokens are delivered in the browser redirect, enable only the token types the application needs and keep the redirect URI list limited to the Advanced Insights server.

To save changes, click 'Save'.

Click "Certificates and secrets", then within the "Client secrets" section, click "New client secret".

Name the secret and set an expiry duration that is suitable for your environment.

On expiry, logins to Advanced Insights using Azure AD credentials will stop working if you don’t update the client secret.

Click 'Add' to save the "Client secret" configuration.

Copy the "Value" of the client secret now and add it to your Notepad document. The value is displayed only once; after you leave the page only the secret ID is shown, and you would have to create a new secret.

This completes the configuration work in the Azure Portal.
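The portal steps above can also be scripted. The following is an added example (it is not part of the Advanced Insights documentation or product) that performs the same registration with the Microsoft Graph PowerShell SDK: single-tenant app, SPA redirect URI, both implicit-grant token types, and a client secret. The app name, the redirect URI (taken from the example above) and the 12-month secret lifetime are assumed values; adjust them for your environment.

```powershell
# Added example, not from the Advanced Insights documentation. Requires
# Install-Module Microsoft.Graph and an account permitted to create app registrations.
$DisplayName          = "AdvancedInsights"                                             # assumed
$RedirectUri          = "https://advinsightsserver01.contoso.local:444/account/login"  # assumed FQDN/port
$SecretLifetimeMonths = 12                                                             # assumed

Connect-MgGraph -Scopes "Application.ReadWrite.All"

# 1. App registration: this tenant only, SPA redirect URI, and both implicit-grant
#    token types (the two checkboxes under "Implicit grant and hybrid flows").
$app = New-MgApplication -DisplayName $DisplayName `
    -SignInAudience "AzureADMyOrg" `
    -Spa @{ RedirectUris = @($RedirectUri) } `
    -Web @{ ImplicitGrantSettings = @{ EnableAccessTokenIssuance = $true; EnableIdTokenIssuance = $true } }

# The portal creates the matching service principal (Enterprise Application)
# automatically when you click Register; the Graph API does not, so create it here.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 2. Client secret. SecretText is only returned by this call and cannot be read back later,
#    which is the scripted equivalent of the one-time "Value" shown in the portal.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "AdvancedInsights login"
    EndDateTime = (Get-Date).AddMonths($SecretLifetimeMonths)
}

# 3. The three values the Advanced Insights AzureAD tab asks for, plus the expiry
#    date you need to track so logins do not stop working when the secret lapses.
[pscustomobject]@{
    ApplicationClientId = $app.AppId
    DirectoryTenantId   = (Get-MgContext).TenantId
    ClientSecretValue   = $secret.SecretText
    SecretExpires       = $secret.EndDateTime
} | Format-List
```

Record the SecretExpires date somewhere that is reviewed (a calendar reminder or your secrets inventory); rotating the secret means running step 2 again and pasting the new value into the Advanced Insights AzureAD tab before the old one expires.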

Adding settings to Advanced Insights

  1. Log into Advanced Insights with an administrator role account and navigate to the 'Administration' > 'Settings' menu. Select the "AzureAD" tab.

  2. Clear the "Deactivate" checkbox.

  3. Enter the value for your Application ID/ClientID.

  4. Enter the value for your Client Secret.

  5. Enter the value for your Directory (tenant) ID.

  6. Select 'Save All'.

New users

By default, new users configured in Advanced Insights (including new Azure AD logins) are not active (and cannot log in) until an administrator manually activates the account. To let Azure AD users log in without manual activation:

  1. Log into Advanced Insights with an administrator role account and navigate to the 'Administration' > 'Settings' menu. Select the "User Management" tab.

  2. Enable "New registered users are active by default." checkbox.

  3. Select 'Save All'.

This completes the configuration for adding the Azure AD application registration details to Advanced Insights. Note that with this setting enabled, any account in your tenant that can sign in to the app registration gets an active Advanced Insights account on first login; if you want an administrator to review each account before it can be used, leave the checkbox cleared and activate users manually instead.

The Advanced Insights logon screen will now show a "Sign in with Microsoft" button.

At first logon, consent must be given to the permissions requested by the app registration; depending on your tenant's user consent settings, an Azure AD administrator may have to grant this consent.

By default, new users will only be granted access to the Advanced Insights overview home page.

An Advanced Insights administrator can then enable access to additional dashboard views.

User requirements

Before enabling Azure AD login, check in the Users area of Advanced Insights that there are no existing user accounts with email addresses matching the Azure AD accounts that will be logging in. If there are, delete those accounts; they will be recreated on first login by that user.

You will always be able to log in as the Advanced Insights "Admin" to make configuration changes.

If the Azure AD account a user logs into Advanced Insights with has a matching on-prem AD account with the same email address set, any RBAC role that on-prem AD account has in ConfigMgr will be maintained in Advanced Insights.

For example, a user logs in with their Azure AD account, and the on-prem Active Directory object for that user has the user's Azure AD UPN set as its email property. In that case the user's ConfigMgr RBAC role applies to their Advanced Insights session as well.
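The match described above depends on the on-prem account's mail attribute carrying the Azure AD UPN. The following is an added example (not part of the Advanced Insights documentation) that checks this for one user, using the Microsoft.Graph and ActiveDirectory (RSAT) PowerShell modules: it reads the UPN from Azure AD, then looks for exactly one on-prem account whose mail attribute equals it. The function name and the UPN in the usage line are assumed values.

```powershell
# Added example, not from the Advanced Insights documentation. Requires the
# Microsoft.Graph and ActiveDirectory (RSAT) modules.
function Test-AdvInsightsUserMapping {
    param([Parameter(Mandatory)][string]$Upn)   # function name is an assumption

    # Cloud side: confirm the account exists and take the UPN exactly as Azure AD stores it.
    $cloudUser = Get-MgUser -UserId $Upn -Property UserPrincipalName -ErrorAction Stop

    # On-prem side: the match is made on the email address, so search the mail attribute
    # rather than the on-prem UPN, which may differ from the Azure AD UPN.
    $onPrem = @(Get-ADUser -Filter "mail -eq '$($cloudUser.UserPrincipalName)'" -Properties mail)

    switch ($onPrem.Count) {
        0       { $status = "NoOnPremMatch"; $account = $null }                       # RBAC role will not carry over
        1       { $status = "Ok";            $account = $onPrem[0].SamAccountName }
        default { $status = "Ambiguous";     $account = ($onPrem.SamAccountName -join ",") }  # fix duplicate mail values first
    }

    [pscustomobject]@{
        AzureAdUpn    = $cloudUser.UserPrincipalName
        OnPremAccount = $account
        Status        = $status
    }
}

Connect-MgGraph -Scopes "User.Read.All"
Test-AdvInsightsUserMapping -Upn "jane.doe@contoso.com"   # assumed UPN
```

Run it for each ConfigMgr administrator before they first sign in with Azure AD: a "NoOnPremMatch" result means the user will land with only the default overview access, and an "Ambiguous" result means two on-prem objects share the same mail value and should be cleaned up before relying on the mapping.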
