# Advanced Insights Azure AD (Entra ID) Authentication

*Applies to: Patch My PC Advanced Insights*

Advanced Insights supports authentication with Entra ID credentials using OpenID. Configuration is a two-step process:

1. Create an App Registration in Entra
2. Enter the App Registration details into Advanced Insights

### Creating the App Registration <a href="#creating-the-app-registration" id="creating-the-app-registration"></a>

Navigate to the Entra Admin Centre and log in with an account that has permissions to create App Registrations.

You will add a name for the App Registration (for example *"AdvancedInsights"*).

In Supported Accounts select ***"Accounts in this organizational directory only"***

**Redirect URI**

{% hint style="info" %}
**Redirect URI** is used for Microsoft to return the login token to Advanced Insights.

This URI must be configured with the value of the internal FQDN of the server hosting Advanced Insights, including the configured port.

*(https\://**{AdvancedInsightsInternalServerFQDN}:{port}**/account/login)*
{% endhint %}

Example redirect URI:

*<https://advinsightsserver01.contoso.local:444/account/login>*

Select ***"Single-Page Application (SPA)"*** from the dropdown list in the ***"Redirect URI"*** section, and enter the URI.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FxIAfDMb4CO7GOPId7fNI%2Fapp-reg.png?alt=media&#x26;token=9e0193cc-3484-4af8-9a0b-8895b707304f" alt=""><figcaption></figcaption></figure>

When you have filled in the required properties click **Register**.

You will be shown the App Registration overview screen. We need to copy some properties from here.

Copy **Application (client) ID** and **Directory (tenant) ID** values into a Notepad document.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FmXhBktcmuN0isGng4JrX%2Fapp-reg2.png?alt=media&#x26;token=6586ca7e-7a7b-4bf0-a9e7-1fabc54925ef" alt=""><figcaption></figcaption></figure>

Now click the ***"Authentication"*** link on the left in the ***"Manage"*** section.

In the ***"Implicit grant for hybrid flows"*** section, tick both options:

* ***"Access tokens (used for implicit flows)"***
* ***"ID tokens (used for implicit and hybrid flows)"***

This grants the application permissions to issue the tokens used by Advanced Insights to validate login.

To save changes, click **'Save'**.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FCZ6nBaXLYWCqL5BPurK3%2Fapp-reg3.png?alt=media&#x26;token=9435494e-ae45-4231-bd93-ba56aee61853" alt=""><figcaption></figcaption></figure>

Click **"Certificates and secrets"**, then within the **"Client secrets"** section, click ***"New client secret"***.

Name the secret and set an expiry duration that is suitable for your environment.

{% hint style="info" %}
On expiry, logins to Advanced Insights using Entra ID credentials will stop working if you don’t update the client secret.
{% endhint %}

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2Fm8xBfXohkXd7sXcNAuXy%2Fapp-reg5.png?alt=media&#x26;token=1bb67c08-5d4f-43fa-af76-e511620c84fe" alt=""><figcaption></figcaption></figure>

Click 'Add' to save the **"Client secret"** configuration.

Now you can copy the **"Value"** of your client secret and add it to your Notepad document:

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FGStyzLWVLyaqTsC7MNCF%2Fapp-reg6.png?alt=media&#x26;token=7df97b06-6903-446a-ad3a-907533b14c66" alt=""><figcaption></figcaption></figure>

This completes the configuration work in the Azure Portal.
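One way to check the finished registration against the settings above, as an added example rather than Patch My PC code: it audits a trimmed Microsoft Graph application object (for example the output of `az ad app show`) for tenant scope, SPA redirect URI, implicit grant options and client secret expiry. The sample object, secret name, dates and the 30-day warning window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

EXPECTED_REDIRECT = "https://advinsightsserver01.contoso.local:444/account/login"

# Constructed sample: trimmed Microsoft Graph application object for the
# registration above. The secret name and dates are placeholders.
SAMPLE_APP = json.loads("""
{
  "displayName": "AdvancedInsights",
  "signInAudience": "AzureADMyOrg",
  "spa": {"redirectUris": ["https://advinsightsserver01.contoso.local:444/account/login"]},
  "web": {"redirectUris": [], "implicitGrantSettings":
          {"enableAccessTokenIssuance": true, "enableIdTokenIssuance": true}},
  "passwordCredentials": [
    {"displayName": "advinsights-secret", "endDateTime": "2025-07-01T00:00:00Z"}
  ]
}
""")


def audit_app_registration(app, expected_redirect, now=None, warn_days=30):
    """Return a list of findings; an empty list means the settings match."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # "this organizational directory only"
        findings.append("supported accounts is not single-tenant")
    spa_uris = app.get("spa", {}).get("redirectUris", [])
    if expected_redirect not in spa_uris:
        findings.append("redirect URI is not registered as SPA")
    for uri in spa_uris + app.get("web", {}).get("redirectUris", []):
        if uri != expected_redirect:
            findings.append(f"unexpected redirect URI: {uri}")
    grants = app.get("web", {}).get("implicitGrantSettings", {})
    for key in ("enableAccessTokenIssuance", "enableIdTokenIssuance"):
        if not grants.get(key):
            findings.append(f"{key} is not enabled")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret configured")
    for cred in secrets:
        # Sample timestamps carry no fractional seconds; "Z" is mapped to +00:00.
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        name = cred.get("displayName")
        if end <= now:
            findings.append(f"client secret {name!r} has expired")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"client secret {name!r} expires within {warn_days} days")
    return findings
```

Running the audit on a schedule gives advance notice of the secret expiry that would otherwise stop Entra ID logins.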

### Adding settings to Advanced Insights <a href="#adding-settings-to-callisto" id="adding-settings-to-callisto"></a>

1. Log into Advanced Insights with an **administrator** role account and navigate to the ***'Administration' > 'Settings'*** menu. Select the ***"AzureAD"*** tab.
2. Clear the ***"Deactivate"*** checkbox.
3. Enter the value for your **Application ID/ClientID**.
4. Enter the value for your **Client Secret**.
5. Enter the value for your **Directory (tenant) ID**.
6. Select ***'Save All'***.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FCwKx39XSB36Bov5R5Au8%2Fadvins1.png?alt=media&#x26;token=e0fcc6df-bd01-4a73-bbe0-03ff25a641fb" alt=""><figcaption></figcaption></figure>

## **New users**

{% hint style="info" %}
By default, new users configured in Advanced Insights **(including new Entra ID logins)** will not be active (and cannot log in) until an administrator manually activates the account.

<img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FHjUO66r0YqS5wOtS0Wsl%2Factivation.png?alt=media&#x26;token=493bc1f6-473b-454c-bc1e-26fbb7951539" alt="" data-size="original">
{% endhint %}

1. Log into Advanced Insights with an **administrator** role account and navigate to the ***'Administration' > 'Settings'*** menu. Select the ***"User Management"*** tab.
2. Enable the ***"New registered users are active by default."*** checkbox.
3. Select ***'Save All'***.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2Fd7Fs98YpMT3eKoQ9XhLO%2Fnewusers1.png?alt=media&#x26;token=bd1f2a50-c8a9-4e2d-965f-757fad4a7665" alt=""><figcaption></figcaption></figure>

This completes the configuration for adding the Entra ID App Registration details to Advanced Insights.

## **First login - Consent to Permissions**

The Advanced Insights logon screen will now show a ***"Sign in with Microsoft"*** button.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2F2zRaIkSikNcMpj74aohu%2Fadvinslogin1.png?alt=media&#x26;token=08b748e6-e676-424e-af3f-f0c74793e6ca" alt=""><figcaption></figcaption></figure>

At first logon, an Azure administrator will have to consent to the permissions requested by the application registration.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FYxeouHPCMCamiy3qK5pX%2Fadvinslogin2.png?alt=media&#x26;token=387d379d-8136-41ef-80c6-9deaf2982902" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
By default, new users will only be granted access to the Advanced Insights overview home page.

An Advanced Insights administrator can then enable access to additional dashboard views.
{% endhint %}

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FhfubAfFNYocgbuRLa54w%2Fhome.png?alt=media&#x26;token=0715fae3-b631-43e5-a9b3-2d88740e1f2e" alt=""><figcaption></figcaption></figure>

### User requirements <a href="#user-requirements" id="user-requirements"></a>

In the Users area in Advanced Insights, check that there are no existing user accounts with email addresses that match the Entra ID accounts you are going to have logging in. If there are, you can delete these accounts and they will be recreated on first login by that user.

You will always be able to log in as the Advanced Insights "Admin" to make configuration changes.

If the Entra ID account a user logs into Advanced Insights with has a matching on-prem AD Account with the same Email Address set, any RBAC role they have in ConfigMgr for their on-prem AD account will be maintained in Advanced Insights.

For example, if this Entra ID account is used to log in:

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FibfNS2K4lHPFvs8eQ0v7%2Fuser1.png?alt=media&#x26;token=581fbac1-b4c2-4e3e-955b-8bedb7fcbbbb" alt=""><figcaption></figcaption></figure>

The on-premises Active Directory object of this account has the user's Entra ID UPN set as the email property:

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2Fx4XywtyIcbb1luTSSoro%2Fuser2.png?alt=media&#x26;token=91f3cab7-7615-4c43-9451-a3072609d418" alt=""><figcaption></figcaption></figure>

