v3.0
Request a trial or quote

Creating an Entra app registration or Access Manager

Creating an Entra app for Access Manager

If you are going to be using Entra to authenticate users with OpenID Connect, if you want to access LAPS passwords stored in Entra ID, or you want to install the Lithnet Access Manager agent on Entra-joined devices, you'll need to create an app registration for Access Manager in your Entra ID portal.

You only need a single app registration for the Access Manager instance. Just ensure that you grant the appropriate directory permissions for the scenarios you want to support.

Step 1: Configure a new application in Entra ID

  1. Log into portal.azure.com with administrative credentials, select More services and select Microsoft Entra ID

  2. From the left hand menu, expand Manage, select App registrations and click New registration

  3. Enter Lithnet Access Manager or another suitable application name, and select Accounts in this organizational directory only (Single tenant) as the supported account type

  4. Click Register

  5. Take note of the Application ID value, this is our client ID

  6. Take note of the Directory/Tenant ID

  7. From the Certificates and secrets page, click new client secret, give your secret a name, and then take note of the value provided.

If you want to enable user authentication via OIDC, then you'll also need to complete the following steps

  1. From the left-hand menu, click Manage then Authentication. Click Add a platform.

  2. Select Web as the platform type

  3. In the redirect URI field enter the base URL where your Access Manager web app is hosted followed by /auth (e.g. https://accessmanager.lithnet.local/auth)

  4. Set the front-channel logout URL to be the same as your base URL, with /auth/logout appended to it. (e.g. https://accessmanager.lithnet.local/auth/logout)

  5. Click Configure

Step 2: Grant directory permissions

  1. From the API permissions page, click Add permission, choose Microsoft Graph, followed by Application permissions and grant the API permissions shown in the tables below, relevant to your scenario

  2. Once you have added the permissions, click on Grant admin consent, and ensure each permission shows a status of Granted for <tenant name>.

User authentication using OpenID Connect

PermissionRequire scenariosDescription

Organization.Read.All

- All scenarios

Allows Access Manager to read basic tenant information such as the tenant name and tenant ID

User.Read

Allows Access Manager to read information about users in the tenant when they log in

Accessing LAPS passwords stored in Entra

PermissionRequire scenariosDescription

Organization.Read.All

Allows Access Manager to read basic tenant information such as the tenant name and tenant ID

Device.Read.All

Allows Access Manager to read information about devices in the tenant

Group.Read.All

Allows Access Manager to read information about groups and their members

AdministrativeUnit.Read.All

Allows Access Manager to read information about administrative units in the tenant

DeviceLocalCredential.Read.All

Allows Access Manager to read LAPS passwords stored in the Entra directory, when using the Windows LAPS agent. Not required if using the Access Manager Agent to manage LAPS passwords

Deploying the Access Manager Agent to Entra-joined devices

PermissionRequire scenariosDescription

Organization.Read.All

Allows Access Manager to read basic tenant information such as the tenant name and tenant ID

Device.Read.All

Allows Access Manager to read information about devices in the tenant

Group.Read.All

Allows Access Manager to read information about groups and their members

AdministrativeUnit.Read.All

Allows Access Manager to read information about administrative units in the tenant

PreviousAdvanced help topicsNextSetting up agent policies

Last updated