Creating an Entra app registration or Access Manager
Creating an Entra app for Access Manager
If you are going to be using Entra to authenticate users with OpenID Connect, if you want to access LAPS passwords stored in Entra ID, or you want to install the Lithnet Access Manager agent on Entra-joined devices, you'll need to create an app registration for Access Manager in your Entra ID portal.
You only need a single app registration for the Access Manager instance. Just ensure that you grant the appropriate directory permissions for the scenarios you want to support.
Step 1: Configure a new application in Entra ID
Log into portal.azure.com with administrative credentials, select
More services
and selectMicrosoft Entra ID
From the left hand menu, expand
Manage
, selectApp registrations
and clickNew registration
Enter
Lithnet Access Manager
or another suitable application name, and selectAccounts in this organizational directory only (Single tenant)
as the supported account typeClick
Register
Take note of the
Application ID
value, this is ourclient ID
Take note of the Directory/Tenant ID
From the
Certificates and secrets
page, clicknew client secret
, give your secret a name, and then take note of the value provided.
If you want to enable user authentication via OIDC, then you'll also need to complete the following steps
From the left-hand menu, click
Manage
thenAuthentication
. ClickAdd a platform
.Select
Web
as the platform typeIn the
redirect URI
field enter the base URL where your Access Manager web app is hosted followed by/auth
(e.g.https://accessmanager.lithnet.local/auth
)Set the
front-channel logout URL
to be the same as your base URL, with/auth/logout
appended to it. (e.g.https://accessmanager.lithnet.local/auth/logout
)Click
Configure
Step 2: Grant directory permissions
From the
API permissions
page, clickAdd permission
, chooseMicrosoft Graph
, followed byApplication permissions
and grant the API permissions shown in the tables below, relevant to your scenarioOnce you have added the permissions, click on
Grant admin consent
, and ensure each permission shows a status ofGranted for <tenant name>
.
User authentication using OpenID Connect
Organization.Read.All
- All scenarios
Allows Access Manager to read basic tenant information such as the tenant name and tenant ID
User.Read
Allows Access Manager to read information about users in the tenant when they log in
Accessing LAPS passwords stored in Entra
Organization.Read.All
Allows Access Manager to read basic tenant information such as the tenant name and tenant ID
Device.Read.All
Allows Access Manager to read information about devices in the tenant
Group.Read.All
Allows Access Manager to read information about groups and their members
AdministrativeUnit.Read.All
Allows Access Manager to read information about administrative units in the tenant
DeviceLocalCredential.Read.All
Allows Access Manager to read LAPS passwords stored in the Entra directory, when using the Windows LAPS agent. Not required if using the Access Manager Agent to manage LAPS passwords
Deploying the Access Manager Agent to Entra-joined devices
Organization.Read.All
Allows Access Manager to read basic tenant information such as the tenant name and tenant ID
Device.Read.All
Allows Access Manager to read information about devices in the tenant
Group.Read.All
Allows Access Manager to read information about groups and their members
AdministrativeUnit.Read.All
Allows Access Manager to read information about administrative units in the tenant
Last updated