Creating an Entra app registration or Access Manager
Creating an Entra app for Access Manager
If you are going to be using Entra to authenticate users with OpenID Connect, if you want to access LAPS passwords stored in Entra ID, or you want to install the Lithnet Access Manager agent on Entra-joined devices, you'll need to create an app registration for Access Manager in your Entra ID portal.
You only need a single app registration for the Access Manager instance. Just ensure that you grant the appropriate directory permissions for the scenarios you want to support.
Step 1: Configure a new application in Entra ID
Log into portal.azure.com with administrative credentials, select
More servicesand selectMicrosoft Entra IDFrom the left hand menu, expand
Manage, selectApp registrationsand clickNew registrationEnter
Lithnet Access Manageror another suitable application name, and selectAccounts in this organizational directory only (Single tenant)as the supported account typeClick
RegisterTake note of the
Application IDvalue, this is ourclient IDTake note of the Directory/Tenant ID
From the
Certificates and secretspage, clicknew client secret, give your secret a name, and then take note of the value provided.
If you want to enable user authentication via OIDC, then you'll also need to complete the following steps
From the left-hand menu, click
ManagethenAuthentication. ClickAdd a platform.Select
Webas the platform typeIn the
redirect URIfield enter the base URL where your Access Manager web app is hosted followed by/auth(e.g.https://accessmanager.lithnet.local/auth)Set the
front-channel logout URLto be the same as your base URL, with/auth/logoutappended to it. (e.g.https://accessmanager.lithnet.local/auth/logout)Click
Configure
Step 2: Grant directory permissions
From the
API permissionspage, clickAdd permission, chooseMicrosoft Graph, followed byApplication permissionsand grant the API permissions shown in the tables below, relevant to your scenarioOnce you have added the permissions, click on
Grant admin consent, and ensure each permission shows a status ofGranted for <tenant name>.
User authentication using OpenID Connect
Organization.Read.All
- All scenarios
Allows Access Manager to read basic tenant information such as the tenant name and tenant ID
User.Read
Allows Access Manager to read information about users in the tenant when they log in
Accessing LAPS passwords stored in Entra
Organization.Read.All
Allows Access Manager to read basic tenant information such as the tenant name and tenant ID
Device.Read.All
Allows Access Manager to read information about devices in the tenant
Group.Read.All
Allows Access Manager to read information about groups and their members
AdministrativeUnit.Read.All
Allows Access Manager to read information about administrative units in the tenant
DeviceLocalCredential.Read.All
Allows Access Manager to read LAPS passwords stored in the Entra directory, when using the Windows LAPS agent. Not required if using the Access Manager Agent to manage LAPS passwords
Deploying the Access Manager Agent to Entra-joined devices
Organization.Read.All
Allows Access Manager to read basic tenant information such as the tenant name and tenant ID
Device.Read.All
Allows Access Manager to read information about devices in the tenant
Group.Read.All
Allows Access Manager to read information about groups and their members
AdministrativeUnit.Read.All
Allows Access Manager to read information about administrative units in the tenant
Last updated
Was this helpful?