Register and Configure an Application in Azure Active Directory

Before you can create Azure Active Directory (AD) credentials and add Azure AD groups and users into BeyondInsight, you must first register and configure an application in the Azure AD tenant where the user accounts reside. The steps below walk through creating a registered application in Azure AD, creating a client secret for the registered app, and configuring API permissions for the registered app.

Create a Registered Application in Azure AD

Sign in to Azure and connect to the Azure AD tenant where the credentials you wish to add into BeyondInsight reside. Then follow these steps:

  1. On the left menu, select App registrations.
  2. Click + New Registration.
  3. Under Name, enter a unique application name.
  4. Under Supported account types, select Accounts in this organizational directory only.
  5. Click Register.

Create a Client Secret for the Registered App

  1. Select the newly created app from the list of App Registrations (if not already visible).
  2. Select Certificates & secrets from the left menu.
  3. Click + New Client Secret.
  4. Provide a Description and appropriate Expiry. If you select 1 or 2 years, the directory credential must be refreshed in BeyondInsight with a new client secret on the anniversary of its creation.
  5. Click Add.
  6. Copy the client secret and store it in a safe place. It is required when creating directory credentials for Azure AD in BeyondInsight.

This is the only time this client secret value is displayed.

Assign API Permissions to the Registered Application

  1. Select the newly created app from the list of App Registrations.
  2. Select API Permissions from the left menu.
  3. Click + Add a permission.
  4. Click Microsoft Graph.
  5. Click Application Permissions.
  6. Search for User.Read.All and check the box in the search results.
  7. Search for Group.Read.All and check the box in the search results.
  8. Click Add permissions.
  9. Search for Domain.Read.All and check the box in the search results.
  10. Click Add permissions.
  11. Click Grant Admin Consent for <directory name> to consent to the app having the permissions you just added.
  12. Click Yes to confirm.

Now that your registered app is created, has a client secret, and has API permissions assigned, select Overview from the left menu and copy the Application (client) ID and the Directory (tenant) ID. Store these in a safe place, as they are required when creating directory credentials for Azure AD in BeyondInsight.
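A check that the registration matches the settings above, added here as an example (it is not BeyondInsight or Microsoft code): it audits the application object as exported by az ad app show --id <client-id> and flags a multi-tenant audience, missing or extra Microsoft Graph permissions, and client secrets near expiry. The permission ids in the sample are constructed placeholders; the id-to-name map is assumed to be built from the appRoles of the Microsoft Graph service principal in your tenant.

```python
from datetime import datetime, timedelta, timezone
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
EXPECTED = {"User.Read.All", "Group.Read.All", "Domain.Read.All"}

def audit_app(app, role_names, now, warn_days=30):
    """Return findings for one application object (dict parsed from JSON)."""
    findings = []
    # "Accounts in this organizational directory only" is stored as AzureADMyOrg.
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("not single-tenant: %s" % app.get("signInAudience"))
    granted = set()
    for res in app.get("requiredResourceAccess", []):
        for acc in res.get("resourceAccess", []):
            name = role_names.get(acc["id"], acc["id"])
            if res.get("resourceAppId") != GRAPH_APP_ID:
                findings.append("non-Graph permission: " + name)
            elif acc.get("type") != "Role":  # "Scope" means delegated
                findings.append("delegated permission: " + name)
            else:
                granted.add(name)
    findings += ["missing permission: " + n for n in sorted(EXPECTED - granted)]
    findings += ["extra permission: " + n for n in sorted(granted - EXPECTED)]
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret")
    for s in secrets:
        # Graph timestamps are UTC; drop any fractional seconds before parsing.
        end = datetime.strptime(s["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        end = end.replace(tzinfo=timezone.utc)
        label = s.get("displayName") or s.get("keyId", "?")
        if end <= now:
            findings.append("secret expired: " + label)
        elif end - now <= timedelta(days=warn_days):
            findings.append("secret expires within %d days: %s" % (warn_days, label))
    return findings

# Constructed sample: ids are placeholders, not real Graph permission ids.
ROLE_NAMES = {"id-1": "User.Read.All", "id-2": "Group.Read.All",
              "id-3": "Domain.Read.All", "id-4": "User.Read"}
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "id-1", "type": "Role"}, {"id": "id-2", "type": "Role"},
        {"id": "id-4", "type": "Scope"}]}],
    "passwordCredentials": [{"displayName": "example-secret",
                             "endDateTime": "2025-01-11T00:00:00Z"}],
}
if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print("\n".join(audit_app(SAMPLE_APP, ROLE_NAMES, now)))
```

requiredResourceAccess lists the permissions the app requests; admin consent is recorded separately, so a clean result does not confirm that the Grant Admin Consent step was completed.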

 

For more information on directory credentials, please see Create and Edit Directory Credentials.