Setting up Azure Active Directory
In order to use Microsoft's identity service in Dime.Scheduler, we need to set up a few things in Azure first. In this guide, we'll walk you through the process manually.
If you wish to automate this process and run a script, proceed right to the end of the guide.
Registering a new application in Azure AD
First things first: you need to log on. Sign in to the Azure portal via this link. Make sure to select the correct account and subscription.
Next, navigate to the Azure Active Directory service. Once there, open the 'Manage' submenu and click on 'App registrations'.
In the panel on the right-hand side, click the button called 'New registration'. A new window appears with a form that requires you to fill out the following information:
Name: Dime.Scheduler would be a good start
Supported account types: select 'Accounts in this organizational directory only'
Redirect URI: select 'Web' and then enter the redirect URI (or reply URL) for your application. Provide the base URL of your app, for example: https://uritodimescheduler/Account/AzureADCallback. Make sure to append the suffix 'Account/AzureADCallback' to the URI. There are restrictions to the redirect URI:
- The publicly accessible URI must begin with the scheme https.
- For local testing, Azure accepts an unprotected endpoint such as http://localhost.
Adding permissions
From the app's Overview page, select API permissions.
Select the Add a permission button.
Add the Microsoft Graph User.Read (https://graph.microsoft.com/User.Read) permission, if it hasn't already been added.
The result should be something like this:
Obtaining the client id and secret
Three pieces of information are required in order to connect Dime.Scheduler with Azure AD:
- Azure Client Id
- Azure Client Secret
- Azure Authorization Endpoint
The client id can be found on the app's home page, as depicted in this image:
The client secret can be obtained by navigating to the 'Certificates & secrets' submenu and creating a new client secret:
You will notice that there is an expiration date to this secret, so make sure to update the key in Dime.Scheduler before it expires. Alternatively, pick a date that's a long time away from now.
Finally, navigate to the Overview section. In the center of the blade, click the "Endpoints" button. This opens a panel on the right-hand side of the screen with a series of URIs. Click the clipboard button of the first item, labelled 'OAuth 2.0 authorization endpoint (v2)'.
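The registration, permission, secret and endpoint steps above can also be carried out from a PowerShell session. The script below is an added example written for this guide; it is not Dime.Scheduler's own script and is unrelated to the gist used in the Script section. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module), assumes the base URL is a placeholder you replace with your own, and picks a six-month secret lifetime as an example value. The Microsoft Graph resource id and the User.Read scope id are Microsoft's well-known identifiers.

```powershell
# Added example (not Dime.Scheduler's own code): registers the app described in this guide
# with the Microsoft Graph PowerShell SDK and prints the three values Dime.Scheduler needs.
# Prerequisite: Install-Module Microsoft.Graph.Applications

$BaseUrl     = 'https://YOUR-DIMESCHEDULER-HOST'   # placeholder: replace with your app's base URL
$RedirectUri = "$BaseUrl/Account/AzureADCallback"  # suffix required by Dime.Scheduler
$AppName     = 'Dime.Scheduler'

# Well-known identifiers: the Microsoft Graph resource and its User.Read delegated scope.
$GraphAppId = '00000003-0000-0000-c000-000000000000'
$UserReadId = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'

function Test-RedirectUri {
    param([Parameter(Mandatory)][string] $Uri)
    # Azure's rule from this guide: public reply URLs must be https;
    # plain http is only accepted for local (loopback) testing.
    $u = [Uri] $Uri
    if ($u.Scheme -eq 'https') { return $true }
    if ($u.Scheme -eq 'http' -and $u.IsLoopback) { return $true }
    return $false
}

if (-not (Test-RedirectUri $RedirectUri)) {
    throw "Redirect URI '$RedirectUri' must use https (http is only allowed for localhost)."
}

# Sign in with a scope that allows creating app registrations in the directory.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# 1. Register the application: single tenant, web platform, one reply URL,
#    requesting the Microsoft Graph User.Read delegated permission.
$app = New-MgApplication -DisplayName $AppName `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($RedirectUri) } `
    -RequiredResourceAccess @(
        @{
            ResourceAppId  = $GraphAppId
            ResourceAccess = @(@{ Id = $UserReadId; Type = 'Scope' })
        }
    )

# 2. Create a client secret. Note the expiry: Dime.Scheduler must be updated before it lapses.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Dime.Scheduler'
    EndDateTime = (Get-Date).AddMonths(6)   # example lifetime, adjust to your policy
}

# 3. The v2 authorization endpoint is derived from the tenant of the signed-in session.
$tenantId = (Get-MgContext).TenantId
$authorizationEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize"

# The three values to paste into Administration -> Application -> Security -> Azure AD.
[pscustomobject]@{
    'Azure Client Id'              = $app.AppId
    'Azure Client Secret'          = $secret.SecretText   # shown once; store it in Dime.Scheduler now
    'Secret Expires'               = $secret.EndDateTime
    'Azure Authorization Endpoint' = $authorizationEndpoint
} | Format-List
```

The secret value is only returned at creation time, so copy it into Dime.Scheduler immediately; if it is lost, create a new secret rather than trying to recover it. As in the portal flow, no admin consent is granted here: each user consents to User.Read on their first login.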
Configure Dime.Scheduler
Navigate to Administration -> Application and locate the 'Security' tab. This tab exposes two sets of configuration groups:
- Windows AD
- Azure AD
It is important to know that these are very different technologies. At this point we're only interested in connecting with Azure AD.
Copy the three values you just retrieved from the previous section, and paste them in their corresponding form values in Dime.Scheduler. Don't forget to hit the save button. Now you are ready to add some Azure AD users.
Adding an Azure AD User
Adding an Azure AD user is as simple as adding a new record in the User administration view. Two columns are particularly important:
- The type must be 'Azure AD'
- The user's e-mail address must correspond to the e-mail address stored in Azure AD.
Logging in Dime.Scheduler
Users logging in via the 'Azure AD' button are redirected to Azure to authenticate against that service. Usually the user name is already populated, and often the password as well if the user signed in to Azure earlier.
When a user logs in to Dime.Scheduler for the first time, a window similar to the one below appears. It asks the user to consent to Dime.Scheduler using the requested permissions:
Script
If you prefer scripting, all you need to do is gather a few parameters and run the script below. Since the command downloads and executes a script from the gist URL, review the script at that URL before running it.
# Enable TLS 1.2 for the download below (the older protocol names are kept for compatibility).
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
# Download the registration script from the gist and invoke it with your tenant details.
iex "& { $(irm https://gist.githubusercontent.com/hbulens/ba4a5812af7ff8fd1d8fa88ff2346691/raw) } -tenantId YOUR-TENANT-ID -tenantName YOUR-TENANT-NAME"
You'll need to provide two pieces of information:
- The Azure tenant ID
- The Azure tenant name
To obtain this information, follow Microsoft's instructions here.
This script, by default, assigns three permissions to the app:
- Calendars.ReadWrite
- MailBoxSettings.ReadWrite
- User.Read.All
This permission set is enough to run both the authentication and the Exchange connector. However, if you wish to override it, you can append the applicationPermissions parameter, which accepts a PowerShell array such as @('Calendars.ReadWrite', 'MailBoxSettings.ReadWrite', 'User.Read.All').
Finally, the appName parameter allows you to override the name of the app registration.