Configure Azure AD to Recognize a New Orchestrator Instance
Note
The steps below apply to the Azure AD authentication setup. They are a broad description of a sample configuration; for a fully detailed how-to, see the official Microsoft documentation.
- Access the Microsoft Azure App Registrations page and click New Registration.
- In the Register an application page, fill in the Name field with the desired name of your Orchestrator instance.
- In the Supported account types section, select who can use the Orchestrator application. The recommended value is Accounts in this organizational directory only.
- Set the Redirect URI by selecting Web from the drop-down and filling in the URL of the Orchestrator instance plus the suffix /identity/azure-signin-oidc. For example, https://orchestratorURL/identity/azure-signin-oidc.
Note
Replace all occurrences of https://orchestratorURL with the URL of your Orchestrator instance. Whenever filling in the URL of the Orchestrator instance, make sure it does not contain a trailing slash. Always fill it in as https://orchestratorURL, not https://orchestratorURL/.
- Click Register to register your Orchestrator instance in Azure AD.
- Save the Application (Client) ID. You'll use it later in Identity Server.
 
Set Orchestrator/Identity Server to Use Azure AD Authentication
- Define a user in Orchestrator and make sure a valid Microsoft email address is set for that user on the Users page.
- Make sure that the following configuration is present in Identity Server's AzureAD settings on the External Providers page (see the separate instructions on how to access Identity Server):
  - Select the Enabled check box.
  - Set the Client ID parameter to the Application (Client) ID you saved when registering the Orchestrator instance in Azure AD.
  - (Optionally) Set the Client Secret parameter to the value obtained when configuring AzureAD authentication.
  - Set the Authority parameter to one of the following values:
    - https://login.microsoftonline.com/<tenant>, where <tenant> is the tenant ID of the Azure AD tenant or a domain associated with this Azure AD tenant. Used only to sign in users of a specific organization.
    - https://login.microsoftonline.com/common. Used to sign in users with work and school accounts or personal Microsoft accounts.
  - (Optionally) Set the Logout URL parameter to the value used while configuring AzureAD authentication.
- Click Save to save the changes to the external identity provider settings.
- Restart the IIS site after performing any configuration changes within Identity Server.
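The two values most often entered wrong in this procedure are the Redirect URI (trailing slash on the Orchestrator URL) and the Authority (a tenant-restricted value versus the broader common endpoint). The following added example, which is not UiPath's or Microsoft's code, builds the Redirect URI the way the page specifies and checks the AzureAD External Providers settings offline before you save them; the settings dictionary keys (Enabled, ClientId, Authority) are assumed names for this example, not Identity Server's own.

```python
import re
from urllib.parse import urlparse

# Constants taken from the procedure above.
REDIRECT_SUFFIX = "/identity/azure-signin-oidc"
AAD_AUTHORITY = "https://login.microsoftonline.com/"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def redirect_uri(orchestrator_url: str) -> str:
    """Build the Redirect URI to register in Azure AD from the Orchestrator URL.
    The page requires the base URL without a trailing slash, so it is stripped here."""
    base = orchestrator_url.strip().rstrip("/")
    parsed = urlparse(base)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"Orchestrator URL must be an absolute https URL: {orchestrator_url!r}")
    return base + REDIRECT_SUFFIX


def check_authority(authority: str) -> list[str]:
    """Return findings for the Authority value; an empty list means it is acceptable."""
    if not authority.startswith(AAD_AUTHORITY):
        return [f"Authority must start with {AAD_AUTHORITY}"]
    tenant = authority[len(AAD_AUTHORITY):].rstrip("/")
    if not tenant:
        return ["Authority is missing the tenant segment"]
    if tenant == "common":
        # Not invalid, but it widens who can sign in beyond one organization.
        return ["Authority 'common' accepts work/school and personal Microsoft accounts "
                "from any tenant; use a tenant ID or tenant domain to restrict sign-in "
                "to your organization"]
    if not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant.lower())):
        return [f"Tenant segment {tenant!r} is neither a tenant ID (GUID) nor a domain name"]
    return []


def check_settings(settings: dict) -> list[str]:
    """Validate the AzureAD external provider settings (assumed key names) from the page."""
    findings = []
    if not settings.get("Enabled"):
        findings.append("Enabled is not checked; Azure AD sign-in will not be offered")
    if not GUID_RE.match(settings.get("ClientId", "")):
        findings.append("ClientId is not the Application (Client) ID GUID from App Registrations")
    findings.extend(check_authority(settings.get("Authority", "")))
    return findings
```

Run check_settings on the values you intend to save; a non-empty list names what to fix before restarting the IIS site.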
 