
Management Console integration with Entra ID

Starting with Resilio Active Everywhere v3.3.2, the Resilio Management Console supports signing in with Entra ID users that have local Management Console roles assigned to them. Starting with v3.5.1, Azure API authorization is also available for the Resilio API.

Configure connection to Entra AD

  1. Register an application in the Microsoft Entra admin center. For details, see Register an application.
    Note: When registering the application, make sure to provide the redirect URI https://mc_address:8443/login/azuread/redirect, where mc_address is the IP address or the hostname of your Management Console.

  2. Create application roles, equivalent to user roles found in the Management Console:

    • super_administrator
    • administrator
    • view_only

    For details, see Add app roles to your application and receive them in the token.
    [Screenshot: Mc Azure Ad App Roles]

    Note: For information on custom roles, see Configuring custom user roles.

  3. Assign app roles to users. For details, see Assign users and groups to Microsoft Entra roles.
    [Screenshot: Mc Azure Ad Users Groups]

  4. Verify the application's API permissions under Manage > API permissions. The User.Read permission is required.
    [Screenshot: Mc Azure Ad Api Permissions]

    It should be granted automatically when the application is created. If it is not, click Add permissions > Microsoft Graph > Delegated permission, then in the Select permissions input field enter user.read and, in the User section, select the User.Read permission.
    [Screenshot: Mc Azure Ad Request Api Permissions]

  5. (Optional) Add the email claim to Token configuration; this allows you to enable e-mail notifications from the MC for Entra ID users:

    1. In the Manage section, select Token configuration.
    2. Click + Add optional claim.
    3. Select the ID token type, then select email and click Add.
      [Screenshot: Mc Azure Ad Add Claim]

    4. Select the Turn on the Microsoft Graph email permission option, then click Add.

  6. (Optional) Add an Application ID URI to expose an API if you plan to integrate with the Resilio API:

    1. In the Manage section, select Expose an API.
    2. Next to Application ID URI, click Add.
    3. Click Save.
      [Screenshot: Mc Azure Ad Application Id Uri]
  7. In the Resilio Management Console, select Settings > General > Advanced settings and set the Management Console address parameter to https://mc_address:8443 (the same mc_address as in step 1).
    [Screenshot: Mc Azure Ad Mc Address]

  8. Configure the connection to Entra ID:

    1. In the Resilio Management Console, select Settings > General.
    2. In the AZURE AD AUTHENTICATION section, click Configure.
    3. Provide Entra ID Authentication configuration parameters:

      • Client ID - Application (client) ID of the registered Resilio application.
      • Tenant ID - Directory (tenant) ID of the registered Resilio application.
        [Screenshot: Mc Azure Ad Params]
    4. Select Use Entra ID Authentication for Users, then provide:

      • Authority - https://login.microsoftonline.com/<tenant>/
      • Client secret - The application's secret key used to authorize the connection to Entra ID. You can find it under the Certificates and secrets menu, but its value is shown only when the secret is created.
        [Screenshot: Mc Azure Ad Secrets]
    5. Click Save.
      [Screenshot: Mc Azure Ad Configuration]

      Note: The Management Console does not validate or test the connection based on the provided parameters.

Once the Entra ID connection is configured, an option to sign in with Entra ID appears on the login screen.

[Screenshot: Mc Azure Ad Log In]

A logged-in Entra ID user appears in the list of MC users. Such users cannot be edited from the MC.

Configure custom user roles

Custom roles also work, but they are not guaranteed to work for all roles. A custom role name must be all lowercase, with spaces replaced by underscores. Single-word roles are not supported.

  1. Create a custom user group on the Management Console, for example Test Group.
  2. Transform its name: replace spaces with underscores (_) and make all letters lowercase. In this example, the result is test_group.
  3. In the Microsoft Entra admin center, create a role with that value and assign it to the users.
    [Screenshot: Mc Azure Ad Custom Role]

The logged-in user appears in the corresponding group on the MC.

[Screenshot: Mc Azure Ad Logged In User]

Configure API integration with Entra ID

Starting with Resilio Active Everywhere v3.5.1, Azure API authentication can be used for the MC API. Follow the steps below to configure it.

  1. Register an application as instructed above. Ensure that the API URI is set under "Expose an API" for that application.

  2. In the Management Console, select Settings > General > Entra ID configuration and select the option "Use Entra ID Authentication for API". API integration does not depend on authentication for users and can be configured separately.

  1. Register a new application: the API client daemon that will be calling the Resilio API. The client API app must be in the same tenant as the main application. Leave the redirect URI empty.

  2. Select Expose an API and set the API URI.
    [Screenshot: Mc Azure Ad Expose Api Uri]

  3. Select API permissions > Add a permission > My APIs. Select the main application and one of the groups created in the main application (super_administrator, administrator or view_only). That will be the access level used when calling the API.

    No app in the My APIs list

    You may not find your application in the list. In such a case, navigate to Manage > Owners and check that your user has been added as the Owner of your application.

    [Screenshot: Mc Azure Ad Add Api Permissions]

  4. Select Certificates and secrets and create a new client secret. Give it a name and copy its value right away, as it cannot be copied later.

  5. Recheck the supported token version. By default, Resilio Active Everywhere supports token versions 1 and 2. Check the main application's manifest to see which version is used (the accessTokenAcceptedVersion parameter); see here for more details.

    Note

    If only version 1 is supported, remove 'v2.0' from the OpenID URI in the Management Console's Entra ID configuration.

    [Screenshot: Mc Azure Ad Token V1]

  6. Generate the token itself. You can use any well-known script or tool to generate it. Otherwise, use the simple flow from Microsoft, Access token request with a shared secret, replacing the parameters from the example as follows:

    • client_id - the ID of the API client application.
    • scope - the API URI of the main application with /.default appended. Don't forget to URL-encode the symbols in the URI, for example scope=api%3A%2F%2F2e9f....%2F.default. If token v1.0 is used, api:// must not be included in the scope.
    • client_secret - the secret value of the API client application.
    • requested URL - be sure to use the valid tenant ID. If token v1.0 is used, remove v2.0 from the URL.

    You will receive a JWT access token.

  7. Use the generated token to make API calls to the Management Console. Put the token in the header "Authorization: Bearer <token>".
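The following Python script is an added example, not Resilio's own code or part of the Microsoft flow linked above. It ties steps 5 to 7 together with the custom-role naming rule from "Configure custom user roles": it builds the client-credentials request body with the scope URL-encoded (and the v1.0 variant without api:// and without v2.0 in the URL), decodes the returned JWT's payload so you can confirm the token version and the role it carries before the first API call, and attaches the token as the Bearer header. It assumes the standard Entra ID claim names roles, ver and aud; the tenant, application and API path values are placeholders, and the sample token is constructed and unsigned. Decoding here is inspection only; it does not verify the signature, which the Management Console does on its side.

```python
"""Client-credentials token request and token inspection for the MC API.
Added example, not Resilio's code. Placeholder values are constructed."""
import base64
import json
import urllib.parse
import urllib.request

LOGIN_HOST = "https://login.microsoftonline.com"
MC_ROLES = ("super_administrator", "administrator", "view_only")  # built-in MC roles


def mc_role_value(group_name):
    """Map an MC custom group name to the app-role value expected in Entra ID
    (lowercase, spaces replaced with underscores): 'Test Group' -> 'test_group'."""
    return group_name.strip().lower().replace(" ", "_")


def build_token_request(tenant_id, client_id, client_secret, app_id_uri, token_version="2.0"):
    """Return (url, form_body) for the 'access token request with a shared secret'.

    token_version follows accessTokenAcceptedVersion in the main app's manifest:
      2.0: URL contains /oauth2/v2.0/token, scope is '<api uri>/.default'
      1.0: v2.0 is removed from the URL and 'api://' is dropped from the scope
    """
    if token_version == "2.0":
        url = f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/token"
        scope = f"{app_id_uri}/.default"
    elif token_version == "1.0":
        url = f"{LOGIN_HOST}/{tenant_id}/oauth2/token"
        scope = app_id_uri.removeprefix("api://") + "/.default"
    else:
        raise ValueError("token_version must be '1.0' or '2.0'")
    # urlencode percent-encodes ':' and '/' in the scope: api%3A%2F%2F...%2F.default
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": scope,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return url, body


def request_token(url, body, timeout=30):
    """POST the form body to the token endpoint and return the access token.
    Real network call; not used by the offline checks below."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Decode the JWT payload segment WITHOUT verifying the signature.
    Only for a local look at 'ver', 'aud' and 'roles'; the MC validates the token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_access_level(claims, custom_groups=()):
    """Return the first MC role found in the token's 'roles' claim (built-in
    roles plus any custom MC group names given), or None if none is present."""
    allowed = set(MC_ROLES) | {mc_role_value(g) for g in custom_groups}
    for role in claims.get("roles", []):
        if role in allowed:
            return role
    return None


def authorization_header(token):
    """Header to attach to every Management Console API call."""
    return {"Authorization": f"Bearer {token}"}


def call_mc_api(mc_address, path, token, timeout=30):
    """GET https://<mc_address>:8443<path> with the bearer token (network call).
    The API path is a placeholder argument, not a documented MC endpoint."""
    req = urllib.request.Request(f"https://{mc_address}:8443{path}",
                                 headers=authorization_header(token))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims):
    """Constructed, unsigned sample token used only for the offline walkthrough."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature"


SAMPLE_CLAIMS = {  # constructed values, not a real tenant or application
    "aud": "api://00000000-0000-0000-0000-000000000000",
    "ver": "2.0",
    "roles": ["view_only"],
}
SAMPLE_TOKEN = make_sample_jwt(SAMPLE_CLAIMS)

if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-app-id>", "<client-secret>",
                                    "api://<main-app-id>", token_version="2.0")
    print(url)
    print(body)
    claims = decode_claims(SAMPLE_TOKEN)
    print("token version:", claims.get("ver"), "| access level:", expected_access_level(claims))
    print(authorization_header(SAMPLE_TOKEN))
```

Run it as-is to see the request the Microsoft flow expects; to go live, pass the real tenant ID, client application ID and secret to build_token_request, feed the result to request_token, and check expected_access_level on the returned token before calling call_mc_api. A token whose roles claim does not contain the role you assigned in step 3 means the app-role assignment, not the MC configuration, needs fixing.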

Peculiarities and limitations

  • The Management Console does not validate the configured connection and does not test the connection to the endpoint.
  • Only these roles are officially supported: super_administrator, administrator, view_only. Custom roles also work, but are not guaranteed to work for all roles. A custom role name needs to be all lowercase, with spaces replaced by underscores.
  • An Entra ID user is forcibly logged out of the MC if their role is changed in Entra ID.
