Configure Microsoft Entra ID

Beginning with FactoryTalk Services Platform version 6.40.00, FactoryTalk Security supports Microsoft Entra ID (also known as Azure Active Directory) authentication. Microsoft Entra ID provides flexible and secure authentication in different security deployment schemes, including those requiring multi-factor authentication (MFA). Once Microsoft Entra ID has been configured in the Microsoft Azure portal, Microsoft Entra ID user groups can be used within the FactoryTalk Security system.
IMPORTANT:
Microsoft renamed Azure Active Directory (Azure AD) to Microsoft Entra ID.
Prerequisite
  • Add users to a Microsoft Entra ID user group
To configure Microsoft Entra ID
  1. Sign in to the Microsoft Azure portal at https://portal.azure.com.
  2. Register an application.
    1. On the Azure portal menu or the Home page, select Azure Active Directory.
    2. Under Manage, select App registrations, and then select New registration.
    3. On Register an application, only enter a display name for your application. Select Accounts in this organizational directory only (<Tenant name> only - Single tenant), which is the only application type that FactoryTalk Services Platform supports. Don’t set the Redirect URI at this time. You will configure it in step 5.
    4. Select Register. The app registration’s Overview pane appears, which displays your Application (client) ID and Directory (tenant) ID.
  3. Add permission to use Microsoft Graph notifications.
    1. In the left pane, select API permissions, and then select Add a permission.
    2. Under Microsoft APIs, select Microsoft Graph, and then select Delegated permissions.
    3. In the Select permissions search box, enter the word group, and then expand Group.
    4. Select Group.Read.All, and then select Add permissions. The selected permission appears under Configured permissions.
  4. Select Yes to complete the grant.
  5. Add a redirect URI. A redirect URI (reply URL) is the location where Microsoft Entra ID will send the authentication code to the application. For the FactoryTalk Services Platform Microsoft Entra ID authentication to work, do one of the following:
    Redirect URIs for mobile and desktop applications
    • Add a Redirect URI automatically:
      1. In the left pane, select Quickstart > Mobile and desktop application > Windows desktop. The Acquire a token and call Microsoft Graph API from a desktop application pane appears.
      2. Select Make this change for me, and then select Make updates.
    • Add a Redirect URI manually:
      1. Select your application and select Add a Redirect URI.
      2. Add https://login.microsoftonline.com/common/oauth2/nativeclient and ms-appx-web://microsoft.aad.brokerplugin/{client_id}.
      3. Select Save.
    Redirect URIs for Web
    1. In the left pane, under Manage, select Authentication.
    2. Under Platform configurations, select Add a platform, and then select Web.
    3. Under Redirect URIs:
      • If HTTPS is enabled, enter https://<FactoryTalk Directory computer name>:<Reverse Proxy port>/FTSecurity/api/v1/aad/redirect.
      • If HTTP is enabled, enter http://localhost:<FactoryTalk Web Authentication port>/FTSecurity/api/v1/aad/redirect. For example, http://localhost:80/FTSecurity/api/v1/aad/redirect.
    TIP:
    Redirect URIs for Web is required for web authentication from FactoryTalk-enabled products' web client to work properly, such as FactoryTalk AssetCentre version 13.00 or later web client.
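As an added example (not part of this documentation or of FactoryTalk itself), the following Python check reads an app-registration manifest as exported from the Azure portal and verifies the requirements from steps 2 through 5: single-tenant audience, both desktop redirect URIs, the FactoryTalk web redirect URI for the chosen scheme, delegated Group.Read.All on Microsoft Graph, and no reply URLs beyond that set. The Group.Read.All permission id, the host name ftdir01, the port 8443 and the sample manifest are assumptions.

```python
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app id
# Delegated Group.Read.All permission id (assumed from Graph's published IDs; verify in your tenant)
GROUP_READ_ALL_DELEGATED = "5f8c59db-677d-491f-a6b8-5f174b11c7c9"
NATIVE_CLIENT = "https://login.microsoftonline.com/common/oauth2/nativeclient"
FT_REDIRECT_PATH = "/FTSecurity/api/v1/aad/redirect"

def expected_web_uri(ft_host, port, https=True):
    # HTTPS goes via the reverse proxy on the FactoryTalk Directory host; HTTP is localhost on the web-auth port.
    if https:
        return f"https://{ft_host}:{port}{FT_REDIRECT_PATH}"
    return f"http://localhost:{port}{FT_REDIRECT_PATH}"

def check_manifest(manifest, ft_host, port, https=True):
    """Return a list of findings; an empty list means the registration matches the procedure."""
    findings = []
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("not single-tenant: signInAudience must be AzureADMyOrg")
    broker = f"ms-appx-web://microsoft.aad.brokerplugin/{manifest.get('appId', '')}"
    urls = {(r["type"], r["url"]) for r in manifest.get("replyUrlsWithType", [])}
    for need in (NATIVE_CLIENT, broker):
        if ("InstalledClient", need) not in urls:
            findings.append(f"missing desktop redirect URI: {need}")
    web_uri = expected_web_uri(ft_host, port, https)
    if ("Web", web_uri) not in urls:
        findings.append(f"missing web redirect URI: {web_uri}")
    # Any reply URL beyond the expected set widens where Entra ID may send auth codes; flag it.
    for _, url in sorted(urls):
        if url not in (NATIVE_CLIENT, broker, web_uri):
            findings.append(f"unexpected redirect URI: {url}")
    scopes = {(r["resourceAppId"], a["id"], a["type"])
              for r in manifest.get("requiredResourceAccess", [])
              for a in r.get("resourceAccess", [])}
    if (GRAPH_APP_ID, GROUP_READ_ALL_DELEGATED, "Scope") not in scopes:
        findings.append("missing delegated Microsoft Graph Group.Read.All permission")
    return findings

# Constructed sample manifest; the appId is a placeholder, not a real registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE = {
    "appId": CLIENT_ID,
    "signInAudience": "AzureADMyOrg",
    "replyUrlsWithType": [
        {"url": NATIVE_CLIENT, "type": "InstalledClient"},
        {"url": f"ms-appx-web://microsoft.aad.brokerplugin/{CLIENT_ID}", "type": "InstalledClient"},
        {"url": "https://ftdir01:8443/FTSecurity/api/v1/aad/redirect", "type": "Web"},
    ],
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": GROUP_READ_ALL_DELEGATED, "type": "Scope"}]}],
}
```

Run `check_manifest(SAMPLE, "ftdir01", 8443)` against a manifest downloaded from the registration's Manifest pane; an empty result means the registration matches the steps above.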