Starting with Resilio Connect v3.3.2, the Resilio Management Console supports sign in with Azure AD users with assigned local roles. Starting with v3.5.1 Azure API authorization is available for Resilio API.
- Configure connection to Azure AD
- Configure custom user Roles
- Configure API integration with Azure AD
- Peculiarities and limitations
Configure connection to Azure AD
1. Register an application in the Microsoft Entra admin center. For details, see Register an application.
Note: When registering an application, make sure to provide the redirect URI: https://mc_address:8443/login/azuread/redirect, where mc_address is the IP address or the hostname of your Management Console.
2. Create application roles equivalent to the user roles found in the Management Console:
- super_administrator
- administrator
- view_only
Note: For information on custom roles, see Configuring custom user roles.
3. Assign app roles to users. For details, see Assign users and groups to Microsoft Entra roles.
4. Verify the application's API permissions under Manage > API permissions. The User.Read permission is required. It should be granted automatically when creating the application. If it is not, click Add permissions > Microsoft Graph > Delegated permission, then in the Select permissions input field enter user.read and, in the User section, select the User.Read permission.
5. (Optional) Add the email claim to Token configuration, which allows you to enable e-mail notifications from MC for Azure AD users:
- In the Manage section, select Token configuration.
- Click + Add optional claim.
- Select the ID token type, then select email and click Add.
- Select the Turn on the Microsoft Graph email permission option, then click Add.
6. (Optional) Add an Application ID URI to expose an API if you plan to integrate with Resilio API:
- In the Manage section, select Expose an API.
- Next to Application ID URI, click Add.
- Click Save.
7. In the Resilio Management Console, select Settings > General > Advanced settings and set the Management Console address parameter to https://mc_address:8443 (the same mc_address as in step 1).
8. Configure the connection to Azure AD:
- In the Resilio Management Console, select Settings > General.
- In the AZURE AD AUTHENTICATION section, click Configure.
- Provide the Azure AD Authentication configuration parameters:
- Client ID - Application (client) ID of the registered Resilio application.
- Tenant ID - Directory (tenant) ID of the registered Resilio application.
- Select Use Azure AD Authentication for Users, then provide:
- Authority - https://login.microsoftonline.com/<tenant>/
- Client secret - the application's secret key used for authorizing the connection to Azure AD. You can find it under the Certificates and secrets menu, but the value is shown only at the moment you create the secret.
- Click Save.
Note: The Management Console doesn't validate or test the connection based on the provided parameters.
Once the Azure AD connection is configured, an option to sign in with Azure AD appears on the login screen.
A logged-in Azure AD user appears in the list of MC users. Such users cannot be edited from MC.
Configuring custom user roles
Custom roles also work, but are not guaranteed for all roles. A custom role name must be all lowercase with spaces replaced by underscores. Single-word roles are not supported.
1. Create a custom user group on the Management Console, for example Test Group.
2. Transform its name: replace spaces with underscores (_) and make all letters lowercase. In the example it will be test_group.
3. Create a role with that value in Azure AD and assign it to the users.
The logged-in user will appear in the corresponding group on MC.
Configure API integration with Azure AD
Starting with Resilio Connect v3.5.1 Azure API authentication can be used for MC API. Follow the steps below to configure it.
1. Register an application as instructed above. Ensure that the API URI is set under "Expose an API" for that application.
2. On the Management Console go to Settings > General > Azure AD configuration. Select the option "Use Azure AD Authentication for API" (API integration does not depend on authentication for users and can be configured separately). Provide:
- Client ID: taken from the details of the registered application.
- Tenant ID: tenant of the registered application.
- OpenID URI: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration (see the details on the API token version below; you might need to remove v2.0).
3. Register a new application, an API client daemon that will be calling the Resilio API. The client API app must be in the same tenant as the main application. Leave the redirect URI empty.
4. Go to the "Expose an API" menu and set the API URI.
5. Go to API permissions > Add a permission > My APIs. Select the main application and one of the roles created in the main application: super_administrator, administrator or view_only. That will be the access level used when calling the API.
Note: No app in the My APIs list. You may not find your application in the list. In such a case, go to Manage > Owners and check that your user has been added as an Owner of your application.
6. Go to Certificates and secrets > create a new client secret. Give it a name and copy its value right away, as it will be unavailable for copying later.
7. Recheck the supported token version. By default Resilio Connect supports token versions 1 and 2. Check in the main application's manifest which version is used (parameter accessTokenAcceptedVersion); see here for more details.
If only version 1 is supported, remove 'v2.0' from the OpenID URI in the Azure AD configuration of the Management Console.
8. Generate the token itself. You can use any well-known script or tool to generate it, or use the simple flow from Microsoft, Access token request with a shared secret. Replace the parameters from the example as follows:
- client_id = the ID of the API client application.
- scope = the API URI of the main application with /.default appended. Don't forget to encode symbols in the URI, for example scope=api%3A%2F%2F2e9f....%2F.default. If token v1.0 is used, api:// shall not be added to the scope.
- client_secret = the secret value from the API client application.
- requested URL: be sure to put the valid tenant ID. If token v1.0 is used, remove v2.0 from the URL.
You shall receive a JWT token.
9. Use the generated token to make API calls to the Management Console. Put the token in the header "Authorization: Bearer <token>".
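The request from step 8 and a pre-flight check of the returned JWT before it is used in step 9, as an added example that is not part of the original article or of Resilio's own code. It builds the client-credentials form body for token version 2 and, as the article describes, for version 1 (URL without v2.0, scope without the api:// prefix); the tenant, client and API URI values are placeholders, and the sample token is constructed locally so the block runs offline. The role check assumes the app role lands in the token's roles claim, which is where Azure AD places application roles.

```python
import base64
import json
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
MC_ROLES = ("super_administrator", "administrator", "view_only")


def build_token_request(tenant_id, client_id, client_secret, api_uri, token_version=2):
    """Return (url, form_body) for the client-credentials request of step 8."""
    if token_version == 2:
        url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
        scope = f"{api_uri}/.default"
    else:
        # Token v1.0 per the article: drop 'v2.0' from the URL and 'api://' from the scope.
        url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
        bare = api_uri[len("api://"):] if api_uri.startswith("api://") else api_uri
        scope = f"{bare}/.default"
    # urlencode percent-encodes ':' and '/' in the scope, giving api%3A%2F%2F...%2F.default
    body = urlencode({"client_id": client_id, "scope": scope,
                      "client_secret": client_secret, "grant_type": "client_credentials"})
    return url, body


def decode_jwt_claims(token):
    """Return the payload claims of a JWT. The signature is NOT verified; inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_mc_token(claims, now=None):
    """Return a list of problems; an empty list means the token carries what the MC API needs."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("ver") not in ("1.0", "2.0"):  # Resilio Connect accepts token versions 1 and 2
        problems.append("unexpected token version: %r" % claims.get("ver"))
    if not set(claims.get("roles", [])) & set(MC_ROLES):
        problems.append("no supported MC role in the 'roles' claim")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_jwt(claims):
    """Constructed, unsigned sample token for offline testing (not a real Azure AD token)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."
```

A token that passes check_mc_token is sent in step 9 as the header Authorization: Bearer followed by the token value.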
Peculiarities and limitations:
The Management Console does not validate the configured connection and does not test the connection to the endpoint.
Only these roles are officially supported: super_administrator, administrator, view_only. Custom roles also work, but are not guaranteed for all roles. Custom role names need to be all lowercase with spaces replaced by underscores.
An Azure AD user will be forcibly logged out from MC if their role is changed in Azure AD.