Home

Awesome

Setting up an AAD application to work with IoT Central

An Azure Active Directory Application is an Azure resource that deploys as part of your ecosystem and enables users with an identity to authenticate and be authorized to Azure services/resources/APIs.

Why would you need one? If there is a need to build a custom user experience as a compliment to the IoT Central user experience, e.g., a fit for purpose app for a specific type of role/usage. Alternatively, you might want to embed IoT Central functionality directly into your existing application.

Prerequisites

To complete the instructions in this guide you must have an Azure account with a Subscription and permissions to add services to that account. Click here to learn more about Azure Subscriptions.

Services to add to your Subscription

You will be adding two to three services.

* When you initially set up your Azure account, you will have a Directory created for you. You can use this directory or create a new one.

Topology

The following diagram outlines how all the services and supporting concepts are related.

Drag Racing

The sign-in account represents the identity used to create the Azure account, Subscription and Directory.

Setting up an Azure Active Directory using the Azure Portal

Creating a Directory is a lightweight exercise. Therefore, if you make a mistake delete and start again.

See also "Quickstart : Setup a tenant"

  1. Visit Azure Portal and sign-in using the admin account.

    figure1

  2. Using the global search type in ‘Azure Active Directory’ and click on result returned.

  3. Review the current directory setup. In most scenarios using the Directory created with the account is recommended. However, if you have existing AAD Applications configured to use the default directory then creating a new one is recommended as test users can be added without affecting the default Directory.

    If you are creating a new, select “Create a tenant” from the Overview section and follow the instructions in the create wizard. Ensure you select the tenant type as “Azure Active Directory”. The rest of the information required is your choice.

    figure3

Setting up the Azure Active Directory application

Creating an Application is a lightweight exercise. Therefore, if you make a mistake delete and start again.

  1. Visit Azure Portal and sign-in using the user account.

  2. Using the global search type in ‘Azure Active Directory’ and click on result returned.

  3. If you are not in the correct Directory/Tenant use the “Switch Tenant” option and select the correct Directory. This will ensure you are using the correct Directory+Subscription combination.

  4. From the left menu, select “App registrations” and “New registration” from the content area menu bar.

  5. Complete the highlighted section in the form in the following way. Select your own desired name (this is never a reference).

    figure4

  6. Register the application and on success you will be presented with an Overview of the application. Ensure the Tenant ID matches that of the logged in user’s Directory+Subscription.

    figure5

    From the Overview, there are two options that will be needed to be configured.

  7. From the left menu, select “Authentication” and then use the “Add a platform” option. This will setup the application type.

  8. From the returned options, pick “Single-page application”

    figure6

  9. From the selected result, configure the Redirect URI. This is the location AAD will return to after the user has authenticated. When configuring the client code to use this app, this will need to be matching. During the dev cycle this should be set up to return to the dev environment (port is not required and can be configured in the code). However, when deploying to production, this should be the final production Url. Please review the inline help to learn more about Redirect URI(s).

    figure7

  10. Once returned, select “API permissions” from the left menu. This allows you to add references to Azure’s set of API - Public, Org, Custom. Each API / Permission combination is known as a Scope. API providers will provide multiple Scopes. It is up to the API provider to decide how to implement each Scope within their services. Therefore, it is essential to understand the Scopes you are consuming. Microsoft Graph has an excellent Scope implementation and worth reviewing to understand more about how scopes are utilized.

  1. Select the “Add a permission” option and then “APIs my organization uses”. To find it using the search box, enter “Microsoft IoT Central”

    figure9

    Configure the Scope you wish to have access to. For IoT Central, the “user_impersonation” Scope is the only one required. You will be using “Delegated permissions”

    figure10

    Complete the form. This is the final step.

    figure11

Congratulations! You have now configurated an AAD application to use Azure IoT Central REST APIs.


Testing the AAD application setup

To test that this has been configured correctly, visit this repo and follow the setup and install instructions. You will need to use your Tenant/Directory ID and Application/Client ID from the created AAD application. The codebase is an interactive walkthrough that demonstrates the API calls and payloads returned and can be refactored in the base of your own application.

figure12