Matrix42 Self-Service Help Center

Azure Portal Configuration


This page shows how to add and register an application in the Microsoft Azure Portal and configure authentication. The configuration must be performed by an account holding at least the Application Administrator role. In addition, a one-time consent from a Global Administrator is required.

Use the Azure Active Directory / Office365 page as the starting point and introduction to the set of articles on integrating Azure with the Matrix42 Digital Workspace Platform (DWP).

Configure a client application to access web API

This quickstart shows you how to add and register an application using the App registrations experience in the Azure portal so that your app can be integrated with the Microsoft identity platform.

Register Digital Workspace Platform in AAD

An Azure App Registration is required for the further integration of the Digital Workspace Platform with Azure Active Directory. It allows the Digital Workspace Platform to import Azure Active Directory data (users and groups) and to authenticate Azure Active Directory users using the SAML2 protocol.

To register DWP in Microsoft Azure portal:

  • Navigate to the Azure AD Portal. Log in using a personal account (also known as a Microsoft Account) or a Work or School Account with permissions to create app registrations.

    If you do not have permissions to create app registrations, contact your Azure AD domain administrators.

  • If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the Azure AD tenant that you want.
  • Select the Azure Active Directory service, and then select App registrations > New registration to add a new application.
  • When the Register an application page appears, enter your application's registration information:


    • Name: Enter a meaningful application name that will be displayed to users of the app.
    • Supported account types: Select which accounts you would like your application to support.

For more information on the supported account types and their descriptions, see the Microsoft Azure Active Directory documentation.

Supported account types

Azure Active Directory (Azure AD) organizes objects like users and apps into groups called tenants. Tenants allow an administrator to set policies on the users within the organization and the apps that the organization owns to meet their security and operational policies.

Tenant types:

Single-tenant applications are only available in the tenant they were registered in, also known as their home tenant.

By default, when you register an application in the Azure Portal, only accounts in the organizational directory can access it.

Multi-tenant applications are available to users in both their home tenant and other tenants:

With this configuration, it is not possible to prevent users from one of the imported Azure Active Directory tenants from logging in to the Service Store. If you will later need to limit login access to the application to a specific tenant, use the single-tenant configuration and configure login for each tenant separately. This option is available since Matrix42 Digital Workspace Platform 10.0.1.

  • When finished, select Register.
  • Once the app is created, copy the Application (client) ID and Directory (tenant) ID from the Overview page and store them temporarily, as you will need both later. These identifiers are required for the configuration of DWP:


To add additional capabilities to your application, you can select other configuration options including branding, certificates and secrets, API permissions, and more.

Add credentials to your web application

For a web/confidential client application to be able to participate in an authorization grant flow that requires authentication (and obtain an access token), it must establish secure credentials. The default authentication method supported by the Azure portal is client ID + secret key.

From the app's Overview page, select the Certificates & secrets section.

  1. To add a client secret, follow these steps:
    • Select New client secret.
    • Add a description of your client secret.
    • Select a duration.
    • Select Add.
  2. After the screen has updated with the newly created client secret, copy the VALUE of the client secret and store it temporarily. You will need it later, as this secret is required for configuring the DWP Azure Active Directory integration.

This secret string is never shown again, so make sure you copy it now. In production apps, you should always use certificates as your application secrets, but for this sample, we will use a simple shared secret password.


Add permissions to access web API

To add permission(s) to access the resource API from your client:

  • From the app's Overview page, select API permissions.
  • Select the Add a permission button.
  • On the Request API permissions panel select Microsoft Graph.


  • Select the type of permissions used by the application to access Azure.
    • Application permissions - the application runs as a background service or daemon without a signed-in user. Ideally suited for background services such as AAD Import.
    • Delegated permissions - all requests from the integrated application (Matrix42 AAD Import) are executed on behalf of a specific signed-in user.
      Hint: make sure to pick the corresponding permission type when setting up the Service Connection in Matrix42.
  • In the "Select permissions" search box type "User".
  • Select User.Read.All.


  • Click Add permissions at the bottom of the flyout.
  • Repeat the same steps for Group.Read.All: type "Group" in the search box and select Group.Read.All.
  • When finished, select Add permissions. You will return to the API permissions page, where the permissions have been saved and added to the table.
  • Get Global Administrator consent on the selected permissions. This can be done later; the only action required from the Global Administrator is to open the target application and grant consent to the requested permissions:


Configuring Authentication with Azure AD Account

After importing AAD users, the Digital Workspace Platform can authenticate users directly in DWP with their Azure Active Directory account.

In this case, the SAML2 protocol must be configured on both the AAD and DWP sides.


Setting up SAML Application in AAD (Free Azure subscription)

Log in to the appropriate Azure Portal tenant with a user holding at least the Application Administrator role (more details about the built-in Azure AD roles can be found here).

  1. Navigate to Azure Active Directory → App Registration.
  2. Click the application registration created earlier, as described in the previous section.
  3. From the app's Overview page, select Expose API:
  4. Set the Application ID URI:
    • Single-tenant application: the Application ID URI must be equal to the domain hostname where the Digital Workspace Platform is hosted.
    • Multi-tenant application: the Application ID URI must be globally unique so that Azure AD can find the application across all tenants. Global uniqueness is enforced by requiring the App ID URI to have a host name that matches a verified domain of the Azure AD tenant.
  5. From the app's Overview page, navigate to Authentication.
  6. Click Add a Platform → Web application:
  7. Define the redirect URIs of the DWP authentication service. Azure Active Directory will redirect the user to the DWP login/logout service via these URLs:
    • Redirect URI: https://<HOST_NAME>/m42services/authorize/login
    • Logout URL: https://<HOST_NAME>/m42services/authorize/logout
  8. Navigate to Azure Active Directory → App Registration.
  9. Navigate to the Overview page and click Endpoints. Store the URLs of the identity provider and the sign-on/sign-out endpoints.
    These URLs need to be entered in the Digital Workspace Platform configuration as follows:
    Azure Portal (Free Subscription)   →  DWP settings & corresponding fields
    WS-Federation sign-on endpoint     →  Identity Provider ID
    SAML-P sign-on endpoint            →  Single Sign-on URI Endpoint
    SAML-P sign-out endpoint           →  Single Sign-out URI Endpoint
  10. To get the Identity Provider Certificate, open the Federation Metadata Document URL in any browser.
  11. Store the Identity Provider Certificate: use the “x509Certificate” value from the Federation Metadata Document XML file just opened. This certificate is required for the Digital Workspace Platform configuration. There are several certificates under the same tag in the file; the first one is expected to work, for example:

Proceed to Matrix42 Digital Workspace Platform configuration:

In a multi-tenant configuration, when a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application:



Setting up SAML Application in AAD (Premium P2 license)

Log in to the appropriate Azure Portal tenant with a user holding at least the Application Administrator role (more details about the built-in Azure AD roles can be found here).

Azure and Office 365 subscribers need to purchase an Azure Active Directory Premium P2 license for the following feature.

  1. Navigate to Azure Active Directory → Enterprise Applications.
  2. Create a new “Non-gallery” application. It will be used to integrate SAML2 authentication on the Azure side.
  3. After creating the application, navigate to Manage → Single Sign-on.
  4. Select the "SAML" single sign-on method:


5. On the Single sign-on page, set up Single Sign-On with SAML. This requires the following information about your DWP application endpoints:

  • Identifier (Entity ID): usually the hostname of your DWP application, e.g. https://<discoveryHostName>
  • Reply URL: the value depends on your Matrix42 system version. For more details, see the Universal STS/SAML2 for all WM applications: ACS URL value section.
  • Sign on URL: the URL the user is redirected to after sign-on, e.g. https://<discoveryHostName>/wm
  • Logout URL: https://<discoveryHostName>/M42Services/api/sts/logout/


6. Save the configuration.

7. Edit User Attributes & Claims. Define user.mail as the source attribute for the claim, so that DWP and Azure AD users are matched via the email address:


8. Click Save.

9. Download the Federation Metadata XML. It will be used later for the configuration on the DWP side:


10. Store the URLs of the identity provider and the sign-on/sign-out endpoints:

These URLs need to be entered in the Digital Workspace Platform configuration as follows:

Azure Portal (Premium Subscription)   →  DWP settings & corresponding fields
Azure AD Identifier                   →  SAML2 Identity Provider ID
Login URL                             →  Single Sign-on URI Endpoint
Logout URL                            →  DWP: Single Sign-out URI Endpoint
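The following Python script is an added example, not part of this article or the Matrix42 product: it reads a federation metadata document (the one downloaded in step 9 here, or the Federation Metadata Document opened in step 11 of the free-subscription procedure) and extracts the values the mappings above ask for, namely the entityID (Azure AD Identifier), the sign-on and sign-out endpoint URLs, and every signing certificate under X509Certificate in document order, with a SHA-1 thumbprint that can be compared against the thumbprint shown in the portal. The sample metadata is constructed; TENANT_ID and the certificate contents are placeholders, not values from a real tenant.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for the base64 DER certificates found in a real document.
CERT_A = base64.b64encode(b"constructed-signing-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-signing-cert-B").decode()
# Constructed, minimal metadata in Azure AD's layout; tenant id and hosts are placeholders.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/TENANT_ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{CERT_A}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{CERT_B}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT_ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/TENANT_ID/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT_ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Map a federation metadata document onto the DWP fields the article lists."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not an identity provider metadata document")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # Only signing keys (use="signing" or no 'use') validate SAML responses; skip encryption keys.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            b64 = "".join(cert.text.split())                      # tolerate line-wrapped base64
            der = base64.b64decode(b64, validate=True)             # fails loudly on a mangled paste
            certs.append({"base64": b64, "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper()})

    def redirect_location(tag):
        # Azure AD lists the same Location under several bindings; take HTTP-Redirect, else the first.
        services = idp.findall(f"{{{MD}}}{tag}")
        preferred = [s for s in services if s.get("Binding") == REDIRECT] or services
        return preferred[0].get("Location") if preferred else None

    return {
        "identity_provider_id": root.get("entityID"),           # Azure AD Identifier
        "single_sign_on_uri": redirect_location("SingleSignOnService"),
        "single_sign_out_uri": redirect_location("SingleLogoutService"),
        "signing_certificates": certs,                          # first entry = the one the article uses
    }
```

Run it against a real downloaded metadata file (replace SAMPLE_METADATA with the file contents) to get the values to paste into the DWP fields; the thumbprint check helps catch a certificate that was copied incompletely.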


11. Assign users to the application or disable user assignment in the application properties via Manage → Properties:


Proceed to Matrix42 Digital Workspace Platform configuration:
