Configuring Azure Active Directory with FME Server
In order for FME Server to communicate with Azure AD, you must create and register FME Server as an enterprise application in Azure AD.
Note:
In most cases, Azure AD requires the redirect URI for FME Server to begin with https. To configure FME Server to use HTTPS, see Configuring for HTTPS.
For more information about application management in Azure AD, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management.
- From the Azure Active Directory portal, select Manage > App registrations > + New Registration, and complete the following fields:
- Name: Provide a name for the registration, such as FMEServer.
- Supported Account Types: Specify whether to allow FME Server to interact with a single Azure AD tenant or multiple Azure AD tenants.
- Redirect URI:
- type: Web
- URI: <FMEServerWebURL>/fmesso/azuread/redirect, where <FMEServerWebURL> is the fully-qualified hostname for your FME Server, including both the hostname and domain. For example: https://fmeserver.domain.com/fmesso/azuread/redirect
Note: In most cases, Azure AD requires URI to begin with https. To configure FME Server to use HTTPS, see Configuring for HTTPS.
- Click Register.
- An overview page of the application registration opens. Navigate to Overview > Essentials, and record the Application (client) ID and Directory (tenant) ID.
- Navigate to Certificates & secrets, and select + New client secret.
- Record the client secret.
- (Optional) Navigate to Authentication > Web > Add URI, and add any other necessary URI redirects, according to the format specified above for Redirect URI.
- Navigate to API permissions, and select + Add a permission. Add the following permissions:
- Microsoft Graph > Application permissions > Group.Read.All, User.Read.All
- Microsoft Graph > Delegated permissions > User.Read
- Grant admin consent for Name.
WARNING: The client secret cannot be viewed after this step.
Note: Admin consent is required to proceed, and can be granted only by an Azure AD admin.
What's Next?
Proceed to Creating an Authentication Service Connection.