Connect Microsoft Entra ID with Relution

Introduction

By connecting Microsoft Entra ID with Relution, you create the foundation for Microsoft-based integrations in your organization. This includes, for example, connecting Windows devices and using additional Microsoft services together with Relution. In addition, users and groups from Microsoft Entra ID can be synchronized with Relution. This allows user accounts to be managed centrally in Microsoft and automatically provisioned in Relution. In order for synchronized users to sign in to Relution afterwards, OIDC authentication must also be configured. If access is to be secured using Conditional Access, both the connection to Microsoft Entra ID and the configuration of OIDC are required. The required settings are configured partly in Relution and partly in the Microsoft Entra admin center.

Requirements

The following requirements must be met in order to connect Microsoft Entra ID with Relution:

  • an existing Microsoft Entra ID or Azure environment
  • sufficient permissions in Microsoft Entra, usually the Global Administrator role
  • a reachable Relution server
  • the Relution server URL, which will later be stored in Microsoft Entra

Open the connection settings in Relution

In the Relution portal, you can find the setup area under Settings > User management > Entra ID. There, a guide supports you in configuring and connecting Microsoft Entra.

[Screenshot: opening the Entra ID connection in the Relution settings under User management]

Add the MDM application

First, a new MDM application is created in Microsoft Entra and completed with the details from the Relution guide.

[Screenshot: creating and configuring a new MDM application in Azure Active Directory]

Add the domain of the corresponding Relution server in Microsoft Entra ID under Custom domain names. This may take some time. Further information can be found in the Microsoft documentation.

[Screenshot: adding the custom domain of the Relution server in Azure Active Directory]

Under Mobility (MDM and MAM), the desired MDM application is then added and enabled:

[Screenshot: enabling the MDM application under Mobility in Azure Active Directory]

  1. Select the On-Premises MDM application tile in the lower right.
  2. Assign a name.
  3. Click Add.

[Screenshot: selecting and naming the On-Premises MDM application in Azure]

The new MDM application is then configured with the details from the Relution guide:

  4. Select the desired setting for MDM user scope.
  5. Enter the URL for the MDM terms of use from Relution:
     https://serverurl/api/device/v1/windows/termsOfUse
     Microsoft queries this URL before each enrollment. No webpage is opened.
  6. Enter the MDM discovery URL:
     https://serverurl
  7. Click Save.

[Screenshot: configuring the MDM user scope and discovery URL for Relution in the Azure MDM application]

Configure the MDM application settings

After the new MDM application has been created, the local MDM application settings can be configured in Microsoft Entra. The following values from Microsoft Entra must be transferred to the Relution guide:

  1. Application (client) ID
  2. Directory (tenant) ID
  3. Value of the Client secret

[Screenshot: copying the application ID and directory ID of the Azure MDM application for Relution]

Then click Application ID URI in the local MDM application settings to edit it.

[Screenshot: editing the Application ID URI of the Azure MDM application]

In the following view, enter the corresponding server URL as the Application ID URI.

[Screenshot: entering the server URL as the Application ID URI in the Azure MDM application]

Next, add a Client secret under Certificates & secrets:

  4. Click New client secret in the Client secrets tab.
  5. In the Add a client secret dialog, enter a description and select the validity period.
  6. Click Add.

If the validity period expires, the connection is no longer available and Relution can no longer communicate with Microsoft Entra. In this case, a new Client secret must be created for the application in Microsoft Entra and transferred again to Relution.

[Screenshot: adding a client secret under Certificates & secrets in Azure]

The new entry is then displayed in the list under the Client secrets tab. The corresponding Value is displayed only once and must be copied immediately and transferred to Relution.

Configure API permissions

In the next step, the API permissions are configured:

[Screenshot: configuring the API permissions of the Azure MDM application for Relution]

Additional permissions may need to be added later if further Microsoft functions are used in the future. The following settings must be configured in Microsoft Entra:

  1. Under API permissions > Configured permissions, click Add a permission.
  2. In the Request API permissions dialog, select Microsoft Graph under Microsoft APIs.
  3. In the next step, select the Application permissions tile.
  4. Select User.Read.All for User.
  5. Select Group.Read.All for Group.
  6. Select Device.ReadWrite.All for Device and confirm the selection with Add permissions.

[Screenshots: selecting Microsoft Graph under Microsoft APIs, choosing Application permissions, and adding the User.Read.All, Group.Read.All and Device.ReadWrite.All permissions in Azure]

For newly added API permissions, an exclamation mark is initially shown as the status. An administrator must grant consent once so that the application actually receives the Microsoft Graph permissions. Afterwards, the status is displayed with a green check mark as Granted, and the permissions are active.

[Screenshot: API permissions shown as granted in Azure after administrator consent]
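As an added check that is not part of the Relution guide or product, the following script requests an app-only token for the MDM application using the Application (client) ID, Directory (tenant) ID and Client secret transferred above, and verifies that the three Microsoft Graph application permissions appear in the token's `roles` claim, which only happens once admin consent has been granted; an expired client secret fails at the token request itself. The tenant, client ID and secret are placeholders, and the sample token used for the offline run is constructed for illustration.

```python
"""Verify that the Entra ID app registration used by Relution holds the Graph
application permissions this guide requires and that admin consent was granted.
Hypothetical helper script; placeholder values only."""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions from the API permissions step of this guide.
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All", "Device.ReadWrite.All"}


def request_graph_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the Entra ID v2.0 token endpoint (network call).
    An expired or wrong client secret makes this request fail with HTTP 401."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def token_roles(access_token: str) -> set:
    """Return the `roles` claim of a JWT. Only the payload is decoded; the signature
    is not verified because this is a configuration check on a token we requested."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def missing_roles(access_token: str) -> set:
    """Required Graph application permissions that are not (yet) on the token,
    i.e. not added or not admin-consented in the Entra admin center."""
    return REQUIRED_ROLES - token_roles(access_token)


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token for offline runs and tests only."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    payload = b64({"aud": "https://graph.microsoft.com", "roles": roles})
    return f"{header}.{payload}.signature"


if __name__ == "__main__":
    # Live check (placeholders): token = request_graph_token("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
    token = make_sample_token(["User.Read.All", "Group.Read.All"])  # consent for Device missing
    print("missing permissions:", sorted(missing_roles(token)))
```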

Define the redirect URI

Following the Relution guide, the Redirect URI is then configured in Microsoft Entra:

[Screenshot: adding an authentication platform for the redirect URI in Azure]

  1. Under Authentication, click Add a platform.
  2. In the Configure platforms dialog, select the Web tile.
  3. In the next step, under Web, enter the server URL in Add a Redirect URI.
  4. Disable the ID tokens checkbox.
  5. Click Save.

[Screenshots: selecting Web as the platform type for the redirect URI in the Azure app registration, entering the server URL as the redirect URI and disabling ID tokens, and checking the device settings in Azure Active Directory for Autopilot enrollment]

This completes the setup in Microsoft Entra.

Select the Relution service options and complete the setup

In the Relution guide, you can optionally choose whether Microsoft Entra ID users and Microsoft Entra ID groups should be synchronized with Relution.

[Screenshot: enabling synchronization of Azure AD users and groups with Relution]

Click Save to complete the setup and connection of Microsoft Entra ID in Relution.

Summary

After completing these steps, Microsoft Entra ID is connected with Relution. This allows users and groups from Microsoft Entra ID to be synchronized with Relution and enables the use of additional Microsoft-related functions. In order for synchronized users to sign in to Relution, OIDC authentication must also be configured. This also applies to the use of Conditional Access.