Azure AD Connect Registration

I have been running through setting up an Azure AD connection with a customer, and have hit a snag.

Steps Completed:

1. Joined Starling

2. Set up Connect, and created Azure AD Connector

3. Created an App Registration on Azure with the Read/Write permissions for User, Directory, and Group as per the documentation.

4. Successfully tested the Connector on Starling, and added the Registered Connector on SPP.

Now when we try to create an asset, we see Azure AD as an option thanks to our Connector. However, testing the connection gives this error:

AD failed with error: Starling Connect API Failure : BadRequest / {  "success": false,  "informationMessages": [    "Insufficient app registration roles to complete this operation"  ]}. Saving task results. Task completed with failure.

There doesn't seem to be any up-to-date documentation on what permissions or roles are needed. What else needs to be done to get this connection working? Permissions we gave were the following:

  • As per the Starling Connect admin guide here:
    https://support.oneidentity.com/technical-documents/starling-connect/hosted/one-identity-manager-administration-guide/46#TOPIC-1359015

    Azure AD connector for Safeguard for Privileged Passwords

    • For Safeguard for Privileged Passwords, you must assign at least the Helpdesk Administrator role for the application created, but should assign a higher role if you want to manage special accounts (for example, Billing Administrator or Global Administrator).

    • For Safeguard for Privileged Passwords, the Azure AD application registration must be public.


    The Helpdesk Administrator role here is for the Application ServicePrincipal user, which can be added by going to Azure AD > Roles and Administrators > Search for the Helpdesk Administrator > Click on the role > Add Assignments > Search by typing the Enterprise App Name, then select the App's ServicePrincipal (which is listed with the same name as the App) and click Add.

    To make the application registration public:
    Go to App Registration > Select the application > Expand Manage > Authentication > scroll down to Allow public client flows > set Enable the following mobile and desktop flows: to Yes > Save

    Thanks!
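The reply above sets out two prerequisites: the Helpdesk Administrator directory role on the app's service principal, and "Allow public client flows" on the app registration. The following script is an added example, not from the original post or from One Identity's documentation, that checks both with the Microsoft Graph PowerShell SDK before you test the asset in SPP. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the read-only scopes used, and that $AppDisplayName (the placeholder 'CONTOSO-Starling-Connector' is invented) is the display name of your app registration. It also lists every activated directory role the service principal holds, so an assignment broader than the guide calls for (such as Global Administrator) is visible rather than silently left in place.

```powershell
# Added example (not from the original post or One Identity documentation):
# verifies the two prerequisites described in the reply for a Safeguard / Starling
# Connect Azure AD connector app registration, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller can consent to the read-only
# scopes below; $AppDisplayName is the app registration's name (placeholder value).
param(
    [string]$AppDisplayName = 'CONTOSO-Starling-Connector'  # placeholder, not from the post
)

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# 1. Resolve the app registration and its enterprise app (the service principal
#    that the Helpdesk Administrator role must be assigned to).
$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "No app registration named '$AppDisplayName' in this tenant." }
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { throw "App registration exists but has no service principal (enterprise app)." }

# 2. The portal toggle "Allow public client flows" is the application's
#    isFallbackPublicClient property; null counts as not enabled.
$isPublic = [bool]$app.IsFallbackPublicClient
Write-Host ("Public client flows enabled : {0}" -f $isPublic)

# 3. Check the Helpdesk Administrator role. Get-MgDirectoryRole only returns roles
#    that have been activated in the tenant, so resolve the role template first;
#    if no activated instance exists, nobody (including this SP) holds the role.
$wanted   = 'Helpdesk Administrator'
$template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $wanted
$role     = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
$hasRole  = $false
if ($role) {
    $memberIds = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id).Id
    $hasRole   = $memberIds -contains $sp.Id
}
Write-Host ("{0} on SP : {1}" -f $wanted, $hasRole)

# 4. Least-privilege view: every activated directory role this SP is a member of,
#    so an over-broad grant (for example Global Administrator) is easy to spot.
$held = foreach ($r in Get-MgDirectoryRole) {
    if ((Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id).Id -contains $sp.Id) { $r.DisplayName }
}
if (-not $held) { $held = @('(none)') }
Write-Host ("All directory roles held    : {0}" -f ($held -join ', '))

# 5. Summarise: either missing prerequisite matches the symptom in the question.
if (-not $isPublic -or -not $hasRole) {
    Write-Warning "Prerequisite missing; Starling Connect is expected to return 'Insufficient app registration roles'."
} else {
    Write-Host "Both prerequisites present; retest the asset connection in SPP."
}
```

Run it interactively after registering the app and before testing the asset; the role check deliberately goes through the role template because a tenant that has never activated Helpdesk Administrator will return nothing from Get-MgDirectoryRole for that role, which is easy to misread as a permissions problem in the script rather than a missing assignment.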
