.. _ms-shared-central-app-registration:

Shared central app registration 
-----------------------------------

.. _24.2|EKB-21842:
.. _24.2-PB2|EKB-23669:
.. _25.1|EKB-24169:


Introduction
...............

This topic describes how to set up shared central application (app) registration authentication 
for Microsoft Graph, Microsoft Teams PowerShell, and Microsoft Exchange PowerShell, for a new Microsoft 
tenant. This task includes assigning permissions and roles.

Your authentication methods and permissions come from the central app registration. Roles must be assigned to the app registration manually.

When you add a new tenant and want to use Microsoft Exchange, you must either generate a 
certificate or import an existing certificate, and have Automate manage it. Automate pushes the 
certificate to the PowerShell proxy.

* To generate a certificate in Automate, see :ref:`generate-cert-for-app-reg`
* To use an existing certificate, see :ref:`upload-own-cert-app-management`
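The three sessions this topic sets up (Microsoft Graph, Teams PowerShell and Exchange Online PowerShell) all sign in with the same app registration and certificate. The script below is an added example, not VOSS Automate code or anything Automate runs on the PowerShell proxy: it checks that the certificate is present, unexpired and has a private key before connecting, then opens the three app-only sessions. The client ID, tenant ID, organization domain and thumbprint are placeholders, and the module names (``Microsoft.Graph``, ``MicrosoftTeams``, ``ExchangeOnlineManagement``) are assumed to be installed.

```powershell
# Added example (not VOSS code): certificate-based, app-only sign-in to Graph,
# Teams PowerShell and Exchange Online PowerShell with one central app registration.
# All four values below are placeholders for this example.
param(
    [string]$ClientId     = '00000000-0000-0000-0000-000000000000', # app (client) ID of the central app
    [string]$TenantId     = '11111111-1111-1111-1111-111111111111', # customer tenant that granted consent
    [string]$Organization = 'customer.onmicrosoft.com',             # initial domain of that tenant (Exchange)
    [string]$Thumbprint   = 'REPLACE_WITH_CERT_THUMBPRINT'          # thumbprint of the app certificate
)

# 1. A missing, expired, or private-key-less certificate is the usual cause of a
#    failed app-only sign-in, so check the machine store before connecting.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; app-only sign-in will fail"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
}
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Certificate $Thumbprint expires in $daysLeft days; plan the renewal"
}

# 2. Microsoft Graph: app-only (no signed-in user), authenticated by the certificate.
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $Thumbprint -NoWelcome
$ctx = Get-MgContext
"Graph: tenant $($ctx.TenantId), auth type $($ctx.AuthType)"

# 3. Teams PowerShell: same app and certificate. Requires the Teams Administrator
#    role to be assigned to the app in the customer tenant.
Connect-MicrosoftTeams -ApplicationId $ClientId -TenantId $TenantId -CertificateThumbprint $Thumbprint

# 4. Exchange Online PowerShell identifies the tenant by its initial domain rather
#    than by tenant ID. Requires the Exchange Administrator role on the app.
Connect-ExchangeOnline -AppId $ClientId -Organization $Organization `
    -CertificateThumbprint $Thumbprint -ShowBanner:$false
```

Run it on a Windows host where the certificate has been imported into the local machine store (the PowerShell proxy, in Automate's case). Each ``Connect-*`` call fails with an authentication error rather than a silent fallback if the role for that workload has not been assigned, which is the quickest way to tell a consent problem from a role-assignment problem.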


.. note:: 

   Microsoft requires that you use app registration for 
   authentication. If you wish to use basic authentication with service account credentials, please contact 
   VOSS support for assistance. Until Microsoft implements changes to their resource account infrastructure, 
   basic auth is required to create, update, and delete resource accounts. List (import/sync) of resource 
   accounts is supported with app registration authentication in Automate 24.1.




.. _central-app-registration:

About shared central app registration 
..........................................

In shared central app registration, either VOSS (for hosted and general customers) or a Service Provider Partner 
(in a reseller environment) builds and maintains the app registration in their own Microsoft Entra ID tenant, 
and performs organizational and application validation with Microsoft. 
   
Users from multiple tenants/Entra ID organizations are allowed to leverage the application.
   
VOSS or the Service Provider Partner (SPP) provides the customer with an admin grant link, for example, 
``https://login.microsoftonline.com/common/adminconsent?client_id={client-id}``. 
   
The customer clicks on the link and agrees, using their Global Admin user. Then they need to assign the 
Teams and Exchange Administrator roles to the application, like any other user in Entra ID. 
   
VOSS or the SPP maintains the certificate and/or secrets securely, and ensures that they're added to 
VOSS when renewal is required. 
   
Once updated, PowerShell proxies automatically receive the updated certificates from Automate. These 
settings are maintained at a global or reseller level in Automate, with customer/tenant-level overrides, 
if required. 

 
Configure shared central app registration
............................................

This procedure configures Central App Auth and assigns the Teams Administrator role and the Exchange 
Administrator role (if you're using MS Exchange) to the app.



1. Authorize the app in the relevant Microsoft tenant by opening the admin consent link below (the VOSS hosted app) as a Global Admin; this adds Central App to your tenant: 

   ``https://login.microsoftonline.com/common/adminconsent?client_id=bbaa714a-a571-4d13-a6e1-4758621b7460``

2. Assign the *Teams Administrator* role and the *Exchange Administrator* role to the app: 

   a. Go to the **Entra ID** section of the Microsoft Azure Portal:

      ``https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview``

   b. Navigate to **Roles & Administrators**.

      |image0|

   c. Search for *Teams Administrator*. 

      |image1|

   d. Open **Teams Administrator**, then click **Add Assignments**.

      |image2|

   e. Select **No member selected**.

      |image3|

   f. Search for *VOSS*, then select the checkbox for **VOSS Automate App**.

      |image4|

   g. Click **Next**.

   h. At **Enter justification**, fill out a reason for the assignment in the text field. 

      .. note:: 
      
         You can add any description in this field.

      |image5|

   i. Click **Assign**.

      The new assignment may take a few minutes to complete before it appears in the assignment list (**Teams 
      Administrator | Assignments**).

   j. Repeat steps 2b to 2i, but this time search for the *Exchange Administrator* role instead of 
      *Teams Administrator*, and complete the assignment from the **Exchange Administrator | Assignments** page.

3. Install the certificate on the Automate server. 

   .. note:: 

      If you're using VOSS (hosted) Central App, the "Default Central App Authentication" 
      certificate is already installed. 

      When the certificate expires, you can replace it by uploading a new PFX file containing the 
      replacement certificate/key pair. When upgrading, the 
      "Default Central App Authentication" certificate is automatically updated.

4. Configure the Automate Microsoft tenant with the Tenant ID of the customer tenant in which you 
   granted consent earlier, along with the App ID (Client ID) and certificate, as required.

   For example, for VOSS Central App customers:  

   * App Name: VOSS Automate Central App
   * Client Id: bbaa714a-a571-4d13-a6e1-4758621b7460
   * App Created Date Time: 6/4/2024 3:24:31 PM
   * Certificate Thumbprint: 2BF36F11BE9317C9217BE6847BEDXXXXXXXXXXXX
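After consent and role assignment, the customer's admin can confirm from their own tenant exactly what the central app was granted. The following script is an added example, not VOSS code or part of the procedure: it signs in interactively with read-only Graph scopes, checks that a service principal for the app exists (which is what admin consent creates), lists the directory roles the service principal holds, and warns about roles that are missing from, or in addition to, the two the procedure assigns. The client ID is the VOSS hosted app ID shown above; the expected role set and the read-only scopes are assumptions of this example.

```powershell
# Added example (not VOSS code): verify consent and role assignment for the
# central app from the customer's tenant. Run as the customer's Global Admin.
$ClientId      = 'bbaa714a-a571-4d13-a6e1-4758621b7460'          # VOSS hosted app, from the procedure
$ExpectedRoles = @('Teams Administrator', 'Exchange Administrator') # assumed expected set

# Delegated, interactive sign-in with read-only scopes: enough to inspect
# service principals and directory role membership, nothing more.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# 1. Admin consent creates a service principal for the app in this tenant.
#    No service principal means the consent link was never completed here.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) {
    throw "No service principal for appId $ClientId: admin consent has not been granted in this tenant"
}
"Service principal: $($sp.DisplayName) ($($sp.Id))"

# 2. Collect the directory roles the service principal is a member of. Only roles
#    that have been activated in the tenant are returned, which is sufficient here.
$assigned = foreach ($role in Get-MgDirectoryRole -All) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -contains $sp.Id) { $role.DisplayName }
}

# 3. Compare with the intended set. Missing roles break Teams/Exchange management;
#    extra roles are over-privilege and should be removed.
$missing = $ExpectedRoles | Where-Object { $_ -notin $assigned }
$extra   = $assigned      | Where-Object { $_ -notin $ExpectedRoles }
foreach ($r in $missing) { Write-Warning "Expected role not assigned to the app: $r" }
foreach ($r in $extra)   { Write-Warning "Unexpected role assigned to the app: $r" }
if (-not $missing -and -not $extra) { 'Role assignment matches the expected set.' }

# 4. Show the application permissions (app roles) this tenant consented to, so the
#    Graph grant can be reviewed alongside the directory roles.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

The role check only sees active (permanent) assignments made as in step 2 above; if your tenant uses PIM eligible assignments they will not appear in ``Get-MgDirectoryRoleMember`` and would need to be reviewed in the PIM blade instead. Keeping this script with your change record for the tenant gives you a repeatable check when the certificate is renewed or the app is re-consented.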





.. |image0| image:: /src/images/CentralAppRegistration_html_43f36466abbbb69d.png
.. |image1| image:: /src/images/CentralAppRegistration_html_a68bfc492999833e.png
.. |image2| image:: /src/images/CentralAppRegistration_html_706a6147e0a14df0.png
.. |image3| image:: /src/images/CentralAppRegistration_html_9563d320e64047dc.png
.. |image4| image:: /src/images/CentralAppRegistration_html_9a6e3ab314819adb.png
.. |image5| image:: /src/images/CentralAppRegistration_html_7a82226406fc258b.png
.. |image6| image:: /src/images/CentralAppRegistration_html_9161fb3c38049343.png
.. |image7| image:: /src/images/CentralAppRegistration_html_d93799c49ae3f582.png
.. |image8| image:: /src/images/tenant-AppRegistration-8.png
.. |image9| image:: /src/images/tenant-AppRegistration-9.png
.. |image10| image:: /src/images/tenant-AppRegistration-10.png
.. |image11| image:: /src/images/tenant-AppRegistration-11.png
.. |image12| image:: /src/images/tenant-AppRegistration-12.png
.. |image13| image:: /src/images/tenant-AppRegistration-13.png



