Register ControlSuite in Azure Active Directory

Registering ControlSuite in Azure AD establishes a trust relationship between ControlSuite and the Microsoft identity platform.

To register ControlSuite in Azure AD, do the following:
  1. Sign in to the Azure portal.
  2. In the main navigation menu, select Azure Active Directory. You can also use the Search feature.
  3. Under Manage, select App registrations > New registration.
    1. Enter the display Name of the application. For example, ControlSuite. This is a user-facing name and can be changed at any time.
    2. The auto-generated application (client) ID, not its display name, uniquely identifies your app within the identity platform. This is important data needed when configuring ControlSuite.
    3. From the Supported account types section, specify who can use this application or has access to this API.
    4. Do not enter anything in the Redirect URI (optional) section as this will be configured after registration.
    5. Select Register to complete the initial app registration.
    6. An App registrations overview pane opens displaying the application information.
    7. Click Save.
  4. Under Manage > Authentication > Advanced settings, enable the Allow public client flows option.
  5. Under Manage > Authentication > Redirect URI, select Web from the Type drop-down list, and add the following redirect URIs:
    • DWS Web Admin: https://<server>/DwsMain/WebAdmin/app. Replace '<server>' with the network address of DWS Web Admin. This can be a hostname or an IP address. Providing the port number is not necessary.
    • DRS Web Admin: https://<server>/Login/OAuth2Redirect. The scheme (HTTP/HTTPS) and port must be the same as those configured in Device Configuration Manager. Replace '<server>' with the network address of DRS Web Admin. This can be a hostname or an IP address. Providing the port number is not necessary.
    • Equitrac Web Client: https://<server>/EQWebClient/Login/OAuth2Login. Replace '<server>' with the network address of Equitrac Web Client. This can be a hostname or an IP address. Providing the port number is not necessary.
    • Equitrac Windows Workstation Client: https://localhost:4940/Public/EQSharedEngine/OAuth2Login.
      Workstation Client can be configured to use HTTP URL. In that case use http://localhost:4940/Public/EQSharedEngine/OAuth2Login. (See Configure Azure AD login URL in the Kofax Equitrac Client Installation Guide)
    • Business Connect login: https://<server>:<port>/mobileserver/api/externalauth/logincompleted. Replace '<server>' and '<port>' with the values from the configured Business Connect server URL.
    • Business Connect Admin: https://<server>:<port>/AdminTool/ExternalAuth/LoginCompleted. Replace '<server>' and '<port>' with the values from the configured Business Connect server URL.
      Select the ID tokens (used for implicit and hybrid flows) checkbox in the Implicit grant and hybrid flows section when setting up URIs for Business Connect.
    • AutoStore: https://<server>:<port>/. The port must be the same as configured in the Interactive Capture component's Preferences tab. If you have multiple AutoStore servers configured to use Azure Active Directory authentication in your deployment, then each one is listed here.
    • Output Manager: https://localhost:8069/OM/ExternalAuth/LoginCompleted.
  6. Go to Manage > Certificates & secrets to generate a client secret:
    1. Under Client secrets, click New client secret.
    2. Enter a description of the secret and an expiry date and click Add. After saving the client secret, its value is displayed. This information is needed when configuring ControlSuite.
  7. Go to Manage > API permissions to give API permissions to the application:
    1. Under Configured permissions, click Grant admin consent for …
    2. Set the following permissions:
      • Microsoft.Graph.Domain.Read.All – Both Application and Delegated type
      • Microsoft.Graph.Group.Read.All – Both Application and Delegated type
      • Microsoft.Graph.User.Read.All – Both Application and Delegated type
  8. Go to Manage > App roles to create an application role for 'ControlSuite.Admin'.

    Application roles are used to assign permissions to users. Users in ControlSuite.Admin are administrators of all ControlSuite products (AutoStore, Business Connect, Equitrac, and Output Manager).

    1. Click Create app role and set the following:
      • Display name - This is the name for the app role that appears in the admin consent and app assignment experiences. For example: ControlSuite Admin.
      • Allowed member types - Select Users/Groups.
      • Value - Enter ControlSuite.Admin. This is the name of the Azure AD application role needed for administrative permissions in ControlSuite. This name is case sensitive and must be entered as 'ControlSuite.Admin'.
      • Description - A description of the app role displayed during admin app assignment.
      • Do you want to enable this app role? - Select this checkbox to enable the app role. Uncheck it to delete the role.
    2. Click Apply.
  9. In the main navigation menu, go to Azure Active Directory > Manage > Enterprise applications to assign the application role to a user.
    1. Open the ControlSuite application.
    2. Select Assign users and groups.
    3. Select Add user/group.
    4. Select Users and choose a user from the list.
    5. Select Role and choose a role for the user (e.g. 'ControlSuite.Admin').
    6. Click Assign.
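The settings in this procedure are easy to get subtly wrong: a '<server>' placeholder left in a redirect URI, an http URI on something other than the localhost Workstation Client, a Business Connect URI without its port, ID token issuance left off for Business Connect, the public client flows option left disabled, or the app role value entered in the wrong case. Azure AD matches redirect URIs exactly, so such mistakes surface only as login failures. As an added example that is not part of this guide or of ControlSuite, the following Python script audits a registration against the rules stated in the steps above. It assumes the registration has been exported in the shape of the Microsoft Graph application resource (web.redirectUris, web.implicitGrantSettings.enableIdTokenIssuance, isFallbackPublicClient, appRoles); the two registrations embedded in it are constructed sample data, and the Graph permission assignments from step 7 are not checked because Graph stores them as resource and scope IDs.

```python
"""Offline audit of a ControlSuite app registration against the rules in
this guide. Input shape follows the Microsoft Graph 'application' resource
(assumption); the sample registrations below are constructed test data."""
from urllib.parse import urlsplit

ADMIN_ROLE_VALUE = "ControlSuite.Admin"  # case sensitive, per step 8

# Paths of the two Business Connect redirect URIs (compared lower-case).
BUSINESS_CONNECT_PATHS = {
    "/mobileserver/api/externalauth/logincompleted",
    "/admintool/externalauth/logincompleted",
}


def check_redirect_uri(uri):
    """Return a list of findings for one redirect URI (empty list means OK)."""
    findings = []
    if uri != uri.strip():
        findings.append(f"{uri!r}: surrounding whitespace; redirect URIs are matched exactly")
    if any(ch in uri for ch in "<>*"):
        findings.append(f"{uri}: placeholder or wildcard left in the URI")
        return findings
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        # Plain http is documented only for the localhost Workstation Client URI.
        if host != "localhost":
            findings.append(f"{uri}: plain http is only acceptable for the localhost Workstation Client URI")
    elif parts.scheme != "https":
        findings.append(f"{uri}: scheme must be https")
    if parts.fragment:
        findings.append(f"{uri}: a fragment is not allowed in a redirect URI")
    try:
        port = parts.port
    except ValueError:
        findings.append(f"{uri}: port is not numeric")
        return findings
    # Business Connect URIs are documented with an explicit <port>.
    if parts.path.lower() in BUSINESS_CONNECT_PATHS and port is None:
        findings.append(f"{uri}: Business Connect URI must carry an explicit port")
    return findings


def audit_app_registration(app):
    """Return all findings for a registration; an empty list means it passes."""
    findings = []
    web = app.get("web", {})
    uris = web.get("redirectUris", [])
    if not uris:
        findings.append("no redirect URIs configured")
    for uri in uris:
        findings.extend(check_redirect_uri(uri))
    if len(set(uris)) != len(uris):
        findings.append("duplicate redirect URIs")
    # Step 5: ID tokens must be enabled when Business Connect URIs are present.
    has_business_connect = any(urlsplit(u).path.lower() in BUSINESS_CONNECT_PATHS for u in uris)
    id_tokens = web.get("implicitGrantSettings", {}).get("enableIdTokenIssuance", False)
    if has_business_connect and not id_tokens:
        findings.append("Business Connect URIs configured but ID token issuance is not enabled")
    # Step 4: 'Allow public client flows' maps to isFallbackPublicClient.
    if not app.get("isFallbackPublicClient", False):
        findings.append("'Allow public client flows' is not enabled")
    # Step 8: the admin app role, exact value, enabled, assignable to users/groups.
    roles = app.get("appRoles", [])
    exact = [r for r in roles if r.get("value") == ADMIN_ROLE_VALUE]
    if not exact:
        near = [r["value"] for r in roles if r.get("value", "").lower() == ADMIN_ROLE_VALUE.lower()]
        if near:
            findings.append(f"app role value {near[0]!r} differs in case from {ADMIN_ROLE_VALUE!r}")
        else:
            findings.append(f"app role {ADMIN_ROLE_VALUE!r} is missing")
    else:
        role = exact[0]
        if not role.get("isEnabled", False):
            findings.append(f"app role {ADMIN_ROLE_VALUE!r} is disabled")
        if "User" not in role.get("allowedMemberTypes", []):
            findings.append(f"app role {ADMIN_ROLE_VALUE!r} must allow member type 'User' (Users/Groups)")
    return findings


# Constructed sample: a registration that follows the guide.
GOOD_APP = {
    "isFallbackPublicClient": True,
    "web": {
        "redirectUris": [
            "https://dws.example.internal/DwsMain/WebAdmin/app",
            "https://eq.example.internal/EQWebClient/Login/OAuth2Login",
            "http://localhost:4940/Public/EQSharedEngine/OAuth2Login",
            "https://bc.example.internal:8443/mobileserver/api/externalauth/logincompleted",
            "https://bc.example.internal:8443/AdminTool/ExternalAuth/LoginCompleted",
            "https://localhost:8069/OM/ExternalAuth/LoginCompleted",
        ],
        "implicitGrantSettings": {"enableIdTokenIssuance": True},
    },
    "appRoles": [{"value": "ControlSuite.Admin", "isEnabled": True, "allowedMemberTypes": ["User"]}],
}

# Constructed sample: the same registration with six typical mistakes.
BAD_APP = {
    "isFallbackPublicClient": False,
    "web": {
        "redirectUris": [
            "https://<server>/DwsMain/WebAdmin/app",
            "http://eq.example.internal/EQWebClient/Login/OAuth2Login",
            "https://bc.example.internal/mobileserver/api/externalauth/logincompleted",
            "http://localhost:4940/Public/EQSharedEngine/OAuth2Login",
        ],
        "implicitGrantSettings": {"enableIdTokenIssuance": False},
    },
    "appRoles": [{"value": "controlsuite.admin", "isEnabled": True, "allowedMemberTypes": ["User"]}],
}

if __name__ == "__main__":
    for name, app in (("GOOD_APP", GOOD_APP), ("BAD_APP", BAD_APP)):
        print(f"{name}: {len(audit_app_registration(app))} finding(s)")
        for finding in audit_app_registration(app):
            print("  -", finding)
```

Run the script as-is to see the six findings for the constructed bad registration; to audit a real one, load the application JSON (for example, the output of a Graph query for the application object) and pass it to audit_app_registration in place of the samples.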