Introduction
This guide details the steps required to configure ReadyWorks as an Azure Enterprise Application, enabling integration with Azure Active Directory (AAD) via the Microsoft Graph API. This document targets IT professionals already proficient with ReadyWorks, Azure, and AAD, seeking to enhance their organization’s asset management capabilities through secure and efficient API integrations.
Setting up ReadyWorks in Azure establishes API connectivity, facilitating secure data exchange between ReadyWorks and your Microsoft tenant. This guide provides configuration instructions, security best practices, and troubleshooting steps.
Important Security Considerations
Please review these security guidelines before proceeding:
- Permissions requested herein are highly privileged, providing extensive access to Azure resources (e.g., users, groups, devices).
- Adhere strictly to the principle of least privilege: consider read-only permissions wherever applicable.
- Securely manage and regularly rotate the client secret following organizational security policies.
- Apply Conditional Access policies to restrict the application’s access according to location, network, or device criteria.
- Regularly audit application activity and permissions via Azure’s monitoring and audit capabilities.
Configuration Steps
1. Register ReadyWorks as an Application in Azure
- Sign in to Azure Active Directory Admin Center.
- Navigate to Azure Active Directory > App Registrations.
- Select New Registration.
- Enter application details:
-
- Name: Descriptive name (e.g., ‘ReadyWorks Graph Integration’)
- Supported account types: Accounts in this organizational directory only (Single tenant)
- Redirect URI: (Leave blank unless specifically required)
-
- Click Register.
- Record the Application (client) ID from the overview page.
2. Configure Microsoft Graph API Permissions
- From the app’s registration page, select API Permissions > Add a Permission.
- Select Microsoft Graph, then Application Permissions.
- Carefully choose permissions aligned to your organization’s needs:
| Permission | Type | Purpose | Recommended Alternative |
|---|---|---|---|
| Device.ReadWrite.All | Application | Manage device lifecycle |
Device.Read.All if write access unnecessary
|
| Group.ReadWrite.All | Application | Manage Azure AD groups |
Group.Read.All if write access unnecessary
|
| GroupMember.ReadWrite.All | Application | Manage group memberships |
GroupMember.Read.All if write access unnecessary
|
| User.ReadWrite.All | Application | Manage Azure AD users |
User.Read.All if write access unnecessary
|
- After selecting required permissions, click Add Permissions.
- Click Grant Admin Consent for [Your Organization] and confirm with Yes.
-
- Note: This action impacts tenant-wide; ensure clarity on scope and necessity before proceeding.
-
3. Generate and Secure Client Secret
- Select Certificates & Secrets > New Client Secret.
- Enter a clear description (e.g., “ReadyWorks Graph Client Secret”).
- Select an appropriate expiration aligned with organizational security requirements.
- Click Add.
- Immediately copy and securely store the client secret’s Value. (This is your sole opportunity to access this credential.)
4. Information Required for ReadyWorks Integration
Ensure the following information is securely documented for ReadyWorks connector setup:
- Tenant ID: Azure Tenant ID (found in Azure Active Directory overview)
- Application (Client) ID: From Step 1 registration
- Client Secret: From Step 3 secret generation
Recommended Permissions and Their Uses
| Permission | Type | Detailed Purpose |
|---|---|---|
| DeviceManagementManagedDevices.Read.All | Application |
Access detailed Intune-managed device information (compliance, hardware, security)
|
| User.Read.All | Application |
Retrieve comprehensive user profile details (UPN, email, department, roles)
|
| Group.Read.All | Application |
Access group details within Azure AD
|
| GroupMember.Read.All | Application |
Read membership details of all Azure AD groups
|
| Directory.Read.All | Application |
Broad read access across Azure AD directory objects
|
Maintenance and Security Best Practices
- Secret Rotation: Proactively rotate client secrets before expiry; schedule reminders accordingly.
- Permission Reviews: Regularly audit permissions to confirm necessity and alignment with current business requirements.
- Access Reviews: Implement periodic access reviews for continued security compliance.
- Monitoring: Activate Azure monitoring tools for auditing and alerts to detect unauthorized or anomalous activity.
Troubleshooting Guidance
If integration issues arise:
- Confirm admin consent for all permissions.
- Verify client secret validity and expiration status.
- Check accuracy of Tenant ID and Application ID in ReadyWorks.
- Confirm sufficient permissions for personnel configuring ReadyWorks.
- Consult Azure AD audit logs for authentication errors or permission issues.
- Open a support ticket with ReadyWorks at: support.readyworks.com
This guide emphasizes secure, minimal-permission integrations aligned with best practices to maximize the utility of ReadyWorks while maintaining rigorous security compliance.