Starting with Resilio Connect v3.3.2, the Resilio Management Console supports sign in with Azure AD users with assigned local roles.
Configure connection to Azure AD
1. Register an application in the Azure portal using this guide: Register an application
Add this redirect URI:
https://mc_address:8443/login/azuread/redirect in the application. Be sure to use the correct mc_address.
2. Create the application roles using the guide Add app roles to your application and receive them in the token, and assign the roles to users.
These values are supported:
view_only and stand for corresponding user roles on the MC. See below to configure custom user roles.
3. Check the application's API permissions. The permission
user.read is required. It should be granted automatically when the application is created. If it's not, add this permission: click Add permissions -> Microsoft Graph -> Delegated permission -> type in user.read and select it from the Users section.
Additionally, it's possible to add an e-mail claim, token type ID, under Token Configuration in Azure. This allows e-mail notifications from MC to be configured for Azure AD users. Be sure to grant the permissions.
Both of these permissions should appear in the list of API permissions for the application.
4. On the Resilio Management Console open Settings -> General -> Advanced and add
https://mc_address:8443 (same mc_address as in step 1) as "Management Console address".
5. Configure connection to the Azure AD. Open MC settings -> General -> Azure AD Authentication
Enter the connection information:
Client ID: the "Application (client) ID" of the created application
Client secret: the secret from the "Certificates and secrets" menu. Please note that the Client secret is not saved in the UI and needs to be entered again after changing the configuration.
Note that the Management Console does not validate the fields and does not test the connection to the endpoint.
Once the Azure AD connection is configured, an option to sign in with Azure AD will appear on the login screen.
A logged-in Azure AD user will appear in the list of MC users. Such users cannot be edited from MC.
Configuring custom user roles
Custom roles also work, but are not guaranteed for all roles. Custom role names need to be all lowercase with spaces replaced by underscores. Single-word roles are not supported.
1. Create a custom user group on the Management Console, for example Test Group.
2. Transform its name: replace spaces with underscores (_) and make all letters lowercase. In the example it will be test_group.
3. Create a role with that value in Azure AD and assign it to the users.
The logged in user will appear in the corresponding group on MC.
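The naming convention from steps 1 to 3 is easy to get wrong when several groups are involved, so here is a small helper that applies the transformation and checks the result before any roles are created in Azure AD. This is an added example, not Resilio's or Microsoft's code: the built-in value view_only and the naming rules come from the article; the collision and single-word checks are this helper's own sanity checks, not something the Management Console performs.

```python
"""Derive Azure AD app-role values from Resilio Management Console group names
and match a token's `roles` claim back to MC groups.

Added illustration (not Resilio's or Microsoft's code). Assumptions: the
built-in role value "view_only" is taken from the article; any other built-in
values are not listed here. The collision check is this helper's own sanity
check, not Management Console behaviour.
"""

# Built-in MC role value named on the page. Other built-ins are not listed here.
BUILTIN_ROLE_VALUES = {"view_only"}


def group_to_role_value(group_name: str) -> str:
    """Transform an MC custom group name into the Azure AD app role value:
    replace spaces with underscores and lowercase everything.
    Single-word names are rejected because the article states they are not
    supported as custom roles."""
    name = group_name.strip()
    if " " not in name:
        raise ValueError(f"single-word role name not supported: {group_name!r}")
    return name.replace(" ", "_").lower()


def build_role_map(group_names):
    """Map each expected role value to its MC group, refusing collisions:
    two groups that normalise to the same value (e.g. "Test Group" and
    "test group") would be indistinguishable in the token's roles claim,
    and a custom group must not shadow a built-in value."""
    mapping = {}
    for group in group_names:
        value = group_to_role_value(group)
        if value in BUILTIN_ROLE_VALUES:
            raise ValueError(f"{group!r} collides with built-in role {value!r}")
        if value in mapping and mapping[value] != group:
            raise ValueError(f"{group!r} and {mapping[value]!r} both map to {value!r}")
        mapping[value] = group
    return mapping


def resolve_groups(roles_claim, role_map):
    """Given the `roles` claim of a decoded token, return the MC roles/groups
    the user would land in, plus any values MC has no group for (so a typo in
    the Azure AD role value shows up before a user is locked out)."""
    matched, unknown = [], []
    for value in roles_claim:
        if value in BUILTIN_ROLE_VALUES:
            matched.append(value)
        elif value in role_map:
            matched.append(role_map[value])
        else:
            unknown.append(value)
    return matched, unknown


if __name__ == "__main__":
    groups = ["Test Group", "Backup Operators"]
    role_map = build_role_map(groups)
    # Constructed sample claim, shaped like the `roles` array in a decoded token.
    sample_roles_claim = ["test_group", "view_only", "finance_team"]
    print(resolve_groups(sample_roles_claim, role_map))
```

Run it with the list of custom groups you have created on the Management Console; an unknown value in the output means the role value in Azure AD does not match any MC group after the transformation.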
Peculiarities and limitations:
The Management Console does not validate the configured connection and does not test the connection to the endpoint.
Only these roles are officially supported:
view_only. Custom roles also work, but are not guaranteed for all roles. Custom role names need to be all lowercase with spaces replaced by underscores.
An Azure AD user will be forcibly logged out of MC if their role is changed in Azure AD.