Skip to main content

Technical details

Thomas Schempp
  • Updated

Azure App Registration

The license routine of the axes4 products must have certain permissions in order to perform the check in the Entra ID. These authorizations are configured in an Azure App Registration.

The client ID of the app registration must be entered in the client registry.

Please create and configure the App Registration according to the detailed instructions.

Azure Entra ID Group

The users to be licensed are managed in an Azure Entra ID group.

Create a group in your Entra ID and add the desired users to this group. Tell axes4 the Object ID of this group and the Tenant ID of your Azure directory.

Please note that the Object ID of the Entra ID group cannot be changed after the license has been issued. You can change the name of the group, but you cannot request an updated license for a different group.

Deploying the license token file

Using the Tenant ID and the Object ID, axes4 creates a license token file (Json file) with the data described above and sends this file to the licensees.

This file must be distributed to the axes4 License Manager program folder of the clients using a deployment tool (such as InTune). By default, the path is

C:\Program Files\axes4 License Manager

Modification of the registry value for the license manager and the App Registration

To activate Entra ID licensing, a registry value must be set for one of the following keys (with descending priority during processing):

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\Policies\axes4\Licensing\Manager
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\axes4\Licensing\Manager

Within these keys, the license manager searches for a string value with the name ActiveConnections and the value entraId.

The client ID of the app registration must also be stored in the registry. To do this, create a string value with the name EntraIdClientId. Enter the client ID of your app registration as the value of the string value.

Screenshot of the Windows Registry Editor with two highlighted string values. The first is 'ActiveConnections' and has the value 'entraId', the second is 'EntraIdClientId' and has a random GUID value.

 

Random check of the number of licensed users

The check of the number of members in the Entra ID group is not performant on the part of Entra ID. In order to conserve resources, this check is only carried out sporadically depending on the number of users.

Exceeding the number of licensed users

If the Entra ID group contains more members than specified in the license token file and if the random algorithm selects a client to count the group members, this one client will not be licensed. If the number of group members remains too high, this happens in the same way for subsequent clients. All other clients are not affected.

Flat licenses

Entra ID licensing includes the option of issuing flat licenses if an organization wishes to license all of its employees. There are two options:

Tenant Flat

The system only checks whether a user belongs to the correct Entra ID. The check for membership in an Entra ID group is omitted.

Group Flat

The system checks whether a user belongs to the correct Entra ID and whether the user is a member of the specified Entra ID group. An admin can use this group membership to control who receives a license. With Group Flat, the license manager does not check how many users are in the Entra ID group.

Configuration of the App Registration

  1. Enter “App Registrations” in the search field of the Azure Portal and call up the corresponding widget.
     
  2. Click New Registration.Screenshot of the Azure portal. In the App Registrations widget, the New registration button is highlighted.
     
  3. Enter any name, select Single Tenant, no Redirect URI and no Admin Consent.
    Screenshot of the Azure portal. In the Register an application widget, the Name, Single tenant, Redirect URI, and Grant admin consent sections are highlighted.
     
  4. Copy the Client ID of the Registration app to the clipboard and record it in a note in the meantime.
    Screenshot of the Azure portal. In the App Registrations widget, the Application (client) ID section is highlighted.
     
  5. Navigate to Authentication in the navigation bar and click Add a platform
    Screenshot of the Azure portal. In the 'App Registrations' widget, the 'Authentication' navigation item and the 'Add a platform' button are highlighted.

     
  6. Choose Mobile and desktop applications
    Screenshot of the Azure portal. In the 'Configure platforms' widget, the 'Mobile and desktop applications' button is highlighted.

     
  7. Enter the following value in the Custom redirect URIs field:
    ms-appx-web://microsoft.aad.brokerplugin/Client ID
    Replace Client ID with the value you entered in step 4 and click Configure
    Screenshot of the Azure portal. In the Configure Desktop + devices widget, the Custom redirect URIs text box is highlighted.

     
  8. Navigate to API permissions and click on Add a permission
    Screenshot of the Azure portal. In the 'App Registrations' widget, the navigation item 'API permissions' and the 'Add a permission' button are highlighted.
     
  9. Choose Microsoft Graph
    Screenshot of the Azure portal. In the 'Request API permission' widget, the 'Microsoft Graph' button is highlighted.
     
  10. Choose Delegated permissions
    Screenshot of the Azure portal. In the 'Request API permission' widget, the 'Delegated permissions' button is highlighted.

     
  11. Scroll to the GroupMember section and select GroupMember.Read.All
    alt GroupMember.Read.All' checkbox is highlighted."
     
  12. Scroll to the User chapter. Select User.Read and click on Add permissions
    Note: the User.Read permission is normally set by default.
    alt User.Read' is highlighted."
  13. Click Grant admin consent for Directory
    Screenshot of the Azure portal. In the App registrations widget, the 'Grant admin consent for directory' button is highlighted.
     
  14. Click Yes to confirm
    Screenshot of the Azure portal. In the 'Grant admin consent confirmation' dialog, the 'Yes' button is highlighted.

This completes the configuration.