Azure AD Management Beta

EV Reach’s Azure AD Management aims to change the way IT operators manage Azure AD accounts, providing a seamless experience comparable to managing On-Premise AD. With EV Reach, IT operators gain the intuitive and user-friendly interface that EV Reach is famous for.

Azure AD Beta Program

The Azure AD features will be added progressively over time. We aim to add functionality every release and then move those features into the main EV Reach Console release version.

Customers wanting early access to the features can download the EV Reach Console Beta in the EV Reach Portal. Locate the Labs section and download the EV Reach Console Beta. Reference the feature log to see what features are available for each Beta release.

Road Map

New Features will be added to the Azure AD Beta frequently. Each Beta Release will have a changelog going over the features that were added and bugs that were fixed.

Improving on the Administration & Diagnostics module's Azure AD Features

  • Administration and Diagnostic access to Azure AD Users, Groups and Computers
    • User Account Modification (Resetting user passwords, MFA Settings, Group Membership Configuration, Sign in Logs).
    • Devices (Viewing Group Membership, Windows LAPS integration)
    • Groups (Viewing User members, adding and removing User Members)
    • Searching Azure AD
    • Adding Devices to EV Reach Favorites
    • Identifying Mobile Devices.

Endpoint Manager (Formerly Intune) Integrations:

Discover how Azure AD management integrates with Microsoft Endpoint Manager (formerly known as Intune), unlocking MDM (Mobile Device Management) based features such as remote wipe, geolocation, and application deployments.

  • Administration and Diagnostic access to MS Endpoint Manager features
    • Quick MDM Actions like Geo Locate, Remote Wipe, Restart, Autopilot Reset.
  • Process Automation actions for MS Endpoint Manager

Integrating into Process Automation

Reporting and Bulk Actions: Seamlessly integrate Azure AD management into your process automation workflows for efficient reporting and bulk actions.

  • Process Automation
    • Reporting on Azure AD Specific Attributes
    • Setting Bulk Properties on Azure AD objects

Setting up EV Reach in your Azure AD Tenant

Creating an Enterprise Application

The EV Reach Console will require you to create an Azure App Registration. This section will guide you through the necessary steps and help you obtain the Application ID.

Creating the App Registration for the EV Reach Console

An Azure AD user with the Cloud Application Administrator Role or Global Administrator Role will be required to make the following changes.

  1. Log in to the Azure Portal. https://portal.azure.com
  2. Select your Azure AD Tenant
  3. Navigate to App Registrations
  4. Click “New registration”
  5. Enter a name for the application. This can be anything but should identify the EV Reach Console. For example: “EV Reach Console v11”
  6. Select “Accounts in any organizational directory (Any Azure AD Directory – Multitenant)”. ⚠️ This setting is required. It does not expose your application to other, unrelated Azure AD tenants.
  7. For the Redirect URI, select Public Client/Native (Mobile and Desktop)
  8. Enter the following for the Reply URI – https://login.microsoftonline.com/common/oauth2/nativeclient
  9. Click Register
  10. Once the App Registration has been created, take note of the Application (client) ID. You will need to enter this in the EV Reach Console settings later.

Configuring the Expose API Setting

  1. Click “Expose an API” on the left hand side
  2. Click “Add” for the Application ID URI
  3. Leave the default entry filled in and click Save
  4. Click Add a scope.
  5. Enter “access_as_user” in the Scope Name
  6. Select “” in the “Who can Consent?” section
  7. Enter the following for the Admin Consent Display Name
  8. Enter the following for the Admin Consent Description
  9. Click Add Scope
  10. Click “Add a client application.”
  11. Paste the Client ID (From Step 10 Above) in the Client ID field.
  12. Select the Authorized Scopes (There should only be 1).
  13. Click Add Application

Granting the required Access

Discover the permissions needed for EV Reach and how to grant the necessary access to ensure proper functionality within your Azure AD tenant. Customers may limit these permissions as they see fit. However, limiting these permissions may impact the functionality of the features.

It is recommended that you allow the following permissions but control what EV Reach Operators can access with Azure AD Roles.

The following permissions need to be configured in the API Permissions section of the App Registration.

  1. Click API Permissions
  2. Click the Add a permission button
  3. Click Microsoft Graph
  4. Click “Delegated Permissions”
  5. Search and select each of the following Permissions.
    1. AuditLog.Read.All (Located in: Auditlog)
    2. BitlockerKey.Read.All (Located in: BitlockerKey)
    3. Device.Read.All (Located in: Device)
    4. Directory.Read.All (Located in: Directory)
    5. User.Read (Located in: User)
    6. User.Read.All (Located in: User)
    7. User.ReadWrite (Located in: User)
    8. User.ReadWrite.All (Located in: User)
    9. UserAuthenticationMethod.Read.All (Located in: UserAuthenticationMethod)
    10. UserAuthenticationMethod.ReadWrite.All (Located in: UserAuthenticationMethod)
  6. Click “Add permissions”
  7. Once the Permissions have been added to the list, click Grant Admin Consent for (Your Tenant Name).
  8. Click Yes

These permissions are delegated: they allow the EV Reach Console to act on behalf of the signed-in operator when it calls these functions. The operator must still hold the Azure AD Roles required to perform each task.
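The two procedures above (the App Registration and Expose an API settings, and the delegated permissions with admin consent) can be verified after the fact rather than trusted to have been clicked through correctly. The following is an added example, not EV Reach code, that audits the Microsoft Graph `application` resource and the tenant-wide `oauth2PermissionGrant` for the settings those steps require and reports anything missing or granted beyond the documented list (the least-privilege point made above). The JSON objects are constructed sample data in the shape of the real Graph objects; the app ID and service principal IDs are placeholders. In practice you would feed it the output of `GET /applications/{id}` and `GET /oauth2PermissionGrants` for the console's service principal.

```python
"""Audit an EV Reach Console app registration against the documented setup.

Added example (not EV Reach code). Field names follow the Microsoft Graph
`application` and `oauth2PermissionGrant` resources; all sample data below
is constructed and the identifiers are placeholders.
"""
import json

# Values the setup steps above require.
EXPECTED_AUDIENCE = "AzureADMultipleOrgs"  # "Any Azure AD Directory - Multitenant"
EXPECTED_REDIRECT = "https://login.microsoftonline.com/common/oauth2/nativeclient"
EXPECTED_SCOPE = "access_as_user"
DOCUMENTED_PERMISSIONS = {
    "AuditLog.Read.All", "BitlockerKey.Read.All", "Device.Read.All",
    "Directory.Read.All", "User.Read", "User.Read.All", "User.ReadWrite",
    "User.ReadWrite.All", "UserAuthenticationMethod.Read.All",
    "UserAuthenticationMethod.ReadWrite.All",
}

# Constructed sample app registration (placeholder IDs) that follows the steps above.
SAMPLE_APPLICATION = json.loads("""
{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "EV Reach Console v11",
  "signInAudience": "AzureADMultipleOrgs",
  "publicClient": {"redirectUris": ["https://login.microsoftonline.com/common/oauth2/nativeclient"]},
  "web": {"redirectUris": []},
  "api": {
    "oauth2PermissionScopes": [
      {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "access_as_user", "isEnabled": true, "type": "Admin"}
    ],
    "preAuthorizedApplications": [
      {"appId": "11111111-2222-3333-4444-555555555555", "delegatedPermissionIds": ["aaaaaaaa-0000-0000-0000-000000000001"]}
    ]
  }
}
""")

# Constructed sample admin-consent grant: one documented permission is missing and one extra was added.
SAMPLE_GRANT = json.loads("""
{
  "clientId": "placeholder-sp-object-id-of-ev-reach-console",
  "consentType": "AllPrincipals",
  "principalId": null,
  "resourceId": "placeholder-sp-object-id-of-microsoft-graph",
  "scope": "AuditLog.Read.All BitlockerKey.Read.All Device.Read.All Directory.Read.All User.Read User.Read.All User.ReadWrite User.ReadWrite.All UserAuthenticationMethod.Read.All Group.ReadWrite.All"
}
""")


def audit_application(app: dict) -> list[str]:
    """Return findings for the app registration; an empty list means it matches the steps."""
    findings = []
    # Step 6: multitenant sign-in audience.
    if app.get("signInAudience") != EXPECTED_AUDIENCE:
        findings.append(f"signInAudience is {app.get('signInAudience')!r}, expected {EXPECTED_AUDIENCE!r}")
    # Steps 7-8: exactly one public-client redirect URI, and no web redirect URIs.
    public_uris = set(app.get("publicClient", {}).get("redirectUris", []))
    if EXPECTED_REDIRECT not in public_uris:
        findings.append("public client redirect URI for nativeclient is missing")
    for extra in sorted(public_uris - {EXPECTED_REDIRECT}) + sorted(app.get("web", {}).get("redirectUris", [])):
        findings.append(f"unexpected redirect URI: {extra}")
    # Expose an API: the access_as_user scope exists and is enabled, and nothing else is exposed.
    scopes = {s["value"]: s for s in app.get("api", {}).get("oauth2PermissionScopes", [])}
    scope = scopes.get(EXPECTED_SCOPE)
    if scope is None or not scope.get("isEnabled", False):
        findings.append(f"exposed scope {EXPECTED_SCOPE!r} is missing or disabled")
    for name in sorted(set(scopes) - {EXPECTED_SCOPE}):
        findings.append(f"unexpected exposed scope: {name}")
    # Add a client application: only the console's own client ID, and only for access_as_user.
    pre = app.get("api", {}).get("preAuthorizedApplications", [])
    own = [p for p in pre if p.get("appId") == app.get("appId")]
    if scope is not None and not any(scope["id"] in p.get("delegatedPermissionIds", []) for p in own):
        findings.append("the console's own client ID is not pre-authorized for access_as_user")
    for p in pre:
        if p.get("appId") != app.get("appId"):
            findings.append(f"unexpected pre-authorized client: {p.get('appId')}")
    return findings


def audit_grant(grant: dict) -> list[str]:
    """Compare the tenant-wide delegated grant with the documented permission set."""
    findings = []
    if grant.get("consentType") != "AllPrincipals":
        findings.append("grant is not tenant-wide admin consent (consentType != AllPrincipals)")
    granted = set(grant.get("scope", "").split())
    for missing in sorted(DOCUMENTED_PERMISSIONS - granted):
        findings.append(f"documented permission not granted: {missing}")
    for extra in sorted(granted - DOCUMENTED_PERMISSIONS):
        findings.append(f"permission granted beyond the documented set: {extra}")
    return findings


def audit(app: dict, grant: dict) -> list[str]:
    """Full audit: app registration findings followed by consent-grant findings."""
    return audit_application(app) + audit_grant(grant)


if __name__ == "__main__":
    for line in audit(SAMPLE_APPLICATION, SAMPLE_GRANT) or ["compliant"]:
        print(line)
```

Run on the constructed sample, the registration itself passes and the grant produces two findings: `UserAuthenticationMethod.ReadWrite.All` was never consented (the MFA features above will fail for operators), and `Group.ReadWrite.All` was consented although the setup never asks for it. The second kind of finding is the one worth scheduling: delegated permissions only widen what an operator's own roles already allow, but a grant beyond the documented set still expands what a compromised console session can do in your name.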

Configuring the EV Reach Console for Azure AD Access

Once the configuration has been completed, you must perform the following in the EV Reach Console.

  1. Go to the Application Tab —> General Settings
  2. Select Active Directory
  3. Enter the Application ID for the App Registration in the Client ID field.
  4. Click on the Login to Azure AD button.
  5. Enter your credentials when asked.
  6. You may be asked to consent for permissions if you are the administrator.

You will now be logged in to Azure AD.

Azure AD Features

Azure AD Account Browsing

Explore the options for browsing Azure AD accounts, including managing user accounts, computer accounts, and group accounts.

Browsing your Azure AD Tenant in the EV Reach Console

  1. Click on the Administration and Diagnostics module
  2. Select the Object Types you wish to view with the tabs below (Users, Groups, Computers)
  3. You will see the Azure Network node.
  4. Expand it, right-click your Tenant Name and select Open Container.

Users

EV Reach operators can view Azure AD User details in the same way EV Reach handles On-Prem AD objects.

Locate a user in the list, double-click the user and then double-click Account Information.

Account Information Tab

Editing user properties

Most user property fields can be directly modified. Simply edit the field and click Apply.

Managing Account Authentication

The following Authentication properties can be modified:

  • Enable or Disable the Account
  • Reset User Password
  • Revoke Sign in Sessions

Groups Tab

The Groups tab allows you to see what group the user is a member of. Currently this is a read only list.

Statistics

The account Statistics tab shows the Azure AD Interactive Sign-in log. This log shows successful and failed sign-in attempts where a user password was used.

Computers

Access BitLocker keys for computers in your Azure AD tenant. This information is valuable for managing device encryption and recovery.

Account Information Tab

The Account Information tab contains data about the Azure AD Device properties such as Owner, MDM Type and Azure AD Join Type.

Groups Tab

The Groups tab allows you to see what group the device is a member of. Currently this is a read only list.

BitLocker Tab

Displays the BitLocker recovery key for Windows Drive Encryption.

Groups

Displays Azure AD Group properties and memberships. This is currently a read-only list.

Updated on August 7, 2023