Setup Azure AD/Entra ID for MyWorkDrive


Azure AD/Entra ID for MyWorkDrive Setup Guide

MyWorkDrive 7 Server Version or Higher Required:

The MyWorkDrive server supports native Entra ID (formerly Azure AD) for user authentication as an alternative to Active Directory. Authentication works by utilizing an Entra ID App Registration with permissions to view users and groups in Active Directory.

There are three options for the Entra ID App Registration with MyWorkDrive.

Our server post-setup wizard allows you to choose your preferred option.

Ensure that you plan to publish MyWorkDrive using your own hostname, and that the hostname is fully configured before proceeding with the setup wizard.

If you are not prepared to configure your own hostname, you can use our built-in Cloud Web Connector to publish your server. You can always move to your own hostname later. See Publishing your MyWorkDrive Server for additional options and details.

API Permissions

The permissions recommended for your app in Azure, in the chart below, support the common functions MyWorkDrive accesses in Azure.

-Entra ID Identity for Authentication
-Data Storage for OneDrive/SharePoint
-Office Online Editing with Office 365 and OneDrive/SharePoint for Temporary Storage
-Azure Storage (Azure File Shares, Azure Blob)

They are what is used in the MyWorkDrive managed App, what is set up in the automated setup option, and what we recommend you set up if choosing the manual setup option.

API Permission Type Description
Azure Storage
user_impersonation Delegated Access Azure Storage
Microsoft Graph
email Delegated View users' email address
Files.ReadWrite Delegated Have full access to user files
Files.ReadWrite.All Delegated Have full access to all files user can access
Group.Read.All Application Read all groups
GroupMember.Read.All Application Read all group memberships
GroupMember.Read.All Delegated Read group memberships
offline_access Delegated Maintain access to data you have given it access to
openid Delegated Sign users in
profile Delegated View users' basic profile
Sites.Read.All Delegated Read items in all site collections
User.Read Delegated Sign in and read user profile
User.Read.All Application Read all users' full profiles
SharePoint
MyFiles.Write Delegated Read and write user files

Reply URIs

Several reply URIs are required for the proper functioning of your app registration. If you use the wizard to create an app in your tenant (Option 2) or choose to manually create your own app (Option 3), please make sure these 5 URIs are present on the authentication page of your app. The base domain of the URI will be the public URL of your MyWorkDrive server.

URI Usage
https://your-server.example.com/ Logins from the home page
https://your-server.example.com/GraphAPITokenPage.aspx Logins generated dynamically by the application for token renewals, access to storage
https://your-server.example.com/OfOnShPo/Home/SignInRedirect Logins used in the Web client or when editing with office online
https://www.myworkdrive.com/success-azure-app-registration-approval Approval URL for Adding and modifying Entra ID / Graph API access configuration in MyWorkDrive server admin.

Option 1: MyWorkDrive Auth App Registration

When utilizing the MyWorkDrive Cloudflare Web Connector (*.myworkdrive.net web address), the MyWorkDrive managed app registration will be presented as an option.

With this option, you will be prompted by the wizard to sign in as an Azure AD/Entra ID Global admin account.

In the next step, log in with an Azure AD Global Admin to continue automated setup.

To sign in, follow the prompts to sign in using the Microsoft device login method and enter the code (you may copy the code to the clipboard for ease of entry) as presented during setup.

Authenticate with your Azure AD/Entra ID Global admin account when prompted, then click continue to sign in to the Microsoft Azure CLI and close the page when requested to continue to the next step.

After a few moments, the MyWorkDrive admin panel will recognize that you are logged in with an Azure AD Global Admin:

You with then be provided with the option of using the MyWorkDrive hosted Azure AD App.

Leaving that option selected, approve the MyWorkDrive hosted app registration.

Option 2: Custom Azure App Registration (Automated Setup)

With this option, you will be prompted by the wizard to sign in as an Azure AD/Entra ID Global Admin account.

You will be approving the "MyWorkDrive App" Azure AD, which has Microsoft Graph API permission to create/read/write Azure AD Apps on your behalf.

Note: The temporary "MyWorkDrive App" may be removed from Entra AD once setup is complete (Located in Entra ID Enterprise Applications).

Begin by following the wizard to log in to Azure AD and set it up automatically.

In the next step, log in with an Azure AD Global Admin to continue automated setup.

To sign in, follow the prompts to sign in using the Microsoft device login method and enter the code (you may copy the code to the clipboard for ease of entry) as presented during setup:

Authenticate with your Azure AD/Entra ID Global Admin account when prompted, then click continue to sign in to the Microsoft Azure CLI and close the page when requested to continue to the next step:

After a few moments, the MyWorkDrive admin panel will recognize that you are logged in with an Azure AD Global Admin.

You with then be provided with the option of creating your own Azure AD app.

Deselect the Office 365 and Azure Storage options (not shown in this image) if you do not intend to use those features. If you select those features but they are not available in your tenant, or you do not have permission to grant consent for them, you may not be able to complete the wizard.

Leaving that option selected, once created, back up, then approve the MyWorkDrive hosted app registration that we created for you in your tenant.

Make note of the Application ID and securely store your Application Secret for future reference.

Option 3: Custom Azure App Registration (manual setup)

Your organization will need its Azure AD Global Admin to create an Azure AD App Registration with the necessary permissions noted at the beginning of this article.

Create a new Azure AD App Registration in the same Azure AD as your user’s Office 365 Subscription.

On portal.azure.com, log in using the Global Admin Account. Bring up Azure Active Directory/Entra ID https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade, then click App Registrations.

Create New Registration

Provide a Name, Selected Account Types, and insert your public MyWorkDrive URL.

Click Register

Web Redirect URIs

Set the four Web Redirect URIs, as described in the section above, on the Manage | Authentication page of your new app.

https://your-server.example.com/OfOnShPo/Home/SignInRedirect
https://your-server.example.com/GraphAPITokenPage.aspx
https://your-server.example.com/
https://www.myworkdrive.com/success-azure-app-registration-approval

API Permissions

Click API permissions.

If you are using all the features of MyWorkDrive, add the permission below.

You may omit Azure Storage |user_impersonation if you do not intend to use Azure Storage with EID Auth, and will either not be using Azure Storage, or will be using it with Connection String.

You may omit SharePoint | MyFiles.Write if you will not be using Office 365 Online editing.

If you only want to use MyWorkDrive for identity purposes, without any additional features in Azure (such as SharePoint/OneDrive storage, Office Online editing, or Azure Storage), then only these five permissions are needed.

Go to: Create Client Secret > Certificates & Secrets > New client secret

Take note of the Calendar Secret Expiration Date, as it will need to be regenerated at that time and updated on all MyWorkDrive Servers.

Click Authentication and enable Access Tokens and ID tokens.

Copy the Client Secret Value (not the secret ID). Keep this backed up and secured, as it will only display briefly.

Click Overview: Copy the Application (client) ID. Retain this value for use in the MyWorkDrive admin panel.

Copy the Directory (tenant) ID. Retain this value for use in the MyWorkDrive admin panel.

Note the Client Secret Expiration – this will need to be renewed before it expires and updated on each MyWorkDrive Server in the future.

Update branding on your custom Azure AD App Registration to verify the app or add a company logo as desired.

MyWorkDrive Server Configuration

Under Integrations or during the wizard when prompted, paste the values of your Tenant ID, Application ID, Application Secret, and your Server URL into Azure AD Integration.


We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@myworkdrive.com.