How to integrate Azure Active Directory into PRTG?

Votes:

1

I want to use Azure AD as SSO provider for PRTG. How can I do this? What steps are necessary?

active-directory azure-ad prtg sso

Created on Sep 4, 2020 10:10:42 AM by  Brandy Greger [Paessler Support]



10 Replies

Accepted Answer

Votes:

1

This article applies as of PRTG 21

Important: The following article only applies to PRTG Network Monitor. It does not apply to PRTG Hosted Monitor.

How to integrate Azure Active Directory into PRTG

As of PRTG 21.2.68, you can use Azure Active Directory (Azure AD) as single sign-on (SSO) provider in PRTG. For the integration to work seamlessly, follow the steps in this article.

Steps to take:

  • Step 1: Configure Azure AD
  • Step 2: Configure SSO in PRTG
  • Step 3: Add a user group in PRTG

Step 1: Configure Azure AD

Follow these steps to configure Azure AD to work as SSO provider in PRTG.

  • Step 1.1: Register your app
  • Step 1.2: Create a client secret
  • Step 1.3: Add a platform
  • Step 1.4: Create a groups claim
  • Step 1.5: Add a scope
  • Step 1.6: Edit accessTokenAcceptedVersion

Step 1.1: Register your app

  • Log in to https://portal.azure.com.
  • Go to the App registrations tab.
  • Click the New registration button.
    • Enter a name, for example My_Registration.
    • Select Accounts in this organizational directory only.
    • Optional: Enter the redirect URI if you already know it. If you do not know it yet, you can enter it later.
    • Click the Register button to register the new app.
  • Select the newly registered app My_Registration.
  • Copy the Application (client) ID and Directory (tenant) ID.
    Note: You need these to configure PRTG later.

Step 1.2: Create a client secret

  • Go to the Certificates & secrets tab.
  • Click the New client secret button.
    • Enter a Description, for example My_Client_Secret.
    • Enter the period after which the client secret expires.
    • Click the Add button to save the client secret.
      Important: Make sure to note the client secret now because it will not be visible again and because you need it when you configure PRTG.

Step 1.3: Add a platform

  • Go to the Authentication tab.
  • Click the Add a platform button.
  • Select Web.
    • Enter the redirect URI under Redirect URIs. Use the format https://IP address or DNS name:port/cb. For example, https://192.0.2.0:443/cb.
      Note: Make sure to add redirect URIs for the ports that PRTG uses, namely port 443 (default), port 8443 (fallback). If both 443 and 8443 are not available, PRTG sends a ticket that shows you the currently used port number. Add a redirect URI for this port until PRTG can switch back to 443 as soon as it is available again.
    • Click the Continue button to continue.

Step 1.4: Add a groups claim

  • Go to the Token Configuration tab.
  • Click the Add groups claim button.
    • Select Security groups and Directory roles.
    • Click the Add button to save the new groups claim.

Step 1.5: Add a scope

  • Go to the Expose an API tab.
    • Click the Add a scope button.
    • Enter an Application ID URI.
    • Click the Save and continue button.
    • Enter a name for the scope. By default, Azure uses the format api://<client-ID>/<name given>. For our example, we will use api://<client-ID>/AnAPIName.

Step 1.6: Edit accessTokenAcceptedVersion

  • Go to the Manifest tab.
    • Change accessTokenAcceptedVersion = 0 to accessTokenAcceptedVersion = 2

You have now successfully configured Azure AD.

Step 2: Configure SSO in PRTG

Now that you have configured Azure AD, you need to configure the SSO settings in PRTG accordingly. To do so, follow these steps.


Important: Make sure that PRTG uses a connection that is encrypted via SSL. For more information, see PRTG Manual: PRTG Administration Tool on Core Server System.


  • Log in to the PRTG web interface.
  • Go to Setup | System Administration | Single Sign-On.
  • Under SSO Login, select Enable.
  • Under Provider, select Azure Active Directory from the dropdown list.
  • Under Configuration Endpoint, enter the configuration endpoint URL as follows https://login.microsoftonline.com/<tenant-ID>/v2.0/.well-known/openid-configuration
    Note: Make sure to replace <tenant-ID> with your directory (tenant) ID from Step 1.1.
  • Click the Load Configuration button. This automatically fills in the values in the next four fields.
    Note: If this does not work, then you have to manually enter the values instead as follows. Also, make sure to replace <tenant-ID> with your directory (tenant) ID from Step 1.1.
    • Authorization Endpoint: https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/authorize
    • Token Endpoint: https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/token
    • JSON Web Key Set (JWKS) URI: https://login.microsoftonline.com/<tenant-ID>/discovery/v2.0/keys
    • Issuer: https://login.microsoftonline.com/<tenant-ID>/v2.0
  • Under Scope, enter offline_access email. This is from Step 1.5. The full scope entry should look like this: openid profile offline_access email api://<client-ID>/AnAPIName
  • Under ClientID, enter the application (client) ID from Step 1.1.
  • Under Client Secret, enter the client secret from Step 1.2.
  • Under Available Callback URLs, select the URLs that your users will use to log in to PRTG. You will need to add these to the Azure app you configured in Step 1.3.
  • If the URL your users use to log in to PRTG is not listed because PRTG is reachable via a different URL (for example, myPRTG.example.com for login but PRTG lists myPRTG.internal.example.com), you can use the option Manually enter a URL. PRTG still lists all available endpoints if needed for forwarding. You then need to add the URL to the Azure app you configured in Step 1.3.
    Note: Azure AD and PRTG both check whether or not the callback URLs are allowed. Make sure you configure each required URL on both ends; otherwise, you will not be able to log in.

You have now configured SSO in PRTG.

Step 3: Add a user group in PRTG

Now that you have configured SSO, you need to add a new user group in PRTG.

  • Log in to the PRTG web interface.
  • Go to Setup | System Administration | User Groups.
  • Hover over the blue + button and select Add User Group.
    • Under User Group Name, give the group a meaningful name, for example Azure AD SSO.
    • Under Active Directory or Single Sign-On Integration, select Use single sign-on integration.
    • Under SSO Group Access Claim, enter the groups claim that you created in Step 1.4.
      Note: For claims, you can use Azure group IDs. To find a group ID, open the Azure portal and select the Groups tab. There you find a list of all groups and their object IDs. Find the object ID you need and enter it under SSO Group Access Claim. Alternatively, you can use the API name you previously configured, for example AnAPIName.

You have now successfully integrated Azure AD as SSO provider in PRTG.

Created on Sep 4, 2020 11:15:58 AM by  Brandy Greger [Paessler Support]

Last change on Jun 15, 2021 6:52:12 AM by  Brandy Greger [Paessler Support]
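
To troubleshoot the setup described in the answer above, the following added example (not part of the original article and not Paessler's code) decodes a captured token's claims and checks them against the values from Steps 1.1 to 1.6 and Step 2. The IDs and the sample token are constructed placeholders; which token PRTG evaluates and how it matches the SSO Group Access Claim are not stated on this page, so the checks reflect only Azure AD's v2.0 token format.

```python
import base64
import json

# Constructed placeholder IDs (not real): tenant, client and group object ID.
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT = "22222222-2222-2222-2222-222222222222"
GROUP = "33333333-3333-3333-3333-333333333333"

def make_sample_token(claims):
    """Build a constructed JWT with a dummy signature so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.constructed-signature"

def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, tenant_id, client_id, group_id):
    """Return findings; an empty list means the claims match the article's setup."""
    findings = []
    if claims.get("ver") != "2.0":
        findings.append("ver is not 2.0: check accessTokenAcceptedVersion (Step 1.6)")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        findings.append("iss differs from the Issuer entered in Step 2")
    if claims.get("aud") != client_id:
        findings.append("aud is not the application (client) ID from Step 1.1")
    groups = claims.get("groups")
    if groups is None:
        # Azure AD omits 'groups' and sets '_claim_names' when a user is in too many groups.
        if "groups" in claims.get("_claim_names", {}):
            findings.append("groups overage: token carries no group IDs")
        else:
            findings.append("no groups claim: check the groups claim (Step 1.4)")
    elif group_id.lower() not in (g.lower() for g in groups):
        findings.append("group object ID not in groups claim")
    return findings

if __name__ == "__main__":
    good = make_sample_token({"ver": "2.0", "aud": CLIENT, "groups": [GROUP],
                              "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0"})
    print(check_claims(decode_claims(good), TENANT, CLIENT, GROUP))
```

Because the signature is not verified, use this only to inspect tokens from your own test sign-ins, never to make an access decision.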



Votes:

0

Hello,

thank you, the tutorial worked.

My question: How can I restrict the API to a special group?

I tried it with the object ID but this didn't work.

Created on May 28, 2021 12:18:26 PM by  Rixius (0) 1



Votes:

0

I've followed this and it works fine. To the post above mine: the Object ID does work. I have tested this, and when creating a PRTG SSO Group and inputting the Azure AD Group Object ID into the 'SSO Group Access Claim', when a user from that Group logs into PRTG via SSO, they will join that group.

All good here. Thanks very much for this long awaited feature.

Created on Jun 1, 2021 10:35:51 AM by  AuRiSmith (20)



Votes:

0

Also, can anyone confirm that the current mobile app is SSO/2FA compatible? I am having issues logging in with an SSO based account via cellular with a bad password hash error.

I have raised a case to check on this as well.

Created on Jun 2, 2021 9:54:46 AM by  AuRiSmith (20)



Votes:

1

Does this work in the iOS app yet? I don't see an option for SSO there.

Created on Jun 2, 2021 3:53:24 PM by  Mike Garb (24) 1



Votes:

0

Mobile apps (iOS/Android) currently do not support Azure SSO. They use the classic login and require credentials. We are looking into implementing this in the future; however, there is no ETA for this.


Kind regards,
Sasa Ignjatovic, Tech Support Team

Created on Jun 3, 2021 1:23:22 PM by  Sasa Ignjatovic [Paessler Support]



Votes:

2

@ Sasa Ignjatovic ^^ Please look to do that soon! Many of us use the mobile app on weekends and after hours, and SSO via the app is important functionality to be released.

Created on Jun 4, 2021 2:26:54 AM by  AuRiSmith (20)



Votes:

1

Can we use App Roles or any other form of permissions? I'd like to assign different Azure AD users to different groups in PRTG.

Created on Jun 7, 2021 4:33:02 PM by  dbekker (10)



Votes:

0

This is not possible. There are also currently no plans for this.


Kind regards,
Sasa Ignjatovic, Tech Support Team

Created on Jun 11, 2021 10:05:33 AM by  Sasa Ignjatovic [Paessler Support]



Votes:

0

I'm having a similar issue when attempting to use an Azure group ID to target PRTG groups. I get an SSO logon failure. If I use the API name it works without issue, but doesn't allow me to restrict or target access. Any advice or way to troubleshoot?

Created on Jun 11, 2021 3:10:31 PM by  LWUsername (0)




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.