3. SDH Instance App Registrations
Service Delivery Hub Service Principal/App Registration
The app registration needs at least ‘Contributor’ access, assigned at either the resource group or the subscription level.
Under the ‘Authentication’ tab, a Redirect URI needs to be set for the API sign-in URL:
`https://{sdh-api-url}/signin-oidc`
A client secret needs to be created and entered during Service Delivery Hub instance creation (the ‘Secret’ field under the Active Directory tab in Marketplace).
Under the ‘API permissions’ tab the following permissions need to be added:
| Permission | Type | Description | Needs admin consent |
|---|---|---|---|
| user_impersonation | Delegated | Access Azure Service Management as organization users | No |
| User.Read | Delegated | Sign in and read user profile | No |
| Application.ReadWrite.All | Application | Read and write all applications | Yes |
| Directory.Read.All | Application | Read directory data | Yes |
| Group.ReadWrite.All | Application | Read and write all groups | Yes |
| User.Read.All | Application | Read and write all users' full profiles | Yes |
Under the ‘Expose an API’ tab a scope needs to be created in the following format and then used during Service Delivery Hub instance creation (the ‘Audience’ field under the Active Directory tab in Marketplace):
`{Audience URL/Application ID URI}/user_impersonation`
Using the default Azure format for the ‘Application ID URI’ (`api://` followed by the registration's Application (client) ID), the scope would look like this:
`api://00000000-0000-0000-0000-000000000000/user_impersonation`
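As an added example (not part of the Service Delivery Hub documentation), the following Python check audits an app-registration manifest, in the JSON shape that `az ad app show` returns, against the settings above: HTTPS `/signin-oidc` redirect, the six permissions with their types, which of them need admin consent, and the Audience value derived from the exposed scope. The permission ids, hostnames and the sample manifest are constructed placeholders.

```python
import re

# Resolve permission ids to names; fill this from the resource's service principal, e.g. for
# Microsoft Graph: az ad sp show --id 00000003-0000-0000-c000-000000000000 \
#   --query "{roles:appRoles[].{id:id,value:value},scopes:oauth2PermissionScopes[].{id:id,value:value}}"
# The ids below are constructed placeholders, not real permission ids.
PERMISSION_NAMES = {
    "00000000-0000-0000-0000-00000000000a": "user_impersonation",
    "00000000-0000-0000-0000-00000000000b": "User.Read",
    "00000000-0000-0000-0000-00000000000c": "Application.ReadWrite.All",
    "00000000-0000-0000-0000-00000000000d": "Directory.Read.All",
    "00000000-0000-0000-0000-00000000000e": "Group.ReadWrite.All",
    "00000000-0000-0000-0000-00000000000f": "User.Read.All",
}
# (permission, type) pairs from the table above: "Scope" = Delegated, "Role" = Application.
REQUIRED = {
    ("user_impersonation", "Scope"), ("User.Read", "Scope"),
    ("Application.ReadWrite.All", "Role"), ("Directory.Read.All", "Role"),
    ("Group.ReadWrite.All", "Role"), ("User.Read.All", "Role"),
}
REDIRECT_RE = re.compile(r"^https://[^/]+/signin-oidc$")

def audit(app: dict) -> dict:
    """Audit one app registration (the JSON shape returned by `az ad app show`)."""
    granted = {
        (PERMISSION_NAMES.get(acc["id"], acc["id"]), acc["type"])
        for res in app.get("requiredResourceAccess", [])
        for acc in res.get("resourceAccess", [])
    }
    uris = app.get("identifierUris", [])
    scopes = {s["value"] for s in app.get("api", {}).get("oauth2PermissionScopes", []) if s.get("isEnabled")}
    return {
        "redirect_ok": any(REDIRECT_RE.match(u) for u in app.get("web", {}).get("redirectUris", [])),
        "missing": sorted(REQUIRED - granted),
        # Application permissions are the rows marked "Needs admin consent: Yes" above.
        "admin_consent_required": sorted(name for name, kind in granted if kind == "Role"),
        # Value for the Marketplace 'Audience' field, if the scope has been exposed.
        "audience": f"{uris[0]}/user_impersonation" if uris and "user_impersonation" in scopes else None,
    }

# Constructed sample: plain-http redirect URI, and the Azure Service Management scope is missing.
SAMPLE_APP = {
    "identifierUris": ["api://00000000-0000-0000-0000-000000000000"],
    "web": {"redirectUris": ["http://sdh-api.example/signin-oidc"]},
    "api": {"oauth2PermissionScopes": [{"value": "user_impersonation", "isEnabled": True}]},
    "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [
        {"id": f"00000000-0000-0000-0000-00000000000{c}", "type": t}
        for c, t in [("b", "Scope"), ("c", "Role"), ("d", "Role"), ("e", "Role"), ("f", "Role")]]}],
}
```

Running `audit(SAMPLE_APP)` reports the non-HTTPS redirect, the missing Azure Service Management `user_impersonation` grant, the four application permissions an admin must consent to, and the Audience string to enter in Marketplace.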
Service Delivery Hub Client App Registration
Under the ‘Authentication’ tab, a Redirect URI needs to be set for the Service Delivery Hub client (Angular) app URL.
Under the ‘API permissions’ tab the following permissions need to be added:
| Permission | Type | Description | Needs admin consent |
|---|---|---|---|
| user_impersonation | Delegated | The Service Principal exposed API scope (created in the previous section) | No |
| User.Read | Delegated | Sign in and read user profile | No |