
IdP Setup: Microsoft Entra ID


Before we can use AzureAD for authentication from FileWave, we must create a new application in the Azure Portal and give FileWave access to it.  The whole purpose of this configuration is to give FileWave permissions to talk to your Microsoft Entra ID environment.


This configuration is required if you want to use AzureAD for authentication during device enrollment or during login to the FileWave Web and Native administrator consoles.


The configuration for access is all driven through a Microsoft Entra ID application, so we need to start with:

Part 1: Login to Microsoft Entra ID Portal

First, we'll log in to Microsoft Entra ID with an administrator's account and click on Microsoft Entra ID as shown:


And make note of the domain info shown below:


It is a good idea to take all of these elements and label/paste them into a document you store securely.   Although we'll use them to configure FileWave, you can't access many of them from FileWave once they are stored.

Part 2: Create an App

Now we have to create an app for FileWave to talk to, and assign some rights to it.  First go to the app registrations menu, then click "new registration":


Specify a name for your app that is meaningful to you, and Register the app (we'll set the login URIs later).


Part 3: Add a Platform and URI Addresses

Within the app configuration, we'll choose Authentication, then Add a Platform, of type Web:


And for the web configuration, we'll need to copy some addresses from your FileWave server.  You'll get them from the WebAdmin: Settings, New AzureAD IDP, and then Get URLs, as shown:


Then choose a Microsoft Entra ID IDP Provider:


You can add a name now (or later), but you'll get the URLs from the "Get URLs" button:


So now we'll enter one of the redirects, and click configure:


And then add the other two from here:


Make sure to hit Save at the top after you have entered all three.

Part 4: Cert & Secrets

Now we are going to go to Certificates & Secrets to provide a way for FileWave to authenticate to our new application.  Click on New client secret:


Then we give it a descriptive name:


And then we'll want to get a copy of the Client Secret, and this is the ONLY time you can copy it.


Lastly, we get the Client ID, which you get from the overview page:


Each of the relevant values then gets copied into the FileWave config below:


You'll check the checkbox for "Admin" if you want to be able to use AzureAD for login to the FileWave admin, and "Enrollment" if you want to use it for Apple device enrollment authentication.  Note that multiple IDPs can be used for admin login, but only one for device enrollment.

Part 5: App Permissions

Now we have to give our app permissions to read the directory so that it can pull group information into FileWave for browsing and rights assignment. 

So, we'll go to the App Permissions section and start Adding Permissions


Our permissions are going to be for Microsoft Graph


We'll start with an application permission:


For Group Read All AND User Read All (not shown, but you can pick two at once):


Then we'll add more permissions, this time "delegated permissions" for open id and profile, as shown:


Our permissions then should look like this when we have them all


And then we just need to click Grant Consent to finish with the permissions


When they show as green, we are all done!


Part 6: App Registration Renewal

At some point the Certificate of the App will expire and a new certificate should be generated.

From the App Registration view, expired certificates may be observed


For renewal, click on the Display Name of the App, followed by 'Create a new one ->'


Then generate a 'New client secret' similar to part 4 of this KB.

  • Add a description
  • Copy the Secret ID

This time though, Edit the current IdP in FileWave Anywhere:

  • Open Settings in the FileWave Admin
  • Choose Edit from the selected IdP
  • Paste in the new Client Secret and 'Save'

The old, expired certificate may be deleted from within the Azure portal.
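
To catch the expiry described in Part 6 before logins start failing, the check below reads the client secrets of an app registration and flags any that are expired or close to expiry. It is an added example, not FileWave or Microsoft code: it assumes JSON shaped like the Microsoft Graph application object (its passwordCredentials list), and the sample data, the function names and the 30-day window are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph application object.
# The display names and keyIds are made up for this example.
SAMPLE_APP = json.loads("""
{
  "displayName": "FileWave IdP (example)",
  "passwordCredentials": [
    {"displayName": "filewave-2023", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2024-01-15T09:30:00Z"},
    {"displayName": "filewave-2024", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2024-07-01T00:00:00.1234567Z"},
    {"displayName": "filewave-2025", "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2026-01-15T09:30:00Z"}
  ]
}
""")

def parse_graph_time(value):
    """Parse a UTC timestamp such as 2024-07-01T00:00:00.1234567Z (fraction dropped)."""
    stamp = value.rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def classify_secrets(app, now, warn_days=30):
    """Return (description, keyId, status, days_left) per secret, soonest expiry first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"   # safe to delete once FileWave uses a newer secret
        elif days_left < warn_days:
            status = "renew"     # create a new secret and update the IdP in FileWave
        else:
            status = "ok"
        name = cred.get("displayName") or "(no description)"
        rows.append((name, cred["keyId"], status, days_left))
    return sorted(rows, key=lambda row: row[3])

def needs_action(app, now, warn_days=30):
    """True when no secret remains valid beyond the warning window."""
    return not any(row[2] == "ok" for row in classify_secrets(app, now, warn_days))

if __name__ == "__main__":
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed date so the sample is stable
    for name, key_id, status, days in classify_secrets(SAMPLE_APP, now):
        print(f"{status:8} {days:5d}d  {name}  {key_id}")
    print("action needed:", needs_action(SAMPLE_APP, now))
```

The output lists only descriptions, key IDs and expiry dates, so it can be logged or sent to a monitoring channel without exposing a secret value.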
