Authentication using Azure Active Directory

This SecurityModule uses federated authentication and is tested with an Azure AD using the Azure AD v1.0 endpoint.

Note: There is a newer version of the Azure AD endpoint available (Azure AD v2.0, aka but this method uses the old legacy version (v1.0). For more information, see

Azure AD

To be able to use authentication with Azure AD you need to set up an Active Directory in Azure. Create users and groups, or set up directory synchronization with your on-premises AD.

Create application

To create an application in the Azure AD:

  • Navigate to the Azure portal.
  • Select App registrations and click New application registration.
  • Give it a suitable name, preferably the URL of the ImageVault site.
  • Enter the URL to the ImageVault site as redirect URI.
  • When the application is created you must add an App ID URI. Use the suggested value or enter the URL of the site. There is no need to specify any scopes.

Create an application key

Since ImageVault needs to read information from the AD, we need to create a key that allows it to communicate with the AD. This is done in the Certificates & Secrets tab for the application. Click + New client secret, enter a descriptive name as Description and select a duration. It is recommended that you choose the max duration to minimize administration, since the key needs to be reissued when it expires.

When the key is saved, its value is shown only once, so be sure to copy it and store it before leaving the tab (see its usage below).

Assign permissions

To be able to read information from the Active Directory you need to add the following permissions for the "Windows Azure Active Directory" application. This is done in the API permissions tab.

Note: The current version of the Azure AD connector only uses the legacy Azure Active Directory Graph API, so be sure to select that API when adding permissions.

  • Application Permissions: "Read directory data" -> Azure Active Directory Graph -> Directory -> Directory.Read.All
  • Delegated Permissions: "Sign in and read user profiles" -> Azure Active Directory Graph -> User -> User.Read
  • Delegated Permissions: "Read all users' basic profiles" -> Azure Active Directory Graph -> User -> User.ReadBasic.All
  • Delegated Permissions: "Read all groups" -> Azure Active Directory Graph -> Group -> Group.Read.All
  • Delegated Permissions: "Read directory data" -> Azure Active Directory Graph -> Directory -> Directory.Read.All

    (Bear in mind that it can take a while for the changes to take effect)

Note: Since some of the permissions above require admin permissions, you need to click "Grant permissions" on the required permissions form to complete the assignment.

Automatically add groups to user claims

Normally in Azure AD, the groups that a user is assigned to are not included in the claims received when logging in. To activate this, you need to edit the manifest for the application.

Open the application in Azure AD and click the Manifest tab.

Edit the manifest that opens and set "groupMembershipClaims" to "All" or "SecurityGroup" ("SecurityGroup" will not include distribution lists):

    "groupMembershipClaims": "SecurityGroup",

Save the file by clicking the Save link in the tabs toolbar.

ImageVault UI

To activate Azure AD authentication, the following changes must be made in web.config.


When using Azure AD authentication, the authentication mode must be set to None.

    <authentication mode="None"/>


To use Azure AD with ImageVault, add or modify the connection string named ImageVaultSecurityManager.

    <add name="ImageVaultSecurityManager"

or, if using clientid as wtrealm (also provide LoggedoutUrl):

    <add name="ImageVaultSecurityManager"


Must be ImageVaultSecurityManager for the UI to detect which connection string should be used for the SecurityManager.


Tells ImageVault.UI which SecurityManager it will use (see ISecurityManager for more information).

For Azure AD, use the following providerName: ImageVault.Adal.Providers.AdalSecurityManager,ImageVault.Adal.Providers


This is a key/value string where key and value are separated by an equals sign (=) and each pair is terminated with a semicolon (;).

The possible keys are listed below (keys are case-insensitive).


This is the name of the domain that your Azure directory is connected to. This can be a custom domain or the default domain that Azure assigned to the directory when it was created (like

You can also use the GUID found in the application endpoint list as the tenant.


This is the URL to the application that you entered as App ID URI. You can also use the client id (in that case, also set LoggedoutUrl).


This is the Application ID of the application. It is shown as a GUID when you open the application's tab.


This is the key value that you generated for the application.

Optional connectionString keys

The following configuration options all have default values and only need to be adjusted if you want to change the default behavior.


The URL to the graph resource (the service used for querying the AD). The default is "".


The version of the GraphApi to use. The default is "1.5".


The URL to the AzureAd instance. The default is "".


The local URL that is used for logout. Will be remapped to a federated logout. The default is "/account/logout".


The landing URL to use after a federated logout. The default is "${Wtrealm}/account/loggedout".

Metadata (from v5.15)

The URL to the federation metadata document. The default is "${AADInstance}/${Tenant}/federationmetadata/2007-06/federationmetadata.xml".


If true, the group assignment will be requested from the AD after a login and added to the user. A better approach is to include the group/role claims in the ticket from the beginning, using the automap feature described above. The default is false.


The timeout in minutes for which data retrieved from the AD is cached. The default is 10.


If multiple UIs use the same core but with different user directories, this prefix can be used to guarantee uniqueness between the different ADs.
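As an added example (not ImageVault's own code), the following parser handles the connectionString format described above: `key=value;` pairs with case-insensitive keys, a required-key check, and expansion of the `${Wtrealm}`, `${AADInstance}` and `${Tenant}` placeholders used by the LoggedoutUrl and Metadata defaults. The key names `ClientId`, `ClientKey`, `LogoutUrl` and `CacheTimeout` are assumed for illustration, since only Tenant, Wtrealm, AADInstance, LoggedoutUrl and Metadata are named on this page, and the sample connection string is constructed.

```python
import re
from typing import Dict

# Assumed key names (only Tenant, Wtrealm, AADInstance, LoggedoutUrl and
# Metadata are named on the page); AADInstance is supplied in the sample
# because its product default is not reproduced here.
REQUIRED_KEYS = ("tenant", "wtrealm", "clientid", "clientkey", "aadinstance")
DEFAULTS = {
    "logouturl": "/account/logout",
    "loggedouturl": "${Wtrealm}/account/loggedout",
    "metadata": "${AADInstance}/${Tenant}/federationmetadata/2007-06/federationmetadata.xml",
    "cachetimeout": "10",
}

# Constructed sample; the GUID and secret are placeholders, not real values.
SAMPLE = (
    "Tenant=contoso.onmicrosoft.com;"
    "Wtrealm=https://imagevault.example.test;"
    "ClientId=00000000-0000-0000-0000-000000000000;"
    "ClientKey=abc123==;"            # base64-style secrets may end in '='
    "AADInstance=https://login.example.test;"
)

def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'k=v;k=v;' into a dict keyed by lower-cased key names."""
    settings: Dict[str, str] = {}
    for pair in conn.split(";"):
        pair = pair.strip()
        if not pair:
            continue                      # trailing ';' leaves an empty segment
        if "=" not in pair:
            raise ValueError(f"malformed pair (no '='): {pair!r}")
        key, value = pair.split("=", 1)   # split once so '=' inside the secret survives
        key = key.strip().lower()         # keys are case-insensitive
        if key in settings:
            raise ValueError(f"duplicate key: {key}")  # refuse silent last-wins
        settings[key] = value.strip()
    return settings

def resolve_settings(settings: Dict[str, str]) -> Dict[str, str]:
    """Check required keys, apply defaults, then expand ${Name} placeholders."""
    missing = [k for k in REQUIRED_KEYS if k not in settings]
    if missing:
        raise ValueError("missing required key(s): " + ", ".join(missing))
    resolved = dict(settings)
    for key, default in DEFAULTS.items():
        resolved.setdefault(key, default)
    def expand(value: str) -> str:
        def sub(m: "re.Match[str]") -> str:
            name = m.group(1).lower()     # placeholder names are case-insensitive too
            if name not in resolved:
                raise ValueError(f"placeholder ${{{m.group(1)}}} has no value")
            return resolved[name]
        return re.sub(r"\$\{(\w+)\}", sub, value)
    return {k: expand(v) for k, v in resolved.items()}
```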

Known issues
