Help for Administration

Ready to get started with Callisto? We’re here to help. Browse through our most popular articles or get in touch if you need advice on something more specific to your SCCM environment.

Callisto Help > Setup and user administration > AzureAD Authentication (Callisto as a Service)

AzureAD Authentication (Callisto as a Service)

Callisto as a Service supports authentication using AzureAD credentials using OpenID. To configure this is a three-step process:

  1. Create an App Registration in Azure
  2. Copy App Registration properties
  3. Add App Registration details to Callisto AzureAD Settings tab

Creating the App Registration

Navigate to the Azure Portal and log in with an account that has rights to create App Registrations.

You will add a name for the app registration (for example "Callisto").

In Supported Accounts select "Accounts in this organizational directory only"

REDIRECT URI is used for Microsoft to return the login token to Callisto.
This URI will always be https://{CallistoTenantName} for example

Select Single-Page Application (SPA) from the dropdown list in the Redirect URI section

When you have filled in the required properties click Register.

You will be shown the App Registration overview screen. We need to copy some properties from here.

Copy Application (client) ID and Directory (tenant) ID into a Notepad document.

Now click the Authentication link on the left in the "Manage" section.

Tick both boxes in the Implicit grant for hybrid flows section. This grants the application rights to issue the tokens used by Callisto to validate login.:

Click Certificates and secrets in the Manage menu, then click New client secret.

Name the secret and set an expiry duration, your call on this it just means in x months your login will stop working if you don’t update it.

Now you can copy the Value of your client secret from the highlighted section and add it to your Notepad document:

Finally in the Azure Portal, clock the Authentication tab.

In the Web - Redirect URIs section, click the arrow alongside the warning triangle about migrating URIs and click Configure in the pop out Window.

This completes our work in the Azure Portal.

Adding settings to Callisto

Now log into Callisto with an administrator account and navigate to the Settings menu. Select the AzureAD tab and clear the "Disabled" checkbox.

Now add the details for your Application ID, Client Secret and Directory ID to the relevant boxes and select Save All.

This completes the configuration. The logon screen will now show a Sign in with Microsoft button. You do not need to supply a username or password.

At first logon an administrator will have to confirm that we want to allow the application registration.

User requirements

You should check in the Users area in Callisto that there are no existing user accounts with email addresses that match the AzureAD accounts you are going to have logging in. If you do, you can delete these accounts and they will be recreated on first login by that user.

You will always be able to log in as "Admin" to make configuration changes.

If the AzureAD Account a user logs into Callisto with has a matching on-prem AD Account with the same Email Address set, any RBAC role they have in ConfigMgr for their on-prem AD account will be maintained in Callisto.

For example, if I log in with this AzureAD Account

The On-Prem version of this account has ther AzureAD UPN set as the email property:

So when this user logs in, any security role or scope that is set for them or a group they are in will automatically be applied to their Callisto experience. This is really useful in restricting visibility to only Windows clients, or just one location by setting permissions on the ConfigMgr collections created for those roles.