Register WorkZone apps in Azure
WorkZone Entra ID registration
WorkZone uses the Microsoft identity platform for identity and access management. To set up a trust relationship between WorkZone and the Microsoft identity platform, the WorkZone application must be registered. This app registration is created by KMD during WorkZone installation, and an Enterprise application representing it is created in the customer's Entra ID tenant when the first users access the WorkZone instance.
The WorkZone SharePoint and WorkZone Process modules require additional application registrations. These need to be created by the customer in their Entra ID tenant.
Create a WorkZone Enterprise application
This task must be performed by a user with permission to grant tenant-wide admin consent in Entra ID (that is, at least a Privileged Role Administrator).
To create the WorkZone Enterprise application, open the link provided by the WorkZone consultant. The link redirects you to WorkZone, where you are asked to consent to the permissions that WorkZone requires in Entra ID.
Register the WorkZone Process application
An additional registration is needed to send emails from WorkZone Process. This registration allows interaction with Exchange Online. The permissions it is granted are broad: application permissions on Exchange Online apply to every mailbox in the tenant unless they are restricted, so the application's access must be scoped down to the one mailbox that WorkZone Process uses (see Secure WorkZone Process application registration below).
To create an application registration for WorkZone Process, run the New-KmdWorkZoneExchangeApp.ps1 script.
The script uses the following parameters:
- DisplayName: Display name of the Entra app.
- TenantId: Entra Tenant ID.
- IdentifierUriPrefix: Unique name prefix used for the application registration URI.
- ExchangeOnlineAuthFlow: ClientCredential (recommended) or PublicClient.
Example:
.\New-KmdWorkZoneExchangeApp.ps1 `
-DisplayName 'KMD WorkZone - Production - Exchange' `
-TenantId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX `
-IdentifierUriPrefix 'Production' `
-ExchangeOnlineAuthFlow ClientCredential
See Command line configuration of WorkZone Process for more details.
The script outputs a client (application) identifier, the tenant ID, and a client secret. After running the script:
- Deliver the client (application) identifier, tenant ID, and client secret to KMD. The client secret is a credential: hand it over through a channel agreed with KMD rather than in plain email, and record its expiry date so it can be rotated before it lapses.
- The script also returns the following message: "Permissions for this App requires Admin Consent. Please go to Azure Portal and 'Grant Permission' for this App or go directly to this consent url and log in as an AAD Admin (ignore that the redirect in the end might not work)". Follow the instructions in the message to grant admin consent to the WorkZone Process application.
Secure WorkZone Process application registration
Application access must be limited to the single mailbox used by WorkZone Process by means of an Exchange Online application access policy. For more information, see the Microsoft documentation Limiting application permissions to specific Exchange Online mailboxes. Use the PowerShell script Set-WZPAppRegistrationScope.ps1 to set the access limitation.
The script requires that the PowerShell ExchangeOnlineManagement module is installed. Before you execute the script, you need to connect to Exchange Online by running:
Connect-ExchangeOnline -UserPrincipalName <Exchange administrator account>
The following parameters are required by the script:
- wzpMailbox: The mailbox that the application should have access to.
- wzpAppId: The application (client) ID of the WorkZone Process application registration.
- groupName: Name of the Entra group that manages security for the application registration.
Example:
.\Set-WZPAppRegistrationScope.ps1 `
-wzpMailbox example@yourdomain.com `
-wzpAppId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX `
-groupName "KMD WorkZone Process Production"
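The following is an added example, not KMD's Set-WZPAppRegistrationScope.ps1 and not a description of what that script does internally. It shows the Exchange Online mechanism the section relies on: an application access policy with RestrictAccess that turns the app's tenant-wide mailbox permissions into an allow-list of one mailbox, followed by a positive and a negative check with Test-ApplicationAccessPolicy. The app ID, mailbox addresses and description text are placeholders; it assumes the ExchangeOnlineManagement module (3.x, for Get-ConnectionInformation) and an existing Connect-ExchangeOnline session.

```powershell
# Added example (not the KMD script): restrict the WorkZone Process app registration to one
# mailbox with an Exchange Online application access policy, then verify the restriction.
# All identifiers below are placeholders/assumptions, not values from the WorkZone documentation.
$wzpAppId   = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'   # application (client) ID from New-KmdWorkZoneExchangeApp.ps1
$wzpMailbox = 'workzone-process@yourdomain.com'        # the only mailbox the application may act on
$otherUser  = 'someone.else@yourdomain.com'            # any other mailbox, used as the negative test

# Refuse to continue without a session (Get-ConnectionInformation is part of ExchangeOnlineManagement 3.x).
if (-not (Get-ConnectionInformation)) {
    throw 'Run Connect-ExchangeOnline -UserPrincipalName <Exchange administrator account> first.'
}

# Without a policy, application permissions such as Mail.Send apply to every mailbox in the tenant.
# RestrictAccess makes the policy an allow-list: the app may act only on the recipient(s) in scope.
# PolicyScopeGroupId accepts a user or a mail-enabled security group; a single mailbox is used here.
$existing = @(Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $wzpAppId })
if ($existing.Count -eq 0) {
    New-ApplicationAccessPolicy -AppId $wzpAppId `
        -PolicyScopeGroupId $wzpMailbox `
        -AccessRight RestrictAccess `
        -Description 'KMD WorkZone Process: restrict Exchange Online access to the WorkZone Process mailbox'
} else {
    # Do not stack policies blindly; an existing policy for the app should be reviewed first.
    Write-Host "A policy for $wzpAppId already exists; review it before creating another:"
    $existing | Format-List AppId, ScopeName, AccessRight, Description
}

# Verify from both sides. AccessCheckResult is 'Granted' for the in-scope mailbox and 'Denied'
# for every other recipient; if there were no policy at all, both would report 'Granted'.
$allowed = Test-ApplicationAccessPolicy -Identity $wzpMailbox -AppId $wzpAppId
$denied  = Test-ApplicationAccessPolicy -Identity $otherUser  -AppId $wzpAppId

if ($allowed.AccessCheckResult -ne 'Granted' -or $denied.AccessCheckResult -ne 'Denied') {
    throw "Unexpected result: $wzpMailbox=$($allowed.AccessCheckResult), $otherUser=$($denied.AccessCheckResult)"
}
Write-Host "Application $wzpAppId is limited to $wzpMailbox"
```

The negative test against a mailbox outside the scope is the check worth keeping: a policy that exists but was created with the wrong AppId still lets Test-ApplicationAccessPolicy report Granted everywhere. Microsoft documents that changes to application access policies can take some time (up to about 30 minutes) to take effect, so a Denied result that does not appear immediately after creation should be re-tested rather than treated as a failure.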
Register the WorkZone SharePoint application
Follow these steps to register the WorkZone SharePoint application in Entra ID. This is a prerequisite for using the WorkZone SharePoint module to copy documents from Microsoft SharePoint to WorkZone.
The registration is created with the New-KmdWorkZoneWZSPApp.ps1 script provided by KMD technicians. Run the script with the following parameters:
- DisplayName: Display name of the Entra app. For example, KMD WorkZone - WZSP.
- IdentifierUri: Identifier URI of the Entra app; it is also used to locate the app on updates (script re-runs).
- TenantId: Your Entra Tenant ID.
Example:
.\New-KmdWorkZoneWZSPApp.ps1 `
-DisplayName 'KMD WorkZone - WZSP' `
-IdentifierUri 'api://5d3760f7-9e2f-4bf3-a318-b0ea87f66540/wzsp' `
-TenantId '5d3760f7-9e2f-4bf3-a318-b0ea87f66540'
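Both registrations on this page (the WorkZone Process application created with New-KmdWorkZoneExchangeApp.ps1 and the WorkZone SharePoint application created with New-KmdWorkZoneWZSPApp.ps1) leave the customer with an app registration whose consent state and client secret lifetime are not otherwise visible from the scripts' output. The following is an added example, not a KMD script, that reads back each registration with the Microsoft Graph PowerShell SDK: whether the enterprise application (service principal) exists, which application permissions have actually been admin-consented (these appear as app role assignments on the service principal), which delegated permissions were consented (relevant if ExchangeOnlineAuthFlow was PublicClient), and when each client secret expires. The two app IDs are placeholders; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules and a signed-in user who can read applications.

```powershell
# Added example (not a KMD script): verify the WorkZone Process and WorkZone SharePoint
# app registrations after the KMD scripts have run. App IDs below are placeholders.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

# Application.Read.All is enough to read registrations, service principals and consent records.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$appIds = @(
    'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'   # WorkZone Process (Exchange) application (client) ID (placeholder)
    'YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY'   # WorkZone SharePoint (WZSP) application (client) ID (placeholder)
)

foreach ($appId in $appIds) {
    $app = Get-MgApplication -Filter "appId eq '$appId'"
    if (-not $app) { Write-Warning "No app registration with appId $appId"; continue }
    Write-Host "$($app.DisplayName) ($appId)"
    Write-Host "  Identifier URIs: $($app.IdentifierUris -join ', ')"

    # The enterprise application (service principal) is what receives consent and tokens.
    # It is created when consent is granted; no service principal means consent never happened.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) { Write-Warning "  No service principal: admin consent has not been granted"; continue }

    # Admin-consented application permissions (ClientCredential flow) are app role assignments
    # on the service principal. Resolve each role id to its permission name on the resource API.
    $granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id)
    Write-Host "  Application permissions with admin consent: $($granted.Count)"
    foreach ($g in $granted) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $g.AppRoleId }
        Write-Host "    $($resource.DisplayName): $($role.Value)"   # e.g. Microsoft Graph: Mail.Send
    }

    # Delegated permissions (PublicClient flow) are recorded separately as OAuth2 permission grants;
    # ConsentType 'AllPrincipals' is the tenant-wide admin consent, 'Principal' is per-user consent.
    $delegated = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'")
    foreach ($d in $delegated) {
        Write-Host "  Delegated ($($d.ConsentType)): $($d.Scope)"
    }

    # KMD holds the client secret, but the expiry is visible in the tenant: track it so the secret
    # can be rotated (and the new value delivered to KMD) before WorkZone Process stops working.
    foreach ($cred in $app.PasswordCredentials) {
        $days  = [int]($cred.EndDateTime - (Get-Date)).TotalDays
        $state = if ($days -lt 0) { 'EXPIRED' } elseif ($days -lt 30) { 'expires soon' } else { 'ok' }
        Write-Host "  Secret '$($cred.DisplayName)': expires $($cred.EndDateTime.ToString('yyyy-MM-dd')) ($state, $days days)"
    }
}
```

For the WorkZone Process application the expected output is a Microsoft Graph (or Office 365 Exchange Online) application permission that allows sending mail; if the list of consented application permissions is empty, the consent URL printed by New-KmdWorkZoneExchangeApp.ps1 was not completed and the registration is not yet usable. Seeing the permission listed is also a reminder that it is tenant-wide until the application access policy from the previous section is in place.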