Configure Application Access Control Using Azure AD

MATLAB® Production Server™ administrators can use Microsoft® Azure® AD to restrict access to deployed applications to only certain users or groups of users. To enable application access control, configure Azure AD and specify access control policies, in consultation with the Azure AD administrator.

Register Application in Azure Portal

To use Azure AD for application access control, register a server application and a client application in the Azure portal. These applications are different from the application that you might have registered for dashboard access control. These applications are not related to the applications deployed to MATLAB Production Server or client applications written using the MATLAB Production Server client libraries.

Note

The application registration process is determined by Azure and is subject to change.

Register Server Application in Azure

  1. Sign in to the Azure portal.

  2. From Azure Active Directory, select App registrations and click New registration.

  3. In the resulting pane, enter the name of the application (for example, MATLAB Production Server App) then select Register.

  4. In the application that you registered, select Expose an API.

  5. Click Add a scope, and enter the scope information for your application. Click Add Scope. For more information on adding a scope, see the Microsoft Azure documentation. The following table lists the fields and values that you enter to add a scope.

    Scope name: Enter a name, for example, user_impersonation.
    Who can consent: Select Admin and users.
    Admin consent display name: Enter a name, for example, Access MATLAB Production Server App.
    Admin consent description: Enter a description, for example, Allow the application to access MATLAB Production Server App on behalf of the signed-in user.
    User consent display name: Enter a name, for example, Access MATLAB Production Server App.
    User consent description: Enter a description, for example, Allow the application to access MATLAB Production Server App on behalf of the signed-in user.
    State: Select Enabled.

  6. Click Manifest in the left navigation pane. In the JSON that is displayed, set the value for groupMembershipClaims to "SecurityGroup". Click Save.

Register Client Application in Azure

In the Azure portal, register a client application. The client application helps clients that send requests to the server to generate an access token. You can register the client application as either a native app or a web app. If you register the client application as a native app, users have to log in using a user name and password to generate the access token. If you register the client application as a web app, users have to log in using the browser with single sign-on to generate the access token.

Depending on how your organization's Azure tenant is set up, registering client applications can require higher privileges in Azure.

Register Client Application as Native Client

  1. Sign in to the Azure portal.

  2. From Azure Active Directory, select App registrations and click New registration.

  3. In the pane that opens, enter the following registration information for your application, then click Register.

    Name: Enter a name, for example, MATLAB Production Server Native Client.
    Redirect URI: Select Public client/native (mobile & desktop).

  4. Click Manifest in the left navigation pane. In the JSON, set the value for allowPublicClient to true. Click Save.

  5. Click API permissions and click Add a permission.

  6. In the pane that opens, click APIs my organization uses.

  7. Search for the MATLAB Production Server App server application that you registered earlier. In the pane that opens, select the scope name (for example, user_impersonation) and click Add permissions.

Register Client Application as Web Client

  1. Sign in to the Azure portal.

  2. From Azure Active Directory, select App registrations and click New registration.

  3. In the pane that opens, enter the following registration information for your application, then click Register.

    Name: Enter a name, for example, MATLAB Production Server Web Client.
    Redirect URI: Select Web, and enter a valid redirect URI that your client application will use.

  4. Select Certificates & secrets in the left navigation pane. Under Client secrets, create a new client secret, and save the value of the secret.

  5. Click API permissions, then click Add a permission and select APIs my organization uses.

  6. Search for the MATLAB Production Server App server application that you registered earlier. In the pane that opens, select the scope name, for example, user_impersonation, then click Add permissions.

Configure Identity Provider

After you register the server application and client application in the Azure portal, create a configuration for Azure AD in the Application Access Control tab of the dashboard. Click Create and select Azure AD.

In the Azure portal, find the tenant ID for your organization, and the application ID for the server application that you registered earlier. Enter the tenant ID and application ID in the dashboard under Create Identity Provider for Application Access Control.

  1. Sign in to the Azure portal.

  2. From Azure Active Directory, select Properties. Copy the value from Directory (tenant) ID and paste it into Tenant ID field in the dashboard.

  3. From Azure Active Directory, select App registrations. Select the application used for MATLAB Production Server, for example, MATLAB Production Server App. Copy the value from Application (client) ID and paste it into the Server App ID field in the dashboard.

  4. In the dashboard, click Create. If the server is running on a Windows® virtual machine, saving the values can take up to 30 seconds.

Specify Access Control Policy Rules

Specify the applications that certain user groups can access by defining access control policy rules. To define the rule, click Add Rule under Access Control Policy in the Application Access Control tab of the dashboard. Specify the following values.

Rule ID: Name for the rule.
Description: Description for your rule.
Users: User names set up in Azure AD that are allowed access to deployed applications.
Groups: Object IDs of the groups set up in Azure AD that are allowed access to deployed applications.
Applications: Applications that the specified users and groups can access. To select all applications, select Apply this rule to all applications.
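The following is an added example, not MathWorks code and not how the server itself implements policy evaluation. It shows how rules of the kind described above (users, group object IDs, applications, or "apply to all applications") can be evaluated against the claims of an Azure AD access token. It assumes the token carries the standard preferred_username claim and, because groupMembershipClaims was set to "SecurityGroup", a groups claim holding group object IDs. All rule values, user names and group IDs below are constructed sample data. It also handles one edge case the page does not mention: when a user belongs to more groups than Azure AD will embed in a token, the groups claim is replaced by _claim_names/_claim_sources indirection, and group-based rules cannot be decided from the token alone, so the example fails closed for those rules.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One access control policy rule (field names follow the dashboard table)."""
    rule_id: str
    description: str = ""
    users: frozenset = field(default_factory=frozenset)         # Azure AD user names
    groups: frozenset = field(default_factory=frozenset)        # group object IDs
    applications: frozenset = field(default_factory=frozenset)  # deployed application names
    all_applications: bool = False  # "Apply this rule to all applications"


def has_groups_overage(claims):
    """True when Azure AD omitted the groups claim and points to Graph instead.
    Membership must then be resolved out of band; the token alone cannot prove it."""
    return "groups" not in claims and "groups" in claims.get("_claim_names", {})


def rule_matches_principal(rule, claims):
    # Assumption: user principal names compare case-insensitively.
    user = (claims.get("preferred_username") or "").lower()
    if user in {u.lower() for u in rule.users}:
        return True
    if has_groups_overage(claims):
        return False  # fail closed: group membership is not present in the token
    return bool(set(claims.get("groups", [])) & rule.groups)


def rule_covers_application(rule, application):
    return rule.all_applications or application in rule.applications


def matching_rule_ids(rules, claims, application):
    """IDs of every rule that grants this principal access to this application."""
    return [r.rule_id for r in rules
            if rule_matches_principal(r, claims) and rule_covers_application(r, application)]


def is_allowed(rules, claims, application):
    """Deny by default; any single matching rule grants access (rules only allow)."""
    return bool(matching_rule_ids(rules, claims, application))


# Constructed sample rules (group object ID and names are placeholders).
SAMPLE_RULES = (
    Rule("finance-risk", "Finance group may run the risk model",
         groups=frozenset({"11111111-2222-3333-4444-555555555555"}),
         applications=frozenset({"riskmodel"})),
    Rule("ops-all", "Named operator may run every deployed application",
         users=frozenset({"ops.admin@example.com"}),
         all_applications=True),
)

# Constructed sample token claims (payload fields only, no real tokens).
FINANCE_USER = {"preferred_username": "alice@example.com",
                "groups": ["11111111-2222-3333-4444-555555555555"]}
OPS_USER = {"preferred_username": "Ops.Admin@example.com", "groups": []}
OVERAGE_USER = {"preferred_username": "bob@example.com",
                "_claim_names": {"groups": "src1"},
                "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder"}}}

if __name__ == "__main__":
    for who, claims in (("alice", FINANCE_USER), ("ops", OPS_USER), ("bob", OVERAGE_USER)):
        for app in ("riskmodel", "payroll"):
            print(who, app, matching_rule_ids(SAMPLE_RULES, claims, app))
```

Evaluation is allow-only and deny-by-default, which mirrors the shape of the dashboard rules: there is no deny rule, so the only question is whether at least one rule names the caller (directly or via a group) and covers the requested application.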

Enable Application Access Control

After you configure the identity provider and specify access control policy rules, you must enable application access control by selecting the Yes option in the Application Access Control tab of the dashboard.

Application Access Control tab showing that access control is enabled

Generate Access Token

After application access control is enabled, users who are specified in the access control policy rules can generate a bearer access token. If the registered client application is a native app, log in using a user name and password, or integrated Windows authentication, to generate the access token. If the registered client application is a web app, log in using the browser with single sign-on to generate the access token. You can use the Microsoft identity platform authentication libraries (Microsoft-supported client libraries or compatible client libraries in different programming languages) to generate the access token. For more information, see the Microsoft documentation. Use this access token in the HTTP Authorization header when you make a request to the server using the MATLAB Production Server RESTful API. The format for this header is Authorization: Bearer <access token>.
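The following is an added example of the client side of this step, written with the MSAL library for Python; it is not MathWorks code and not part of the MATLAB Production Server client libraries. It assumes the msal and requests packages are installed, that TENANT_ID, CLIENT_ID and SERVER_APP_ID are replaced with the values from the Azure portal (placeholders here), that the scope exposed by the server application is named user_impersonation, and that the request URL and JSON body shown for the RESTful API are illustrative. Before sending the token it also checks, from the token's unverified payload, that the audience is the server application and that a groups claim is present, which catches the common mistake of requesting a token for the wrong scope; the server, not the client, is the party that must validate the signature.

```python
import base64
import json

TENANT_ID = "<tenant-id>"             # placeholder: Directory (tenant) ID
CLIENT_ID = "<native-client-app-id>"  # placeholder: Application (client) ID of the native client
SERVER_APP_ID = "<server-app-id>"     # placeholder: Application (client) ID of the server app


def server_scope(server_app_id, scope_name="user_impersonation"):
    """Scope string for the API exposed by the server application."""
    return f"api://{server_app_id}/{scope_name}"


def bearer_header(access_token):
    """Authorization header in the format the server expects."""
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("malformed access token")
    return {"Authorization": f"Bearer {access_token}"}


def unverified_claims(token):
    """Decode the JWT payload WITHOUT checking the signature.
    Only for local inspection before sending; never use this to make trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_looks_usable(token, server_app_id):
    """Audience must be the server app, and group IDs must be in the token
    for group-based rules to work (see groupMembershipClaims)."""
    claims = unverified_claims(token)
    aud_ok = claims.get("aud") in (server_app_id, f"api://{server_app_id}")
    return aud_ok and "groups" in claims


def make_unsigned_sample_token(claims):
    """Construct a JWT-shaped sample token with a dummy signature (test data only)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


def acquire_token_native(tenant_id, client_id, server_app_id):
    """Sign in through the browser (or reuse a cached account) and return an access token."""
    import msal  # imported here so the helpers above work without it
    app = msal.PublicClientApplication(
        client_id, authority=f"https://login.microsoftonline.com/{tenant_id}")
    scopes = [server_scope(server_app_id)]
    accounts = app.get_accounts()
    result = app.acquire_token_silent(scopes, account=accounts[0]) if accounts else None
    if not result:
        result = app.acquire_token_interactive(scopes)
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", "token acquisition failed"))
    return result["access_token"]


def call_deployed_function(base_url, archive, function, args, token):
    """POST a synchronous RESTful API request; URL and body shape are illustrative."""
    import requests
    body = {"nargout": 1, "rhs": list(args)}
    resp = requests.post(f"{base_url}/{archive}/{function}", json=body,
                         headers=bearer_header(token), timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    tok = acquire_token_native(TENANT_ID, CLIENT_ID, SERVER_APP_ID)
    if not token_looks_usable(tok, SERVER_APP_ID):
        raise SystemExit("token is not for the server app or lacks a groups claim")
    print(call_deployed_function("https://mps.example.internal:9910", "riskmodel", "score", [42], tok))
```

acquire_token_silent first reuses MSAL's token cache for an already signed-in account, so users are not prompted on every request; acquire_token_interactive is the browser sign-in path. For a web client application, the confidential-client flow with the client secret created in Certificates & secrets is used instead, but the scope, header format and audience check are the same.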