S3 - Create an Entra ID App Registration for CI Sync Agent Authentication


Step 3 - Create an Entra ID App Registration for CI Sync Agent Authentication


Task List

| Task # | Task | Performed by |
|---|---|---|
| 1 | Decide which credential type your organization will use for authentication between the CI Sync Agent and the App Registration that represents the CI Sync Agent | Azure Admin |
| 2 (Option 1) | Create the App Registration object in your AAD using a Client Secret credential and provide details about the App Registration to the SME performing the CI Sync Agent installation | Azure Admin |
| 2 (Option 2) | Create the App Registration object in your AAD using a Certificate credential and provide details about the App Registration to the SME performing the CI Sync Agent installation | Azure Admin |


Guidance Notes
  1. An AAD App Registration object is used to control authentication between the CI Sync Agent (i.e. the CI Sync Agent Windows Service) and your organization’s Azure Active Directory. This ensures your customer specific CI Sync SaaS instance will only accept payloads from a CI Sync Agent that has first authenticated to your organization’s Azure AD.

  2. CI Sync supports the following credential types for authentication between the CI Sync Agent and the App Registration:

    1. Client Secret, or

    2. Certificate

  3. The App Registration created in this section relates to the CI Sync Agent itself (i.e. the Windows Service). This CI Sync Agent App Registration is distinct from any additional App Registrations you may need to create when configuring the CI Sync Agent to read from sources such as Intune and Azure. The steps for creating one or more App Registrations for data sources such as Intune and Azure are described in subsequent sections of this guide.

Informational Note

In AAD an App Registration is used to define a Service Principal that will be used to authenticate the CI Sync Agent when it connects to your customer specific instance of the CI Sync SaaS application.

If you have multiple instances of the same source system (e.g. multiple Lansweeper instances, one for TEST and one for PROD) you will need to create an AAD App Registration for each of the CI Sync Agent instances you have installed.


Task 1: Decide which credential type your organization will use for authentication between the CI Sync Agent and the App Registration that represents the CI Sync Agent

CI Sync supports the following credential types for authentication between the CI Sync Agent and the App Registration:

  • Client Secret, or

  • Certificate

Deciding which credential type to use is an organisational decision (often based on your Cyber Security requirements and/or Azure AD administration requirements).

Two sets of instructions are provided below. The instructions you use will depend on the authentication method you are using. Your options are:

  1. Client Secret Authentication, or

  2. Certificate Based Authentication.


Task 2 (Option 1): Create the App Registration using a Client Secret credential

Follow the instructions below if you are using Client Secret authentication between the CI Sync Agent and your Entra ID.

  1. In the Azure Portal, navigate to Azure Active Directory -> App Registrations and click New Registration

Guidance Notes

Syncfish recommend using the name “Syncfish - CI Sync – Agent”.

If you use another name, then it is highly recommended to include “Agent” in the name to help distinguish this registration from the CI Sync SaaS application Enterprise App registration as AAD will show both in the same list on some forms.


  2. On the Register an application form complete as follows:

    1. Enter the Name

    2. Under Supported account types select “Accounts in this organizational directory only ({Your Domain/Tenant Name} only - Single tenant)”

    3. Click Register

  3. Navigate to API permissions and click Add Permission

  4. Navigate to APIs my organization uses and search for Syncfish, and then select the Syncfish - CI Sync entry.

In the list you are selecting the CI Sync Enterprise Application that was enrolled during S2 - Enrol CI Sync SaaS to your Entra ID.


  5. Select the “Application permissions” button

  6. Tick the checkbox for sf.cs.en.agent Agent and click the Add permissions button

  7. Back on the main screen for “API permissions”, click the button to “Grant admin consent for {Your Domain/Tenant Name}”

  8. Click Yes to confirm

  9. Using the left-hand menu, navigate to and select Certificates & secrets. Select “Client secrets (0)” in the middle of the form.

  10. Click the “New client secret” button.

  11. Enter a unique Description for the secret associated with the CI Sync Agent App Registration.

  12. Then, select a suitable Expires duration based on your organisational policy. Finally click the Add button.

It is recommended you set a reminder prior to the expiry date of the Secret (i.e. a reminder to regenerate and update the Secret in the CI Sync Agent configuration). The use of the secret will be clearer once you have read the section on “Install the CI Sync Agent”.

The steps to regenerate the secret and update the secret in the CI Sync Agent are explained in the Syncfish Knowledge Base Article How-to - Update an Expired Client Secret for the App Registration that represents the CI Sync Agent.


  13. The form now displays the generated secret value (shown in the Value field).

    1. Use the copy option to make a copy of the value in the Value field.

Data Capture Note

  1. The Value is only available while you remain on this screen. You must make a copy of the Value before leaving this form.

  2. Make sure you copy the “Value” and NOT the “Secret ID”.

Make sure the secret is stored securely and in a way that can be shared with the CI Sync Admin so they can use it when they follow the instructions later on during S5 - Register the Multi-Source Agent & Setup Source Connections.

  14. Return to the Overview page for the App Registration.

    1. Use the copy option to make a copy of the “Application (client) ID” value.

Data Capture Summary

As a reminder, you should have captured the following information when completing the above steps.

  1. The Secret Value (from Step 13 above). This is the Client Secret value.

  2. The Application (client) ID (from Step 14 directly above).

  3. The Directory (tenant) ID (also from Step 14 directly above).

Make sure the secret is stored securely and in a way that can be shared with the CI Sync Admin so they can use it when they follow the instructions later on during S5 - Register the Multi-Source Agent & Setup Source Connections.
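
The expiry reminder recommended in the steps above can be backed by a periodic check. The following is an added example, not part of the original guide or Syncfish's own code: it reads an App Registration's credentials in the shape Microsoft Graph returns for an application object (`passwordCredentials` for client secrets, `keyCredentials` for certificates, so it goes beyond Option 1 and also covers Option 2) and flags any that are expired or inside a warning window. The sample data, descriptions and the 30-day threshold are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph application object.
# Descriptions and dates are made up for this example.
SAMPLE_APP = json.loads("""
{
  "displayName": "Syncfish - CI Sync - Agent",
  "passwordCredentials": [
    {"displayName": "agent-secret-2025", "endDateTime": "2025-12-31T23:59:59.1234567Z"},
    {"displayName": "agent-secret-2026", "endDateTime": "2026-03-01T00:00:00Z"}
  ],
  "keyCredentials": [
    {"displayName": "CN=ci-sync-agent", "endDateTime": "2027-01-15T00:00:00Z"}
  ]
}
""")


def parse_graph_time(value):
    """Parse a Graph UTC timestamp; drops fractional seconds, which may have 7 digits."""
    stamp = value.rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def credential_expiry_report(app, now, warn_days=30):
    """Return (kind, name, days_left, status) for every secret and certificate, soonest first."""
    report = []
    for kind, field in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
        for cred in app.get(field) or []:
            days_left = (parse_graph_time(cred["endDateTime"]) - now).days
            if days_left < 0:
                status = "EXPIRED"
            elif days_left <= warn_days:
                status = "RENEW SOON"
            else:
                status = "OK"
            report.append((kind, cred.get("displayName") or "(no description)", days_left, status))
    return sorted(report, key=lambda row: row[2])


if __name__ == "__main__":
    for row in credential_expiry_report(SAMPLE_APP, datetime.now(timezone.utc)):
        print("%-11s %-20s %5d days  %s" % row)
```

The report contains only descriptions and dates, never secret values, so its output can be sent to a ticketing or alerting channel.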


At this point Task 2 (Option 1) is complete. Please proceed to the following steps (both are typically performed by an Infrastructure SME):

  1. S4 - Install the On-Prem Multi-Source Agent, and then

  2. S5 - Register the Multi-Source Agent & Setup Source Connections.


Task 2 (Option 2): Create the App Registration using a Certificate credential

Follow the instructions below if you are using Certificate Based authentication between the CI Sync Agent and your Entra ID.

  1. In the Azure Portal, navigate to Azure Active Directory -> App Registrations and click New Registration

Syncfish recommend using the name “Syncfish - CI Sync – Agent”.

If you use another name, then it is highly recommended to include “Agent” in the name to help distinguish this registration from the CI Sync SaaS application Enterprise Application registration as AAD will show both in the same list on some forms.


  2. On the Register an application form complete as follows:

    1. Enter the Name

    2. Under Supported account types select “Accounts in this organizational directory only ({Your Domain/Tenant Name} only - Single tenant)”

    3. Click Register

  3. Navigate to API permissions and click Add Permission

  4. Navigate to APIs my organization uses and search for Syncfish, and then select the Syncfish - CI Sync entry.

Guidance Note

In the list you are selecting the CI Sync Enterprise Application that was enrolled during S2 - Enrol CI Sync SaaS to your Entra ID earlier in this guide.

  5. Select the “Application permissions” button

  6. Tick the checkbox for sf.cs.en.agent Agent and click the Add permissions button

  7. Back on the main screen for “API permissions”, click the button to “Grant admin consent for {Your Domain/Tenant Name}”

  8. Click Yes to confirm

  9. Using the left-hand menu, navigate to and select Certificates & secrets. Select “Certificates (0)” in the middle of the form.

  10. Click the “Upload certificate” button. Then use the file uploader to import the certificate (public key) file in one of the supported formats. Enter a description and then select the Add button

  11. The certificate should now be displayed in the Certificates list for this App Registration.

  12. Return to the Overview page for the App Registration.

    1. Use the copy option to make a copy of the “Application (client) ID” value.

Data Capture Summary

As a reminder, you should have captured the following information when completing the above steps.

  1. The Application (client) ID (from Step 12 directly above).

  2. The Directory (tenant) ID (also from Step 12 directly above).

Make sure the secret is stored securely and in a way that can be shared with the CI Sync Admin so they can use it when they follow the instructions later on during S5 - Register the Multi-Source Agent & Setup Source Connections.


At this point Task 2 (Option 2) is complete. Please proceed to the following steps (both are typically performed by an Infrastructure SME):

  1. S4 - Install the On-Prem Multi-Source Agent, and then

  2. S5 - Register the Multi-Source Agent & Setup Source Connections.
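
The API permission and admin consent steps in either option can be checked by inspecting the claims of a test access token issued to this App Registration. This is an added example, not from the original guide: the tokens and IDs are constructed, the claim names (`tid`, `appid`/`azp`, `roles`, `scp`) are the standard Entra ID ones, and the signature is deliberately not verified, so it is a configuration check only and not token validation.

```python
import base64
import json

REQUIRED_ROLE = "sf.cs.en.agent"  # application permission named in this guide


def decode_claims(jwt_token):
    """Return the payload claims of a JWT WITHOUT verifying its signature (diagnostic only)."""
    parts = jwt_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_agent_token(claims, tenant_id, client_id):
    """Return a list of problems; an empty list means the claims match the registration."""
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID")
    # v1.0 tokens carry the client ID in 'appid', v2.0 tokens in 'azp'
    if (claims.get("appid") or claims.get("azp")) != client_id:
        problems.append("appid/azp does not match the Application (client) ID")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append("roles lacks " + REQUIRED_ROLE + " (permission not added or admin consent not granted)")
    if "scp" in claims:
        problems.append("scp present: this is a delegated (user) token, not an app-only token")
    return problems


def _make_token(claims):
    """Build an unsigned sample token for the demo (constructed, not issued by Entra ID)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed-signature"])


# Constructed placeholder IDs; substitute the values from your Data Capture Summary.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"
GOOD = _make_token({"tid": TENANT, "azp": CLIENT, "roles": [REQUIRED_ROLE]})
NO_CONSENT = _make_token({"tid": TENANT, "azp": CLIENT})

if __name__ == "__main__":
    for name, tok in (("consented", GOOD), ("no consent", NO_CONSENT)):
        print(name, check_agent_token(decode_claims(tok), TENANT, CLIENT) or "OK")
```

Treat any real token pasted into such a check as a credential for its remaining lifetime and keep it out of logs and tickets.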