Working with Azure AD / Microsoft Entra Identity
- Last Updated: Jul 01, 2025
- Engineering
- Integration Service 3.2
- Integrators
Integrating AVEVA Integration Service with a Microsoft Entra Identity environment involves three key aspects:
- Installation and configuration of AIS
- Communication with the AIS Data API
- AIS communication with back-end data sources
While AIS can be installed in a Microsoft Entra Identity environment, the local AIS Data API only supports NTLM authentication, with no current plans for Entra Identity support. Therefore, users requiring Entra Identity integration must use a hybrid installation - a combination of AIS with AIS on CONNECT.
AIS continues to use standard Active Directory (Windows Authentication) to access back-end data sources. Examples include:
- Communication with SQL Server using Windows Authentication
- Accessing AVEVA ERM on-premises systems using NTLM authentication
Using AVEVA Integration Service in a Microsoft Entra Identity Environment
AVEVA Integration Service works only with standard Active Directory. Microsoft Entra Identity/Azure Active Directory is not fully supported. However, AVEVA Integration Service can be run in this environment with some limitations.
To run AVEVA Integration Service in a Microsoft Entra Identity/Azure Active Directory enabled environment, follow these steps.
- Prerequisites: User Account Setup Before Installation
  Before installing AVEVA Integration Service 3.2, ensure the following user setup steps are completed on the AVEVA Integration Service (AIS) server:
  - Create a local user account on the AIS server.
  - Add this user to the following groups:
    - Local Administrators group
    - AISAdministrators group
  Important: Restart the AIS server after adding the user to these groups to apply the changes.
- Installation and Configuration
  - Run the AVEVA Integration Service 3.2 installer using the above local user account.
  - Use the same user account during the configuration process.
  You can later switch the AIS runtime identity to an Azure AD-based Identity Pool user by following the steps outlined below.
- The AVEVA Integration Service WCF API interface (Windows service) cannot be run as an Azure Active Directory user. This is a limitation of the Windows service.
  - Alternatively, you can run the AVEVA Integration Service WCF API interface (Windows service) as a local user.
  - The local user you want to use must:
    - Be part of the Local Administrators group on the AIS server
    - Be part of the "AISAdministrators" group
    - Have the "Log on as a service" permission
  - Ask your IT team to create a local user name for AIS on the AIS server.
  - Use this user to run the AVEVA Integration Service WCF API interface (Windows service) and the AVEVA Notification Service WCF API interface (Windows service).
- The AVEVA Integration Service Web APIs hosted in IIS (IntegrationServiceConfigAPI, IntegrationServiceDataAPI, IntegrationServiceRESTAPI, IntegrationServiceWebAdmin) can be run as a Microsoft Entra Identity/Azure Active Directory user.
  - The Microsoft Entra Identity/Azure Active Directory user you want to use must:
    - Be part of the Local Administrators group on the AIS server
    - Be part of the "AISAdministrators" group
  - You cannot add the Microsoft Entra Identity/Azure Active Directory user directly; add it with the following PowerShell command instead:
    ```powershell
    net localgroup AISAdministrators AzureAD\firstname.lastname@example.com /add
    ```
  - Run the application pool identities (AISConfigPool, AISDataAPIPool, AISWebAdminPool, and RESTAPIPOOL) as the Azure AD user. Use the following PowerShell script:
```powershell
Import-Module WebAdministration
Get-PSDrive   # lists the available drives; the IIS: drive is used below

$IntegrationServiceConfigAPIWebSite = 'IntegrationServiceConfigAPI'
$IntegrationServiceDataAPIWebSite   = 'IntegrationServiceDataAPI'
$IntegrationServiceRESTAPIWebSite   = 'IntegrationServiceRESTAPI'
$IntegrationServiceWebAdminWebSite  = 'IntegrationServiceWebAdmin'

## Section -- UserCredentialsSetToWebSiteAndAppPools - Begin
## Note: The snippet below sets the credentials of a user who has full access to the desired folder/UNC path.
# Set each flag to $true or $false to choose which API receives the credentials.
# The step above names all four pools, so all four are enabled here.
$SetConfigAPIPool   = $true
$SetDataAPIAPIPool  = $true
$SetRESTAPIPool     = $true
$SetWebAdminAPIPool = $true

# Message box helper. Defined before the validation code that calls it,
# because PowerShell resolves function names at run time.
function popUp($text, $title) {
    $a = New-Object -ComObject wscript.shell
    $b = $a.popup($text, 0, $title, 0)
}

# Build the credential prompt.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

$form = New-Object System.Windows.Forms.Form
$form.Text = 'User credentials'
$form.Size = New-Object System.Drawing.Size(300,200)
$form.StartPosition = 'CenterScreen'

$okButton = New-Object System.Windows.Forms.Button
$okButton.Location = New-Object System.Drawing.Point(75,120)
$okButton.Size = New-Object System.Drawing.Size(75,23)
$okButton.Text = 'OK'
$okButton.DialogResult = [System.Windows.Forms.DialogResult]::OK
$form.AcceptButton = $okButton
$form.Controls.Add($okButton)

$cancelButton = New-Object System.Windows.Forms.Button
$cancelButton.Location = New-Object System.Drawing.Point(150,120)
$cancelButton.Size = New-Object System.Drawing.Size(75,23)
$cancelButton.Text = 'Cancel'
$cancelButton.DialogResult = [System.Windows.Forms.DialogResult]::Cancel
$form.CancelButton = $cancelButton
$form.Controls.Add($cancelButton)

$label = New-Object System.Windows.Forms.Label
$label.Location = New-Object System.Drawing.Point(10,20)
$label.Size = New-Object System.Drawing.Size(280,20)
$label.Text = 'User name:(Ex: DOMAINName\UserName)'
$form.Controls.Add($label)

$userNameTextBox = New-Object System.Windows.Forms.TextBox
$userNameTextBox.Location = New-Object System.Drawing.Point(10,40)
$userNameTextBox.Size = New-Object System.Drawing.Size(260,20)
$form.Controls.Add($userNameTextBox)

$label = New-Object System.Windows.Forms.Label
$label.Location = New-Object System.Drawing.Point(10,70)
$label.Size = New-Object System.Drawing.Size(280,20)
$label.Text = 'Password:'
$form.Controls.Add($label)

$passwordTextBox = New-Object System.Windows.Forms.TextBox
$passwordTextBox.Location = New-Object System.Drawing.Point(10,90)
$passwordTextBox.Size = New-Object System.Drawing.Size(260,20)
$passwordTextBox.PasswordChar = "*"
$form.Controls.Add($passwordTextBox)

$form.Topmost = $true
$form.Add_Shown({$userNameTextBox.Select()})
$result = $form.ShowDialog()

$userNameText = $userNameTextBox.Text
$passwordText = $passwordTextBox.Text

# Validate the input. Credentials are applied only when OK was pressed
# and both fields are filled in.
$credentialsOk = $false
if ($result -eq [System.Windows.Forms.DialogResult]::OK)
{
    if ($userNameText -eq "" -and $passwordText -eq "")
    {
        popUp "User Name and Password should not be empty" "User credentials"
    }
    elseif ($userNameText -eq "")
    {
        popUp "User Name should not be empty" "User credentials"
    }
    elseif ($passwordText -eq "")
    {
        popUp "Password should not be empty" "User credentials"
    }
    else
    {
        $credentialsOk = $true
    }
}
if (-not $credentialsOk)
{
    # Dialog cancelled or input incomplete: leave every pool unchanged.
    $SetRESTAPIPool     = $false
    $SetConfigAPIPool   = $false
    $SetDataAPIAPIPool  = $false
    $SetWebAdminAPIPool = $false
}

## Title: Setting up user credentials for AISConfigPool, AISDataAPIPool, AISWebAdminPool and RESTAPIPOOL
## Note: identitytype=3 selects a specific user account as the pool identity.
##       The site name is quoted inside each XPath filter so that it is compared as a string.

# Title: Setting up user name and password for IntegrationServiceWebAdmin
if ($SetWebAdminAPIPool)
{
    Set-ItemProperty IIS:\apppools\AISWebAdminPool -name processModel -value @{userName=$userNameText;password=$passwordText;identitytype=3}
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter `
        "system.applicationHost/sites/site[@name='$IntegrationServiceWebAdminWebSite']/application[@path='/']/virtualDirectory[@path='/']" `
        -name "userName" -value $userNameText
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter `
        "system.applicationHost/sites/site[@name='$IntegrationServiceWebAdminWebSite']/application[@path='/']/virtualDirectory[@path='/']" `
        -name "password" -value $passwordText
}

# Title: Setting up user name and password for IntegrationServiceRESTAPI
if ($SetRESTAPIPool)
{
    Set-ItemProperty IIS:\apppools\RESTAPIPOOL -name processModel -value @{userName=$userNameText;password=$passwordText;identitytype=3}
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter `
        "system.applicationHost/sites/site[@name='$IntegrationServiceRESTAPIWebSite']/application[@path='/']/virtualDirectory[@path='/']" `
        -name "userName" -value $userNameText
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter `
        "system.applicationHost/sites/site[@name='$IntegrationServiceRESTAPIWebSite']/application[@path='/']/virtualDirectory[@path='/']" `
        -name "password" -value $passwordText
}

# Title: Setting up user name and password for IntegrationServiceConfigAPI
if ($SetConfigAPIPool)
{
    Set-ItemProperty IIS:\apppools\AISConfigPool -name processModel -value @{userName=$userNameText;password=$passwordText;identitytype=3}
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter `
        "system.applicationHost/sites/site[@name='$IntegrationServiceConfigAPIWebSite']/application[@path='/']/virtualDirectory[@path='/']" `
        -name "userName" -value $userNameText
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter `
        "system.applicationHost/sites/site[@name='$IntegrationServiceConfigAPIWebSite']/application[@path='/']/virtualDirectory[@path='/']" `
        -name "password" -value $passwordText
}

# Title: Setting up user name and password for IntegrationServiceDataAPI
if ($SetDataAPIAPIPool)
{
    Set-ItemProperty IIS:\apppools\AISDataAPIPool -name processModel -value @{userName=$userNameText;password=$passwordText;identitytype=3}
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter `
        "system.applicationHost/sites/site[@name='$IntegrationServiceDataAPIWebSite']/application[@path='/']/virtualDirectory[@path='/']" `
        -name "userName" -value $userNameText
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter `
        "system.applicationHost/sites/site[@name='$IntegrationServiceDataAPIWebSite']/application[@path='/']/virtualDirectory[@path='/']" `
        -name "password" -value $passwordText
}
## Section -- UserCredentialsSetToWebSiteAndAppPools - End
```
- If you are using the AVEVA Integration Service WCF API interface (Windows service) for integration, after the above setup is complete, use the AVEVA Integration Service Settings Editor to configure the DatasourceStore URL, Data Store URL, REST URL, and WebAdminURL, and then start the AIS Windows service.
- If you are using the AVEVA Integration Service Data API RESTful interface for integration, you cannot use the local AVEVA Integration Service Data API RESTful interface in a Microsoft Entra Identity/Azure Active Directory environment. You must use the AVEVA Integration Service Data API RESTful interface on CONNECT for integration. To set up or use AVEVA Integration Service on CONNECT with AVEVA Integration Service Local.
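
A read-back check for the application pool and group steps above, written as an added example that is not part of the AVEVA documentation: it confirms that each of the four pools runs as the intended account and that the account is listed in both local groups. The function names, `$ExpectedUser` and `$GroupMemberName` are assumptions introduced for this example; set `$GroupMemberName` to the account name exactly as `net localgroup` prints it on your server.

```powershell
# Added example (not AVEVA code): verify the IIS pool identities and local
# group membership after running the configuration steps on this page.
Import-Module WebAdministration

# Placeholders (assumptions): replace with the account you configured.
$ExpectedUser    = 'AzureAD\firstname.lastname@example.com'  # as typed into the credential prompt
$GroupMemberName = 'AzureAD\FirstnameLastname'               # as net localgroup lists it on this server
$Pools  = 'AISConfigPool', 'AISDataAPIPool', 'AISWebAdminPool', 'RESTAPIPOOL'
$Groups = 'Administrators', 'AISAdministrators'              # 'Administrators' is the English group name

function Test-AisPoolIdentity {
    param([string]$PoolName, [string]$User)
    $path = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Check = "Pool $PoolName"; Ok = $false; Detail = 'pool not found' }
    }
    $pm = (Get-Item $path).processModel
    # The page's script sets identitytype=3, which IIS reports as SpecificUser.
    $ok = ("$($pm.identityType)" -eq 'SpecificUser') -and ($pm.userName -eq $User)
    [pscustomobject]@{ Check = "Pool $PoolName"; Ok = $ok; Detail = "$($pm.identityType) / $($pm.userName)" }
}

function Test-AisGroupMember {
    param([string]$Group, [string]$Member)
    # net localgroup prints one member per line; compare whole lines so that a
    # longer account name that merely contains $Member does not pass.
    $lines = net localgroup $Group 2>$null
    $ok = [bool](@($lines) | Where-Object { "$_".Trim() -eq $Member })
    $detail = 'not listed'
    if ($ok) { $detail = 'member' }
    [pscustomobject]@{ Check = "Group $Group"; Ok = $ok; Detail = $detail }
}

$results  = @($Pools  | ForEach-Object { Test-AisPoolIdentity -PoolName $_ -User $ExpectedUser })
$results += @($Groups | ForEach-Object { Test-AisGroupMember -Group $_ -Member $GroupMemberName })
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'At least one pool identity or group membership does not match the expected account.'
}
```

Run it in an elevated PowerShell session on the AIS server; a pool that still reports ApplicationPoolIdentity means the credential script skipped it or was cancelled.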