
Integration via Microsoft Entra Application Proxy

Written by Marigona Kelmendi
Updated this week

To access iManage from an external application (Office & Dragons) via Entra Application Proxy, you configure an enterprise application in Entra ID that utilizes the Application Proxy service. This involves specifying the internal URL of your iManage server and an external URL for O&D to access from outside the network. Entra Application Proxy acts as a secure intermediary.

Requirements:

  • iManage version 10.3 and above installed on premises or in a private cloud (single-tenant instance in iManage cloud).

  • Microsoft Entra Application Proxy connector installed on your iManage instance.

  • Microsoft Entra Application Proxy set up and configured in your Azure Cloud.

    Note the following:

  • The Microsoft Entra ID registered tenant domain must match the domain associated with the on-premises iManage server.

  • Microsoft Entra Application Proxy connector must be deployed within the same network as the iManage server.

  • An SSL wildcard certificate is required to configure Microsoft Entra Application Proxy.

Install Microsoft Entra Application Proxy Connector

To install the Microsoft Entra Application Proxy connector on iManage, you first download the connector from the Microsoft Entra admin center and then install it on a Windows Server (2016 or later) that has access to your iManage server.

Note: The server must be able to reach Azure endpoints over HTTPS, so your network/firewall must allow outbound connections to Azure on port 443.

  1. In the Microsoft Entra admin center, select Enterprise applications.

  2. Select New application. The Browse Microsoft Entra Gallery page is displayed.

  3. Select Add an on-premises application.

  4. Scroll down to the information message and select the link.

  5. In the Private Network connectors page, select Download connector service and follow the Microsoft instructions for installation.

Set up Microsoft Entra Application Proxy in Azure Cloud

In this step, you add an enterprise application that utilizes the Application Proxy service to your Microsoft Entra tenant. All requests from Litera Office and Dragons will be to this proxy application which will then forward the requests to iManage.

Tip: If you have multiple instances of iManage, you’ll need to create a new enterprise application for each.

To create a new enterprise application, you’ll need a Cloud Application Administrator or Application Administrator role.

  1. In the Microsoft Entra admin center, select Enterprise applications.

  2. Select New application. The Browse Microsoft Entra Gallery page is displayed.

  3. Select Add an on-premises application.

  4. In the Basic tab, enter the following:

    1. Name: A name for the proxy application, for example, “Office and Dragons-iManageProxy”.

    2. Internal Url: The internal URL of your iManage server (on-prem DNS FQDN).

    3. External Url: Build the URL for the proxy application (external FQDN). This is the URL you will add to the Litera Office and Dragons configuration.

    Note: You must use the same internal and external domain name that matches the wild-card certificate on the Application Proxy server.

  5. Navigate to your external DNS configuration page and configure a CNAME to point the external FQDN to the address provided by Microsoft Entra Application Proxy ending in “msappproxy.net”.

  6. Select Microsoft Entra ID as the Pre Authentication. This ensures that every request Litera Office and Dragons makes to the iManage server is passed through the Azure App Proxy connector.

  7. From the Connector Group dropdown, select the connector group specified during the installation of the Microsoft Entra Application Proxy connector.

    Note: If a connector group name is not specified during installation, the connector is added to the default group.

    Tip: Assign a connector to a connector group to align with the intended application mapping.

  8. Select the Advanced tab and set the options as follows:

    1. Backend Application Timeout: Default

    2. Use Http-Only Cookie: Not selected

    3. User Persistent Cookie: Not selected

    4. Translate Urls in headers: Not selected

    5. Translate Urls in application body: Not selected

    6. Validate Backend SSL certificate: Selected

  9. Select Create.

  10. Once created, navigate to the newly created proxy application and select Application Proxy in the left panel to upload the wildcard domain certificate. The SSL certificate must be monitored and managed according to the IT team’s existing SSL management procedures.

  11. Open the newly created proxy application and select Properties in the left panel.

  12. Configure the options as follows:

    1. Assignment required: No

    2. Visible to users: No

  13. Open the Single sign-on in the left panel and verify that the method is set as Disabled.
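The hostname rules in steps 4 and 5 can be checked before the application is created. The following is an added example, not part of the original article or of any Microsoft or Litera tooling; all hostnames are constructed placeholders, and the inputs are assumed to be the names on your wildcard certificate and the CNAME target your external DNS returns.

```python
# Pre-flight checks for the proxy hostnames (sample values are constructed).

def wildcard_covers(cert_name, host):
    """True if a certificate name (exact or '*.domain') covers host.

    A wildcard stands for exactly one left-most DNS label, so
    '*.example.com' covers 'imanage.example.com' but neither
    'example.com' nor 'dms.corp.example.com'.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Reject over-broad names such as '*.com'.
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def cname_targets_app_proxy(cname_target):
    """True if the CNAME target is a host under msappproxy.net."""
    # The leading dot stops look-alikes such as 'evil-msappproxy.net'.
    return cname_target.lower().rstrip(".").endswith(".msappproxy.net")


def preflight(internal_host, external_host, cert_names, cname_target):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for role, host in (("internal", internal_host), ("external", external_host)):
        if not any(wildcard_covers(name, host) for name in cert_names):
            findings.append(f"{role} host {host} is not covered by {cert_names}")
    if not cname_targets_app_proxy(cname_target):
        findings.append(f"CNAME target {cname_target} is not under msappproxy.net")
    return findings
```

A host one level deeper than the wildcard (for example `dms.corp.example.com` against `*.example.com`) is the usual reason backend certificate validation fails after setup.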

Configure App Registration for Microsoft Entra Application Proxy

In this step, you set up the app registration for the newly created proxy application.

  1. In the Microsoft Entra admin center, select App registration.

  2. Select the All application view and search for the proxy application created in the previous section.

  3. Select Authentication in the left panel and verify the Web Redirect URIs match the external FQDN of the iManage URL.

  4. Configure the Front-channel logout URL to match the FQDN value as well.

  5. Under Implicit grant and hybrid flows, select both Access tokens and ID tokens.

  6. Select Certificates and Secrets in the left panel then select the Client secrets tab.

  7. Create a new secret.

    1. Select New client secret.

    2. Enter a description and an expiration date. We recommend a 24 month expiry or whatever aligns to your internal corporate policy. Since the client secret is used in the configuration in Litera Office and Dragons, you will need to update that configuration with the new client secret once it expires.

    3. Select Add.

    Note: Save the client secret in a secure location as you will add it to the Litera Office and Dragons configuration.

  8. Select API permissions in the left panel. You need to add the following control permissions: User.Read to access user profile information from Microsoft Entra via Microsoft Graph, and User.Impersonation to access or impersonate users in a custom enterprise application.

  9. Add User.Read:

    1. Select Add a permission.

    2. Select Microsoft Graph.

    3. Select Delegated permissions.

    4. Enter user.read.

    5. Select Add permissions.

  10. Add User.Impersonation:

    1. Select Add a permission.

    2. Select APIs my organization uses.

    3. Select the name of the proxy application created previously.

    4. Select Delegated permissions.

    5. Enter user.impersonation.

    6. Select Add permissions.

  11. Once completed, the configured API permissions must be granted admin consent and listed under Configured permissions.

  12. Select Expose an API in the left panel. Here, you’ll add scopes for the API permissions added above.

  13. Verify that the Application ID URI is the external FQDN.

  14. Select Add a scope, and enter the following:

    1. In Scope name, enter user_impersonation.

    2. In Who can consent?, select Admins only.

    3. In Admin consent display name, enter what the scope will be called in the consent screen when admins consent to this scope. For example, “Access Office and Dragons-iManage-Proxy”.

    4. Enter details in Admin consent description, User consent display name, and User consent description.

  15. Select Add scope.

  16. Repeat the above steps to add a scope for user_read.

  17. In the Authorized Client Application section, select Add a client application.

  18. In Client ID, copy and paste the application (client) ID for the proxy application, and select the authorized scopes for the client ID.

    Tip: You can find the application (client) ID by selecting Overview in the left panel.

  19. Select App roles and verify the options match the image below.
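Once the registration is complete, its settings can be re-checked from an export of the Microsoft Graph application object (for example the JSON returned by GET /applications/{id}). The following is an added example, not part of the original article or of any Microsoft or Litera tooling; the 60-day warning window and the sample hostnames, names and dates are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url or "").hostname or "").lower()

def audit_app_registration(app, external_fqdn, now, warn_days=60):
    """Return findings for a Graph application object (dict); [] means OK."""
    fqdn, web, findings = external_fqdn.lower(), app.get("web", {}), []
    # Compare parsed hostnames, not string prefixes: a prefix test would
    # accept https://imanage.example.com.other.test/ as a match.
    redirects = web.get("redirectUris", [])
    if not redirects:
        findings.append("no web redirect URIs configured")
    findings += [f"redirect URI host mismatch: {u}"
                 for u in redirects if host_of(u) != fqdn]
    if host_of(web.get("logoutUrl")) != fqdn:
        findings.append("front-channel logout URL is not on the external FQDN")
    if fqdn not in [host_of(u) for u in app.get("identifierUris", [])]:
        findings.append("Application ID URI is not the external FQDN")
    scopes = {s.get("value"): s
              for s in app.get("api", {}).get("oauth2PermissionScopes", [])}
    scope = scopes.get("user_impersonation")
    if scope is None or not scope.get("isEnabled"):
        findings.append("scope user_impersonation is missing or disabled")
    elif scope.get("type") != "Admin":
        findings.append("scope user_impersonation is not Admins-only consent")
    # Flag client secrets that have expired or expire within warn_days.
    for cred in app.get("passwordCredentials", []):
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        end = end.replace(tzinfo=timezone.utc)
        label = cred.get("displayName") or cred.get("keyId")
        if end <= now:
            findings.append(f"client secret '{label}' expired on {end.date()}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"client secret '{label}' expires on {end.date()}")
    return findings

# Constructed sample: hostnames, names and dates are placeholders.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_APP = {
    "identifierUris": ["https://imanage.example.com/"],
    "web": {"redirectUris": ["https://imanage.example.com/"],
            "logoutUrl": "https://imanage.example.com/"},
    "api": {"oauth2PermissionScopes": [
        {"value": "user_impersonation", "type": "Admin", "isEnabled": True}]},
    "passwordCredentials": [{"displayName": "od-proxy",
                             "endDateTime": "2025-02-01T00:00:00Z"}],
}
```

Running the audit on a schedule gives advance notice of the secret expiry that otherwise surfaces as a failed Office and Dragons connection.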

Configure iManage in the Office and Dragons Admin Portal

For this step, you’ll need your iManage client ID, client secret and URL, and your Azure client ID, client secret and URL.

  1. In the admin settings, select Integrations from the side panel.

  2. Toggle on iManage, and select Self-host / on-prem.

  3. From the iManage Integration Type dropdown, select iManage via Azure App Proxy.

  4. Enter your iManage client ID and client secret in the iManage Client ID and iManage Client Secret fields.

  5. In the Azure Client ID and Azure Client Secret fields, enter the client ID and client secret of the proxy application (Office and Dragons-iManage-Proxy) created in the above procedure.

  6. In the Azure External URL field, enter the URL of the proxy application (Office and Dragons-iManage-Proxy) created in the above procedure. The URL must be externally accessible.

  7. In the Azure Tenant ID field, enter the Directory (tenant) ID of the proxy application (Office and Dragons-iManage-Proxy) created in the above procedure.

    Tip: The client ID, client secret and tenant ID of the proxy application are found in the App registration > Overview page in the Microsoft Entra admin center.

  8. Click Add Server.
