MeshCentral, I love you, but we need to talk. Your documentation is written as though someone told you, through the grapevine, how humans communicate. Tough.
Anyhow, adding Entra ID SSO to MeshCentral is pretty straightforward.
Here’s what you’ll need:
- A deployed MeshCentral Instance with a valid cert, likely on the internet.
- An Entra ID tenant (or a hybrid Entra ID / on-prem AD setup) and enough permissions to create a group, an app registration and a client secret, and to assign users to the resulting enterprise application
- A hostname, on the internet.
On the Azure side:
- Head over to your Entra ID portal and create a group (or do so in your on-prem AD and let it sync up, whichever makes sense). I'll be calling that group MeshCentral_SSOUser.
- In Entra ID, create an App Registration. I called mine MeshCentral SSO, which will not win me any creativity awards.
- On the "Overview" blade, note and record the Application (client) ID and the Directory (tenant) ID. You'll need both in config.json later.
- Under the “Manage” blade, select “Branding and Properties”. If you’d like to add a logo, you can. Enter your Home page URL here.
- Navigate to the "Authentication" blade. Under "Platform configurations", click "Add a platform" and select "Web". The redirect URI you need is https://{{your url}}/auth-azure-callback, where {{your url}} is exactly the hostname users reach MeshCentral on. Entra matches redirect URIs exactly, so a different host, port or trailing slash will fail the login with a redirect URI mismatch error.
- Next, head to "Certificates & secrets" and generate a "New client secret". Choose an expiry and a description, and click "Add". Record the value of the secret (not the Secret ID). This is the only time you'll see it; if you lose it, you have to create a new one. Diary the expiry date too: when the secret expires, SSO simply stops working, and nothing on the MeshCentral side will tell you why.
- Head over to Enterprise Applications and find the name you just gave your App Registration.
- On the "Overview" blade, select "Assign users and groups" and add your group to the list.
- Still in the enterprise application, open "Properties" and make sure "Assignment required?" is set to Yes. It defaults to No, and with No the group assignment is purely cosmetic: any user in your tenant can sign in to MeshCentral. This setting is what actually restricts access to MeshCentral_SSOUser.
On the MeshCentral side:
- SSH into your server and navigate to /opt/meshcentral/meshcentral-data (the default install path; adjust if yours differs).
- Edit config.json with: sudo nano config.json
- Locate the "domains" subsection, then "authStrategies" inside the domain you are configuring (the default domain is the empty string ""). Add an "azure" block like the example below. "newAccounts": true lets MeshCentral create a local account the first time an Entra user signs in, so the group assignment on the Azure side is what decides who gets in:

```json
"domains": {
  "": {
    "authStrategies": {
      "azure": {
        "newAccounts": true,
        "clientid": "Your Value Here",
        "clientsecret": "Your Value Here",
        "tenantid": "Your Value Here"
      }
    }
  }
}
```
- Press CTRL-X to exit, and press Y when it asks if you'd like to save. Restart MeshCentral to reload the config (sudo systemctl restart meshcentral if it runs as a systemd service; a reboot works too). The client secret now sits in plaintext in config.json, so make sure the file is owned by the account MeshCentral runs as and is not group- or world-readable (chmod 600).
- Verify that your configuration worked properly by navigating to your site. You should see a sneaky little Microsoft button down below the login window. Sign in once with a member of MeshCentral_SSOUser, then try an account that is not in the group: Entra should refuse it before MeshCentral ever sees it. If that second login succeeds, go back and check "Assignment required?" on the enterprise application.
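Most failed first attempts at this come down to a placeholder left in config.json, an ID pasted into the wrong field, or a redirect URI that does not match what Entra has registered. The script below is an added example for this post, not MeshCentral's own code: it loads config.json, checks the azure block of every domain for missing keys, leftover placeholders and non-GUID client/tenant IDs, flags a config.json that other users can read, and prints the redirect URI you should have registered. It assumes that the default domain answers on https://host/auth-azure-callback as above, that a named domain without its own dns entry is served under https://host/<domain>/ (an assumption, not verified against every release), that MeshCentral ignores keys whose name starts with an underscore (its convention for disabling a setting), and that an optional callbackurl key may be present in the azure block. The sample config embedded in it is constructed and deliberately keeps the placeholders so the check has something to report.

```python
"""Sanity-check the MeshCentral 'azure' authStrategy in config.json.

Added example, not MeshCentral code. Usage:
    python3 check_mesh_azure.py /opt/meshcentral/meshcentral-data/config.json mesh.example.com
With no arguments it runs against the constructed SAMPLE_CONFIG below.
"""
import json
import re
import stat
import sys
from pathlib import Path

REQUIRED_KEYS = ("clientid", "clientsecret", "tenantid")
GUID_KEYS = ("clientid", "tenantid")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# Values seen in sample configs and blog snippets that were never replaced.
PLACEHOLDERS = {"your value here", "xxx", "xxxxxx", ""}


def expected_redirect_uri(hostname: str, domain_id: str = "") -> str:
    """Redirect URI to register on the Entra app registration.

    The default domain ("") uses /auth-azure-callback. For a named domain
    we assume MeshCentral's usual /<domain>/ URL prefix (assumption)."""
    prefix = f"/{domain_id}" if domain_id else ""
    return f"https://{hostname}{prefix}/auth-azure-callback"


def check_azure_strategy(config: dict, hostname: str) -> list[str]:
    """Return human-readable findings; an empty list means every domain's
    azure block is complete and internally consistent."""
    findings: list[str] = []
    domains = config.get("domains")
    if not isinstance(domains, dict) or not domains:
        return ['no "domains" section in config.json']
    for domain_id, domain in domains.items():
        label = f'domain "{domain_id}"'
        azure = (domain.get("authStrategies") or {}).get("azure")
        if not isinstance(azure, dict):
            findings.append(f"{label}: no authStrategies.azure block")
            continue
        for key in REQUIRED_KEYS:
            value = azure.get(key)
            if value is None:
                findings.append(f"{label}: missing {key}")
            elif str(value).strip().lower() in PLACEHOLDERS:
                findings.append(f"{label}: {key} still holds a placeholder")
            elif key in GUID_KEYS and not GUID_RE.match(str(value)):
                findings.append(f"{label}: {key} is not a GUID: {value!r}")
        # A leading underscore disables a key in MeshCentral configs; copying
        # "_newAccounts" from the sample config is an easy mistake.
        if "newAccounts" not in azure and "_newAccounts" in azure:
            findings.append(f"{label}: newAccounts is disabled (underscore prefix); "
                            "first-time SSO users will not get an account created")
        want = expected_redirect_uri(hostname, domain_id)
        got = azure.get("callbackurl")  # optional override key (assumption)
        if got is not None and got != want:
            findings.append(f"{label}: callbackurl {got!r} does not match {want!r}")
    return findings


def check_file_mode(path: Path) -> list[str]:
    """The client secret is plaintext; flag a config readable by group/others."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {oct(mode)} is readable by others; chmod 600 it"]
    return []


# Constructed sample (no real tenant); placeholders left in on purpose.
SAMPLE_CONFIG = {
    "domains": {
        "": {
            "authStrategies": {
                "azure": {
                    "newAccounts": True,
                    "clientid": "Your Value Here",
                    "clientsecret": "Your Value Here",
                    "tenantid": "Your Value Here",
                }
            }
        }
    }
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        cfg_path, host = Path(sys.argv[1]), sys.argv[2]
        problems = check_file_mode(cfg_path)
        problems += check_azure_strategy(json.loads(cfg_path.read_text()), host)
    else:
        host = "mesh.example.com"
        problems = check_azure_strategy(SAMPLE_CONFIG, host)
    for problem in problems:
        print("WARN:", problem)
    print("redirect URI to register in Entra:", expected_redirect_uri(host))
```

Run it after every edit to config.json and before restarting MeshCentral; a clean run does not prove Entra is configured correctly, but it rules out the local mistakes that produce the same "the Microsoft button does nothing" symptom.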