Configuring FlexApp One Zero Trust Application Access

FlexApp One can authenticate users with OAuth against Microsoft Entra ID. With this enabled, a user must authenticate before a FlexApp One package activates, which applies a Zero Trust model to Win32 applications delivered as FlexApp One packages: only authenticated accounts that you have assigned to the registered application (and, optionally, that belong to an allowed tenant domain) can activate them.

Integrating FlexApp One into a Zero Trust security model requires two processes:

  • Create a registered application in Azure.
  • Pass the OAuth argument when creating the FlexApp One package, providing the respective application and/or tenant domain details.

Register the application in Azure Portal

  1. Log in to the Azure Portal.
  2. Navigate to the App registrations service page.
  3. Click New registration from the banner at the top-left of the page.
  4. Define a name for the registered app (e.g., LWL FlexApp One).
  5. Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
  6. Under Redirect URI, select Public client/native (mobile & desktop) for the platform and provide the following in the URI field:
     http://localhost/flexappone
  7. Click Register at the bottom of the page to complete the app registration process.
  8. Make note of the Application (client) ID value shown on the app's Overview page; it is required during packaging.

Limit access to specific Entra ID users and/or groups

  1. Navigate to the Enterprise applications service page.
  2. Click on the newly created registered app from the list of available apps shown in All applications (e.g., LWL FlexApp One).
  3. Under the Manage section on the left of the page, click Properties.
  4. In the Properties page, set the Assignment required setting to Yes. With this set, accounts in your tenant that are not assigned to the application are refused at sign-in.
  5. Click Save in the ribbon at the top of the page.
  6. Under the Manage section on the left of the page, click Users and groups.
  7. Click Add user/group.
  8. On the Add Assignment page, click None Selected to display a search pane.
  9. From the search pane, search for and check the box next to the accounts and/or groups requiring access to the application.
  10. Once all desired accounts and/or groups are selected, click Select and then click Assign.
  11. Under the Manage section on the left of the page, click Permissions.
  12. Click Grant admin consent for {TenantName}.

  Note: The Cloud Application Administrator, Application Administrator, or Global Administrator role is required to grant consent. Use the least-privileged of these (Cloud Application Administrator) where possible.
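The two Azure procedures above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not Liquidware tooling or anything the page ships. It assumes the Microsoft.Graph module is installed, that you sign in with a role that can grant consent (Cloud Application Administrator is enough), that a hypothetical group named FlexApp One Users already exists, and that the registration carries only the default delegated User.Read permission on Microsoft Graph, which a new registration has. It is idempotent, so it can be re-run to verify the configuration.

```powershell
# Added example: scripts "Register the application" and "Limit access" with the
# Microsoft Graph PowerShell SDK. Not Liquidware tooling. Assumes the Microsoft.Graph
# module is installed (Install-Module Microsoft.Graph).
$AppName     = 'LWL FlexApp One'       # name from the procedure above
$GroupName   = 'FlexApp One Users'     # hypothetical group; replace with your own
$RedirectUri = 'http://localhost/flexappone'

# Least-privilege delegated scopes for exactly what the script does.
Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'Group.Read.All' | Out-Null

# 1. Register the app: multitenant, public client (no client secret), loopback redirect URI.
$app = Get-MgApplication -Filter "displayName eq '$AppName'"
if (-not $app) {
    $app = New-MgApplication -DisplayName $AppName `
        -SignInAudience 'AzureADMultipleOrgs' `
        -PublicClient @{ RedirectUris = @($RedirectUri) } `
        -IsFallbackPublicClient:$true
}

# 2. Create the enterprise app (service principal) and require assignment, so that
#    unassigned accounts in this tenant are refused at sign-in.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { $sp = New-MgServicePrincipal -AppId $app.AppId }
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 3. Assign the group. The all-zero AppRoleId is the default access role used when
#    the registration defines no app roles of its own.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found; create it first." }
$assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Where-Object PrincipalId -eq $group.Id
if (-not $assigned) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId ([Guid]::Empty) | Out-Null
}

# 4. Tenant-wide admin consent. Assumes only the default delegated User.Read
#    permission on Microsoft Graph (appId 00000003-0000-0000-c000-000000000000).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and consentType eq 'AllPrincipals'"
if (-not $grant) {
    New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
        -ResourceId $graphSp.Id -Scope 'User.Read' | Out-Null
}

# 5. The value to pass as --appid when packaging.
Write-Host "Application (client) ID: $($app.AppId)"
```

Because the registration is multitenant, the Assignment required setting only governs the service principal in your own tenant; the --allowedtenants packaging argument described below is what restricts activation to your own domain(s).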

Create a FlexApp One package with OAuth enabled

Option A

Create the package using Bundler.exe with its required arguments and any additional arguments you normally use, plus the following:

  • Oauth – Enables OAuth functionality.
  • AppId – The Application (client) ID recorded in step 8 of Register the application in Azure Portal.
  • AllowedTenants (Optional) – Restricts access to accounts whose tenant matches the given domain name (e.g., company.com). Multiple AllowedTenants arguments can be defined to allow different domains. Because the registration is multitenant, this is the control that keeps accounts from other Entra ID tenants from activating the package; the Assignment required setting applies only to the service principal in your own tenant.

Example command:
    ".\bundler.exe" bundle -p "\\Server\FlexApps\PackageFolder" -f ".\Flexapp.zip" -o "\\Server\FlexApps\PackageFolder" -t ".\engine.exe" --seticon --oauth --appid <RegisteredAppId> --allowedtenants <FQDN>

Option B

Define the FA1 CLI arguments via the FlexApp Packaging Console (FPC).

  1. Launch the FlexApp Packaging Console.
  2. Navigate to the console Settings page (gear icon at top-right).
  3. Enter the Oauth, AppId, and AllowedTenants (optional) CLI arguments in the Create FlexApp One Arguments field. For example:
     --oauth --appid <RegisteredAppId> --allowedtenants <FQDN>
  4. Click OK to apply the changes.

  Note: FlexApp One packages created via FPC before these arguments were defined do not contain them.

Option C

Define the FA1 CLI arguments via FlexApp Packaging Automation (FPA), either by adding the override to the JSON file specified in the /PackagesFile FPA argument or by passing it directly on the command line with the FPA argument below:

    /FlexAppOneCliOverride "--oauth --appid <RegisteredAppId> --allowedtenants <FQDN>"