Product Configuration for Microsoft Entra ID
Configuring PTC Modeler and Model Explorer
• First use: If no Entra ID settings are stored, the product prompts you for:
◦ Application (client) ID
◦ Directory (tenant) ID — (optional; you can leave this blank to use the common endpoint if supported by you rdeployment.
• The product stores values in a DPAPI-protected file under the currect user profile (for example, in %LOCALAPPDATA%\PTC\Modeler\entra_settings.dat.
• Sign-in: When you connect to a repository configured for Entra ID, complete the WAM sign-in dialog or the device code flow prompt.
Configuring Model Manager
• Configure IIS setting: In the IIS Manager, under the Model Manager site, set EntraClientID and EntraTenantID in the application settings.
• Server-side configuration: Ensure the Model Manager web server is configured for Entra ID. When a client requests Entra authentication (for example, authType=entra or a UPN-style user name), the server uses the configured client ID and tenant ID to obtain tokens.
• First time Entra Sign-in: If the server has no cached token, it returns a device code and a verification URL. The user must:
a. Open the verification URL in a browser.
b. Enter the device code shown in the Model Manager sign-in dialog.
c. Sign in with Microsoft Entra account.
d. Wait for the Model Manager client to detect completion.
• Subsequent sign-ins: If a token is cached, the server can complete sign-in without showing a device code.
Configuring Web Interface
• Server-side configuration: Ensure the Web Interface is configured for Microsoft Entra ID authentication.
• Web Interface configuration (web.config): In the Web Interface web.config file, set the following keys in the <appsettings> section:
◦ ida:Enabled = true
◦ ida:TenandId = {Tenand ID}
◦ ida:ClientId = {Client ID}
• Entra Sign-in: When users select Sign in with your organization, the browser redirects to the Microsoft sign-in experience.
• Entra Sign-out: When users sign out of the Web Interface, they can also sign out of their current Microsoft Entra session.
Important values to configure
The following are values that you must configure in the applications to effectively use Entra ID.
|
Application
|
Values to set
|
|
Azure portal
|
App registration values (client ID and tenant ID), redirect URIs, and required API permissions (Microsoft Graph and Azure SQL Database, as applicable).
|
|
Desktop (first use)
|
Application (client) ID and, if required, directory (tenant) ID in the Entra settings prompt.
|
|
Model Manager (server)
|
EntraClientID and EntraTenantID in the IIS application settings for the Model Manager site.
|
|
Web Interface (server)
|
ida:Enabled, ida:TenantId, and ida:ClientId in the Web Interface web.config file.
|
Important points to consider
• WAM redirect URI: For desktop SSO (WAM), the redirect URI must be exactly ms-appx-web://Microsoft.AAD.BrokerPlugin/{client_id} with your app’s Client ID. Missing or incorrect redirect URI will prevent WAM from working.
• Web Interface redirect URI: For Web Interface sign-in, the redirect URI must be exactly https://{server}:{port}/account/entra-callback with your deployed server name and port number. Missing or incorrect redirect URIs prevent sign-in from completing.
• Token storage: Tokens are stored in the OS (WAM) or in DPAPI-protected files under the user profile. Do not share or move these files between machines or users.
• Token storage (Web Interface): The Web Interface does not store Entra tokens. After sign-in, the application uses a time-limited, browser session cookie.
• Device code (Model Manager): Device code flow requires the user to complete sign-in within the validity period (typically several minutes). Session timeouts (e.g. 15 minutes) apply to pending device-code sessions; after that, the user must login again.
• Hybrid environments: You can use Entra ID together with Windows (AD) accounts (e.g. federated or hybrid identity). The application detects Entra vs Windows based on login choice and/or UPN format (e.g.
[email protected]).
• Sign in: PTC Modeler prioritizes your Windows domain identity (DOMAIN\username) in hybrid environments. If you sign in using Microsoft Entra ID, it uses your e-mail address instead
• Multiple processes: Desktop tools use a single interactive sign-in at a time (through a shared mutex). Only one process shows the WAM prompt; others wait and then use the cache.
• Clear cache: If you need to force re-configuration or re-sign-in, use the product’s option to clear the Entra cache (if available). On desktop, removing or resetting the settings file (e.g. entra_settings.dat) triggers the Client ID / Tenant ID form again on subsequent use.
• Security: Client ID and Tenant ID are not highly sensitive but identify your app. Tokens are sensitive; they are stored with DPAPI (desktop) or equivalent and passed only in process/environment on the same machine. The Model Manager “clear cache” endpoint is intended for localhost only.