Azure AD Integration I: Configure Azure Active Directory
Configure Azure Active Directory
The first part of the Azure Active Directory integration is to create a dedicated Mobility (MDM and MAM) application in your Azure tenant. For cloud customers, the process starts one step earlier: they first have to validate their Silverback SaaS URL as a verified (trusted) domain in their Azure tenant. The Mobility (MDM and MAM) application defines, for example, which users are allowed to enroll via Autopilot or Azure Active Directory Join and to which Silverback instance the devices are enrolled. During the process, we will note down two identifiers and one access key; these are added to Silverback later to link the application with its specific permissions. Depending on the granted application permissions, you can additionally integrate, next to Autopilot or Azure AD Join, the App Protection Policy feature, which has a dedicated part in the Azure AD Integration Guide.
Prerequisites
- Minimum Silverback version 21.0 Update 3 for Windows Autopilot and Azure Active Directory Join
- Administrative Account for the Azure Active Directory to configure the integration with Silverback
- Administrative Account for the Silverback Management Console
- Microsoft Azure Active Directory Premium P1 or greater, or any Bundle which includes this license.
Before you Start
Microsoft requires single tenant applications to use verified domains in their AppID URI. Requests to add or update the AppID URI (identifierUris) validate that the domain in the URI is part of the verified domain list of your Azure tenant; this prevents adding an AppID URI with a domain name that is not in your verified domain list. Because the SaaS URL of cloud customers belongs to the m42cloud.com domain, it is not verified in your Azure tenant by default, so the domain must be verified first. This means that cloud customers are required to perform the domain verification for their Silverback SaaS instance upfront, with the following steps:
- Open Azure Portal and login as an Administrator
- Navigate to Azure Active Directory
- Select Custom Domains
- Click +Add custom domain
- Enter your Silverback SaaS instance URL, e.g. silverback001.m42cloud.com
- Press Add domain
- Copy the Destination or point to address to your Clipboard
- Create a support incident and provide inside the description your Silverback SaaS Instance URL and the TXT Record
- Wait until Matrix42 will add the TXT Record and provide you the information to Verify the domain
- Proceed with Create Application
Add your Mobility (MDM and MAM) application
Create Application
- Open Azure Portal and login as an Administrator
- Navigate to Azure Active Directory
- Navigate to Mobility (MDM and MAM)
- Click + Add application
- Choose On-premises MDM application
- Set a given name to the application (e.g. Silverback)
- Click Add
- Wait until Silverback application is added successfully
- Click X to Close
Configure Application
The MDM user scope settings are dedicated to the usage of Autopilot or Azure Active Directory Join and are not required for the Microsoft Store for Business integration. When you select All, all users who perform an enrollment with Autopilot or with Azure Active Directory Join are automatically routed to your Silverback instance as defined in the terms of use and discovery URLs. If you want to allow the enrollment only for some users or groups, select Some and enter the group name.
- Select your newly created application, e.g. Silverback
- Set MDM User scope:
  - Choose “All” or
  - Choose “Some” and select “groups”
- Change MDM terms of use URL to e.g. https://silverback.imagoverum.com/EnrollmentServer/TermsOfUse
- Change MDM discovery URL to e.g. https://silverback.imagoverum.com/EnrollmentServer/Discovery.svc
- Press Save
Copy Identifiers
- Click On-Premises MDM application settings
- On the Overview section, copy the following values to any text editor (e.g. Notepad++)
  - Application (client) ID: e.g. edfde181-304a-48d5-af66-fb0af5877a68
  - Directory (tenant) ID: e.g. f7ce7027-e6d8-4844-8a91-1f66ad2a3592
Create Application Key
- Navigate to Certificates & secrets
- Click New client secret
- Enter as description e.g. application_key
- Configure your expiration date for the key, e.g. 24 months
- Click Add
- Copy the new client secret value to your text editor (e.g. Notepad++)
You won't be able to retrieve it after you leave this blade
Add a reminder into your calendar for the key expiration date. You will need to create a new key before the key will expire.
Grant Permissions
- Navigate to API Permissions
- Click Add a permission
- Select Microsoft Graph
- Select Application permissions
- Select the following permissions depending on your purpose

| Group | Permission | Purpose |
|---|---|---|
| Devices | Device.ReadWrite.All | Windows Autopilot & Azure AD Join |
| User | User.Read.All | Windows Autopilot & Azure AD Join |
| Group | Group.Read.All | App Protection Policies |
| DeviceManagementApps | DeviceManagementApps.ReadWrite.All | App Protection Policies |
- Press Add permissions
- Click Grant admin consent for your organization, e.g. Imagoverum
- Confirm with Yes
The Device.ReadWrite.All permission for Azure Active Directory Graph that is added by default is not required: press the three dots next to that permission, click Revoke admin consent and confirm with Yes. Afterwards press the three dots again and select Remove permission. After this, the Device.ReadWrite.All permission for Microsoft Graph may be displayed separately from the other permissions; in this case simply press the three dots and select Add to configured permissions.
Change Application ID URI
- Navigate to Expose an API
- Click Edit next to Application ID URI
- Change the URI to the URL of your Silverback Server, e.g. https://silverback.imagoverum.com
- Press Save
- Your Azure Active Directory Configuration is now finished
Review IDs and Application Key
- During the process you should have noted down 3 values
  - Application ID
  - Directory ID
  - Key Value
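As an added check that is not part of the original guide or of Silverback's own tooling: a small Python script that reviews the application object returned by the Microsoft Graph API (GET /v1.0/applications/{object-id}) for the three things configured above, i.e. the Application ID URI pointing at the Silverback host, client secrets that expire soon (the calendar reminder above), and a leftover legacy Azure AD Graph permission. The sample application object and the Silverback URL are constructed; the Graph field names and the well-known resource app IDs are Microsoft's published values.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Well-known resource app IDs (Microsoft's published values, assumed correct here)
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # legacy API

def _parse_graph_time(value):
    # Graph returns ISO 8601 UTC, sometimes with 7 fractional digits; drop the fraction
    return datetime.fromisoformat(value.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)

def review_app_registration(app, silverback_url, now=None, warn_days=30):
    """Findings for an application object as returned by GET /v1.0/applications/{object-id}."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # 1. Application ID URI must point at the Silverback server (a verified domain)
    host = urlparse(silverback_url).hostname
    uris = app.get("identifierUris", [])
    if not any(urlparse(u).hostname == host for u in uris):
        findings.append(f"identifierUris {uris} do not match Silverback host {host}")
    # 2. Client secrets: renew before expiry, otherwise Silverback loses Graph access
    for cred in app.get("passwordCredentials", []):
        end = _parse_graph_time(cred["endDateTime"])
        name = cred.get("displayName") or cred.get("keyId", "?")
        if end <= now:
            findings.append(f"client secret '{name}' expired on {end.date()}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"client secret '{name}' expires within {warn_days} days ({end.date()})")
    # 3. Only Microsoft Graph permissions are needed; the legacy Azure AD Graph grant should go
    resources = [r.get("resourceAppId") for r in app.get("requiredResourceAccess", [])]
    if AZURE_AD_GRAPH_APP_ID in resources:
        findings.append("legacy Azure AD Graph permission still configured; remove it")
    if MICROSOFT_GRAPH_APP_ID not in resources:
        findings.append("no Microsoft Graph application permissions configured")
    return findings

# Constructed sample resembling a Graph application object (not real tenant data)
SAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)
SAMPLE_APP = {
    "identifierUris": ["https://silverback.imagoverum.com"],
    "passwordCredentials": [{"displayName": "application_key", "endDateTime": "2024-02-10T00:00:00Z"}],
    "requiredResourceAccess": [{"resourceAppId": MICROSOFT_GRAPH_APP_ID, "resourceAccess": []},
                               {"resourceAppId": AZURE_AD_GRAPH_APP_ID, "resourceAccess": []}],
}

if __name__ == "__main__":
    for finding in review_app_registration(SAMPLE_APP, "https://silverback.imagoverum.com", now=SAMPLE_NOW):
        print("-", finding)
```

Run against a real tenant, fetch the application object with an account holding Application.Read.All and pass it in place of SAMPLE_APP.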
Next Steps
- Move forward to import these values into Silverback: Azure AD Integration II: Configure Silverback