Skip to main content
Matrix42 Self-Service Help Center

Azure AD Integration V: Enable Device Orchestration

Configure Device Orchestration

When you use Azure AD Enrollment or Windows 10 Autopilot your devices will be listed in Silverback and in your Azure Active Directory (Azure Portal > Azure Active Directory > Devices). With our Device Orchestration we will make it possible for you that when you use the Factory Wipe or Delete Business Data command in Silverback the devices will be removed as well from your Azure Active Directory, so that these devices will not have any possibility to use services within your company.

For this we need to give your Mobility (MDM and MAM) Silverback application inside your Azure environment the needed rights to perform these actions via Silverback with the support of the Graph API.  

Please do not use this Feature so far when you have any Conditional Access Policies configured in your Azure Portal

Grant Rights

Give any user the Global Administrator role of your Azure Active Directory. If you want to use your “main” Administrator account you can proceed with Add Owner

  • Login into your Azure Portal
  • Navigate to Azure Active Directory > Users and select any user you like to give the permission. As best practice use a service or functional account.
  • Click on the name of the desired account so that the users profile will open
  • Navigate to Directory role and set the role to “Global Administrator”
  • Click Save

Add Owner

  • Navigate to Azure Active Directory > Users Mobility (MDM and MAM)
  • Click on your created Silverback application (e.g. Matrix42_EMM)
  • Open On-Premise MDM application settings
  • Click Owners
  • Click +Add owner, search for the Global Administrator user, mark him and click on the bottom on select
  • Now click on the Settings tab Properties and note down the application ID. We need the ID in a couple of seconds.
  • Close all open Tabs in Azure Portal. There is no need to save anything.

Enable Graph API

PowerShell Version 5 is required

  • Open Windows PowerShell as an Administrator on your Work machine
  • Enter Install-Module MSOnline and accept the prompt with yes
  • Enter Connect-MsolService
  • A new Window will appear where you need to login with the credentials for the in the previous steps used account
  • After the successful login the Window will disappear
  • Now open Notepad++ or any text editor you like
  • Copy the following string into the text editor and change the bold marked application ID to the application ID of your Silverback application 

$ClientIdWebApp = '9ce10ad7-2439-4965-bb53-442f5c1f15d1'

$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp

Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

  • Save the file as a Windows PoerShell *.ps1 file
  • Run the script on your Work machine

From now on every Factory Wipe or Delete Business data command in the Silverback Console will remove the device as well from Azure Active Directory.

  • Was this article helpful?