Before you can use Azure AD to enroll your Windows devices, you must configure AirWatch to use Azure AD as an Identity Service. Enabling Azure AD is a two-step process which requires the MDM-enrollment details to be added to Azure.

If you are using an on-premises deployment, you must follow these steps.

Prerequisites

You must register the domain for your Device Services server as one of the domains in your Azure tenant.

You must have a Premium Azure AD subscription to integrate Azure AD with AirWatch. Azure AD integration with AirWatch must be configured at the tenant where Active Directory (such as LDAP) is configured.

Important:

If you are setting the Current Setting to Override on the Directory Services system settings page, the LDAP settings must be configured and saved before enabling Azure AD for Identity Services.

Procedure

To configure Azure AD for Identity Services:

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.

  2. Enable Use Azure AD for Identity Services under Advanced options.

    Once enabled, take note of the MDM Enrollment and MDM Terms of Use URLs as they are needed when configuring the Azure directory.

  3. Log in to the Azure Management Portal with your Microsoft account or organizational account.

  4. Select your directory and navigate to the Applications tab.
  5. Select Add.

    (Screenshot: AzureMarket)

  6. Select Add an application from gallery.
  7. Select Mobile Device Management on the left then search for AirWatch by VMware. Select the checkmark in the bottom right of the screen. Then find and add the On Premises MDM application.

    (Screenshot: AzureAddApp)

  8. Leave the AirWatch by VMware application on the default settings. Change the Manage devices for these users setting to None.
  9. Configure the On Premises MDM application by entering the MDM Enrollment and MDM Terms of Use URLs from the AirWatch Console.
  10. Change the Permissions as follows:

    • Application Permissions
      • Select Read and write directory data.
      • Select Read and write devices.
    • Delegated Permissions
      • Select Access the directory as the signed-in user.
      • Select Read directory data.
      • Select Sign in and read user profile.
  11. Set the single sign-on settings and enter your Device Services URL in the APP ID URL textbox.

    Example format: https://<MDM DS SERVER>

  12. Set the Manage devices for these users setting to All. Select Save to continue.
  13. Return to the Applications tab to locate the Tenant ID and Tenant Name from your Azure directory.

    The Azure Tenant ID is found in your Azure AD Directory Instance URL.

    The Azure Tenant Name is the name of your Azure Directory. You can find the name under the Domain tab.

    (Screenshot: Win10_AzureConfig)

  14. Return to the AirWatch Console and select Use Azure AD for Identity Services to configure Azure AD Integration.

  15. Enter the Tenant Identifier and Tenant Name.

  16. Select Save to complete the process.
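The values entered in steps 9, 11 and 15 must agree with each other and with the prerequisite that the Device Services domain is registered in the Azure tenant. The following pre-flight check is an added example, not AirWatch or Microsoft code; it assumes the tenant ID is a GUID and that the MDM Enrollment and Terms of Use URLs are served from the Device Services host, and all sample values (domains, URL paths, GUID) are constructed.

```python
from urllib.parse import urlparse
import uuid

# Constructed sample values standing in for your own tenant; none are real infrastructure.
VERIFIED_DOMAINS = ["contoso.com", "contoso.onmicrosoft.com"]   # domains verified in the Azure tenant
SAMPLE_CONFIG = {
    "app_id_url": "https://DS.contoso.com",                      # step 11: https://<MDM DS SERVER>
    "mdm_enrollment_url": "https://ds.contoso.com/enroll",       # constructed path (step 2 / step 9)
    "mdm_terms_of_use_url": "https://ds.contoso.com/tou",        # constructed path (step 2 / step 9)
    "tenant_id": "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",         # constructed GUID (step 13 / step 15)
}


def host_of(url):
    """Return the lower-cased hostname of a URL, or None if it has none."""
    hostname = urlparse(url).hostname
    return hostname.lower() if hostname else None


def domain_is_registered(host, verified_domains):
    """True if host equals, or is a subdomain of, a verified domain (case-insensitive).

    The suffix check requires a leading dot, so 'contoso.com.evil.example' does not match.
    """
    host = host.lower().rstrip(".")
    for domain in verified_domains:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def preflight(config, verified_domains):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    ds_host = host_of(config["app_id_url"])
    if ds_host is None or urlparse(config["app_id_url"]).scheme != "https":
        problems.append("app_id_url must be https://<MDM DS SERVER>")
    elif not domain_is_registered(ds_host, verified_domains):
        problems.append(f"{ds_host} is not under a domain verified in the Azure tenant")
    for key in ("mdm_enrollment_url", "mdm_terms_of_use_url"):
        url = config[key]
        if urlparse(url).scheme != "https":
            problems.append(f"{key} must use https")
        elif ds_host and host_of(url) != ds_host:
            problems.append(f"{key} host does not match the Device Services host {ds_host}")
    try:
        uuid.UUID(config["tenant_id"])   # assumption: Azure tenant identifiers are GUIDs
    except ValueError:
        problems.append("tenant_id is not a GUID")
    return problems
```

Run `preflight(SAMPLE_CONFIG, VERIFIED_DOMAINS)` before saving in the AirWatch Console; any returned message points at the step whose value needs correcting.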