Before you can use Azure AD to enroll your Windows devices, you must configure AirWatch to use Azure AD as an Identity Service. Enabling Azure AD is a two-part process: you enable the option in the AirWatch Console, then add the MDM enrollment details that the Console provides to your Azure directory.

If you are using an on-premises deployment, you must follow these steps.

Prerequisites

If you are enrolling with a custom domain enrollment URL (SaaS-dedicated or On-Premises), the domain must be registered with the AirWatch Azure application. This registration requires the creation of a DNS record with your domain services provider. To register your domain, contact AirWatch Professional Services.

You must have a Premium Azure AD subscription to integrate Azure AD with AirWatch. Azure AD integration with AirWatch must be configured at the tenant (organization group) where your directory service (Active Directory or another LDAP directory) is configured.

Important:

If you are setting the Current Setting to Override on the Directory Services system settings page, the LDAP settings must be configured and saved before enabling Azure AD for Identity Services.

Procedure

To Configure Azure AD for Identity Services:

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.

  2. Enable Use Azure AD for Identity Services under Advanced options.

    Once enabled, take note of the MDM Enrollment and MDM Terms of Use URLs as they are needed when configuring the Azure directory.

  3. Log in to the Azure Management Portal with your Microsoft account or organizational account.

  4. Select your directory and navigate to the Mobility (MDM and MAM) tab. This was formerly the Applications tab.
  5. Select Add Application and select the AirWatch by VMware application.

  6. Select Add Application again and select the On Premises MDM application. You can rename the application when you add it.

  7. Leave the AirWatch by VMware application on its default settings, except change its MDM user scope to None.
  8. Configure the On Premises MDM application by entering the MDM Enrollment URL and MDM Terms of Use URLs from the AirWatch Console.
  9. Change the Permissions as follows:

    • Application Permissions
      • Select Read and write directory data.
      • Select Read and write devices.
    • Delegated Permissions
      • Select Access the directory as the signed-in user.
      • Select Read directory data.
      • Select Sign in and read user profile.
  10. Under the Single sign-on settings, enter your Device Services URL in the App ID URL text box.

    Example format: https://<MDM DS SERVER>

  11. Set MDM user scope to All. Select Save to continue.
  12. Navigate to the Properties tab to find the Azure Directory ID. This was formerly called the Tenant ID.

  13. Select the User Account Details option in the top-right corner.

    The Azure Tenant Name is the name of your Azure directory. You can find the name under the Domain tab.
  14. Return to the AirWatch Console and select Use Azure AD for Identity Services to configure the Azure AD integration.
  15. Enter the Azure Directory ID as the Tenant Identifier. Enter the name of your Azure directory as the Tenant Name.

  16. Select Save to complete the process.
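
The procedure above is entirely portal-driven, so nothing confirms that what was clicked matches what was intended. The following PowerShell script is an added verification check; it is not part of the AirWatch documentation and is not VMware code. It reads back the two values the procedure collects (the Azure Directory ID from step 12 and the directory name from step 13) and verifies that the On Premises MDM application carries exactly the permissions from step 9. It assumes the Microsoft Graph PowerShell SDK is installed, that the two applications still have the default display names from steps 5 and 6 (pass a different name if you renamed the On Premises MDM application), and that the permission display names on this page correspond to the Azure AD permission values listed in the comments; those mappings are the script's assumption, not something the page states.

```powershell
# Added verification script for the Azure AD Identity Services procedure.
# Not part of the AirWatch documentation. Assumptions:
#   - Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
#   - Application display names match steps 5 and 6 unless overridden below.
#   - The page's permission display names map to these Azure AD permission values:
#       Read and write directory data             -> Directory.ReadWrite.All
#       Read and write devices                    -> Device.ReadWrite.All
#       Access the directory as the signed-in user -> Directory.AccessAsUser.All
#       Read directory data                       -> Directory.Read.All
#       Sign in and read user profile             -> User.Read
param(
    [string]$AirWatchAppName  = 'AirWatch by VMware',
    [string]$OnPremMdmAppName = 'On Premises MDM'
)

$ExpectedAppPermissions       = @('Directory.ReadWrite.All', 'Device.ReadWrite.All')
$ExpectedDelegatedPermissions = @('Directory.AccessAsUser.All', 'Directory.Read.All', 'User.Read')

# Read-only scopes are sufficient for a verification pass; request nothing that can write.
Connect-MgGraph -Scopes 'Organization.Read.All', 'Domain.Read.All', 'Application.Read.All' -NoWelcome

# Steps 12-13: the two values entered in the AirWatch Console.
$org    = Get-MgOrganization
$domain = Get-MgDomain | Where-Object { $_.IsInitial }   # the directory's *.onmicrosoft.com name
Write-Host "Tenant Identifier (Azure Directory ID): $($org.Id)"
Write-Host "Tenant Name (Azure directory domain):   $($domain.Id)"

# Steps 5-6: both applications must exist as service principals in this directory.
$aw = Get-MgServicePrincipal -Filter "displayName eq '$AirWatchAppName'"
if (-not $aw) { Write-Warning "No service principal named '$AirWatchAppName'; re-check step 5." }
$sp = Get-MgServicePrincipal -Filter "displayName eq '$OnPremMdmAppName'"
if (-not $sp) { throw "No service principal named '$OnPremMdmAppName'; re-check step 6." }

# Step 9, application permissions: these are app role assignments granted to the
# service principal itself. They apply directory-wide and do not depend on any
# signed-in user, so the granted set should contain the two expected roles and nothing else.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    # Resolve the role GUID to its permission value via the resource's app role list.
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    ($resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
}
$missingApp = $ExpectedAppPermissions | Where-Object { $_ -notin $granted }
$extraApp   = $granted | Where-Object { $_ -notin $ExpectedAppPermissions }

# Step 9, delegated permissions: OAuth2 permission grants; Scope is a space-separated list.
$scopes = (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id).Scope -split ' ' |
    Where-Object { $_ } | Sort-Object -Unique
$missingDelegated = $ExpectedDelegatedPermissions | Where-Object { $_ -notin $scopes }

Write-Host "Application permissions granted: $($granted -join ', ')"
Write-Host "Delegated permissions granted:   $($scopes -join ', ')"
if ($missingApp)       { Write-Warning "Missing application permissions: $($missingApp -join ', ')" }
if ($extraApp)         { Write-Warning "Application permissions beyond step 9: $($extraApp -join ', ')" }
if ($missingDelegated) { Write-Warning "Missing delegated permissions: $($missingDelegated -join ', ')" }
if (-not ($missingApp -or $extraApp -or $missingDelegated)) { Write-Host 'Permissions match step 9.' }
```

Run it as an account that can read the organization and its applications; no write scope is requested. The application permissions in step 9 are granted to the application itself and are effective across the whole directory regardless of which user is signed in, so treat the On Premises MDM application's credentials as directory-write credentials and remove any permission the script reports beyond the ones step 9 calls for.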