Before you can use Azure AD to enroll your Windows devices, you must configure Workspace ONE UEM to use Azure AD as an Identity Service. Enabling Azure AD is a two-step process: first add the MDM-enrollment details to Azure, then enter the Azure directory details in the Workspace ONE UEM console.
You must have an Azure AD Premium P1 or P2 subscription to integrate Azure AD with Workspace ONE UEM. Azure AD integration with Workspace ONE UEM must be configured at the tenant where Active Directory (LDAP) is configured.
Important: If you are setting the Current Setting to Override on the Directory Services system settings page, the LDAP settings must be configured and saved before enabling Azure AD for Identity Services.
- Navigate to .
- Log in to the Azure Management Portal with your Microsoft account or organizational account.
- Select your directory and navigate to the Mobility (MDM and MAM) tab.
- Select Add Application, select the AirWatch by VMware application, and select Add.
- Select the AirWatch by VMware app that you added to change the MDM user scope to All.
- Add an on-premises app by selecting Add, and then selecting the On Premises MDM application.
- Select the On Premises MDM application again to configure it. Set the MDM user scope to All or Some; for Some, select a group of users.
- Enter the Workspace ONE UEM console URLs in the On Premises MDM application and save the settings.
- Paste your MDM Enrollment URL from the Workspace ONE UEM console into the MDM discovery URL text box in Azure.
- Select .
- Select Edit for Application ID URI and enter your Device Services URL in the Application ID URI text box. Save the settings.
- You can select and assign premium licenses in Azure.
- In the Microsoft Azure console, select All Products and select the proper license in the list.
- Select Assign, select the users or groups for the license, and select Assign.
- Copy the Directory ID and the primary domain to enter into the Workspace ONE UEM console.
- Navigate to the Properties tab and find the Azure Directory ID and copy it.
- Select Custom domain names and copy the Name that is listed as the primary domain.
- Return to the Workspace ONE UEM console and select Use Azure AD for Identity Services to configure Azure AD Integration.
- Enter the directory ID you copied to the Directory ID text box.
- Enter the primary domain you copied in Tenant Name text box.
- To finish the process, select Save.
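The procedure above moves four values between the two consoles by hand: the MDM discovery URL and Application ID URI pasted into Azure, and the Directory ID and primary domain pasted into Workspace ONE UEM. A copy-paste slip (an http:// URL, a Directory ID from the wrong tenant) only shows up later as a failed enrollment. The following pre-flight script is an added example, not part of the Workspace ONE UEM documentation or product. It checks the URL and identifier formats and cross-checks the Directory ID against the tenant's public OpenID Connect discovery document, whose issuer value embeds the tenant GUID. The host names, GUIDs and function names are constructed for illustration.

```python
"""Pre-flight check for the values exchanged between Workspace ONE UEM and Azure AD.

Added example (not VMware's or Microsoft's code). Assumes the Azure AD v2.0 OpenID
discovery endpoint, which is public and needs no credentials:
  https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
Its "issuer" is https://login.microsoftonline.com/<tenant GUID>/v2.0, so it ties the
primary domain you copied to the Directory ID you copied.
"""
import json
import re
import sys
import urllib.request
from urllib.parse import urlsplit

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
DNS_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0/?$", re.I)


def is_guid(value: str) -> bool:
    return bool(GUID_RE.match(value.strip()))


def is_dns_name(name: str) -> bool:
    labels = name.strip().rstrip(".").split(".")
    return len(labels) >= 2 and all(DNS_LABEL_RE.match(label) for label in labels)


def url_problems(label: str, url: str) -> list:
    """Azure expects HTTPS URLs for the MDM discovery URL and the Application ID URI."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        problems.append(f"{label}: scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        problems.append(f"{label}: missing host name")
    elif not is_dns_name(parts.hostname):
        problems.append(f"{label}: host name {parts.hostname!r} is not a valid DNS name")
    if parts.query or parts.fragment:
        problems.append(f"{label}: query string or fragment is not allowed")
    return problems


def tenant_id_from_openid_config(doc: dict) -> str:
    """Extract the tenant GUID from the issuer of an Azure AD v2.0 OpenID configuration."""
    match = ISSUER_RE.match(doc.get("issuer", ""))
    if not match:
        raise ValueError(f"unexpected issuer: {doc.get('issuer')!r}")
    return match.group(1).lower()


def fetch_openid_config(tenant_name: str) -> dict:
    """Fetch the public discovery document for a tenant by its primary domain (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_name}/v2.0/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def preflight(directory_id, tenant_name, discovery_url, app_id_uri, openid_doc=None) -> list:
    """Return a list of problems; an empty list means the four values are consistent."""
    problems = []
    if not is_guid(directory_id):
        problems.append("Directory ID is not a GUID")
    if not is_dns_name(tenant_name):
        problems.append("Tenant Name is not a valid DNS domain")
    problems += url_problems("MDM discovery URL", discovery_url)
    problems += url_problems("Application ID URI", app_id_uri)
    # Cross-check: the tenant behind the primary domain must be the Directory ID you copied.
    if openid_doc is not None and is_guid(directory_id):
        try:
            issuer_tid = tenant_id_from_openid_config(openid_doc)
        except ValueError as exc:
            problems.append(str(exc))
        else:
            if issuer_tid != directory_id.strip().lower():
                problems.append(
                    f"Directory ID {directory_id} does not match tenant {tenant_name} "
                    f"(issuer tenant is {issuer_tid})")
    return problems


if __name__ == "__main__":
    # Usage: preflight.py <directory_id> <primary_domain> <mdm_discovery_url> <application_id_uri>
    if len(sys.argv) != 5:
        sys.exit(__doc__)
    dir_id, domain, disc_url, app_uri = sys.argv[1:]
    found = preflight(dir_id, domain, disc_url, app_uri, fetch_openid_config(domain))
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it with the exact strings you pasted into the two consoles; a non-empty report means stop and re-copy before saving the Workspace ONE UEM settings. The format checks and the issuer cross-check are pure functions, so they can also be run offline against a saved discovery document.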
Configure Azure AD Identity Services Integration
To configure your Azure AD Identity Services Integration, use an Azure admin account to sign up with the store and to activate the Workspace ONE UEM management tool.
- Create an Azure admin account for Workspace ONE UEM. Configure an admin account with the Global administrator role in your Default Directory in Microsoft Azure. Use this account to acquire applications in the Microsoft Store for Business. You do not need an Azure premium account to create an admin account for the Microsoft Store for Business. Because this account holds the Global administrator role, treat it as a privileged account: dedicate it to this task, protect it with multi-factor authentication, and change the temporary password after the first sign-in.
- In Azure, navigate to your Azure Active Directory.
- Select Users and groups and + New user.
- Configure the Directory role as Global administrator.
- Create a temporary password so you can log in to the Microsoft Store for Business.
- Activate Workspace ONE UEM in the Microsoft Store for Business and acquire apps. Activate the Workspace ONE UEM management tool in the Microsoft Store for Business with your Azure admin account credentials. If you use offline licensing, enable the acquisition of offline-licensed applications.
- Navigate to the Microsoft Store for Business and log in with your Azure admin account.
- Navigate to Manage > Settings > Distribute > Management tools and activate the Workspace ONE UEM by VMware tool.
- For offline licenses, go to Manage > Settings > Shop > Shopping experience and enable Show offline licensed apps to people shopping in the store.
- In the Store for Business, add applications to your inventory. You can add applications with either offline or online licenses depending on your license management strategy.