Before you can use Azure AD to enroll your Windows devices, you must configure Workspace ONE UEM to use Azure AD as an Identity Service. Enabling Azure AD is a two-step process: enable the setting in Workspace ONE UEM, then add the MDM enrollment details to Azure.

Prerequisites

You must have an Azure AD Premium P1 or P2 subscription to integrate Azure AD with Workspace ONE UEM. Azure AD integration with Workspace ONE UEM must be configured at the tenant where your directory service (such as LDAP) is configured.

Important:

If you are setting the Current Setting to Override on the Directory Services system settings page, the LDAP settings must be configured and saved before enabling Azure AD for Identity Services.

Procedure

To Configure Azure AD for Identity Services:

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.

  2. Enable Use Azure AD for Identity Services under Advanced settings.

    Once enabled, take note of the MDM Enrollment and MDM Terms of Use URLs as they are needed when configuring the Azure directory.

  3. Log in to the Azure Management Portal with your Microsoft account or organizational account.

  4. Select your directory and navigate to the Mobility (MDM and MAM) tab. This tab was formerly the Applications tab.
  5. Select Add Application and select the AirWatch by VMware application.

    You can use the default URLs if the user scope is set to none. If needed, you can also use placeholder URLs.

    [Figure: AzureMarket]

  6. Leave the AirWatch by VMware application on the default settings. Change the MDM user scope to None.

    [Figure: AzureAddAppOnPrem]

  7. Select Add Application again and select the On Premises MDM application. You can rename the application when you add it.

  8. Configure the On-Premises MDM application by entering the MDM Enrollment URL and MDM Terms of Use URLs from the Workspace ONE UEM Console.
  9. Select On-premises MDM application settings then select Required Permissions > Windows Azure Active Directory.
  10. Change the Permissions as follows:

    • Application Permissions
      • Select Read and write directory data.
      • Select Read and write devices.
    • Delegated Permissions
      • Select Access the directory as the signed-in user.
      • Select Read directory data.
      • Select Sign in and read user profile.
  11. Select the Properties settings and enter your device services host in the APP ID URI text box.

    Use the same host that you used in the MDM Enrollment URL and MDM Terms of Use text boxes.

    Example format: https://<MDM DS SERVER>

  12. Set MDM user scope to All to apply these settings to all users.

    You can also limit the OOBE enrollment to selected Azure AD groups by selecting Some and adding the preferred groups.

  13. Select Save to continue.
  14. Navigate to the Properties tab and find the Azure Directory ID. This setting was formerly called the Tenant ID.

    [Figure: Win10_AzureConfig]

  15. Select User Account Details in the top right corner.

    The Azure Tenant Name is the name of your Azure Directory. You can find the name under the Domain tab.
  16. Return to the UEM Console and select Use Azure AD for Identity Services to configure Azure AD Integration.

  17. Enter the Azure Directory ID as the Tenant Identifier. Enter the default domain as your Azure Directory Tenant Name.

  18. Select Save to finish the process.
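After step 18, it is worth confirming from the Azure side that the on-premises MDM application carries the same values you entered in the UEM Console. The following added example (not VMware's or Microsoft's own code) reads the MDM policies that Microsoft Graph exposes under /v1.0/policies/mobileDeviceManagementPolicies and checks that the enrollment (discovery) and terms-of-use URLs use HTTPS on the same host as the App ID URI (step 11) and that the user scope matches what you chose in step 12. The embedded Graph response, the hostnames, the policy display names and the bearer token (assumed to carry Policy.Read.All) are constructed or assumed, not taken from a real tenant.

```python
"""Check Azure AD MDM policies against the values entered in the UEM Console."""
import json
import urllib.request
from urllib.parse import urlparse

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/mobileDeviceManagementPolicies"

# Constructed sample of a Graph response; ids, hostnames and paths are placeholders.
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "AirWatch by VMware",
     "appliesTo": "none",
     "discoveryUrl": "https://mdm.example.net/default-enroll",
     "termsOfUseUrl": "https://mdm.example.net/default-terms"},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "On-premises MDM",
     "appliesTo": "all",
     "discoveryUrl": "https://ds.example.com/mdm/enroll",
     "termsOfUseUrl": "https://ds.example.com/mdm/terms"},
]})


def fetch_policies(bearer_token):
    """Read the live policies with a Graph token (assumed to have Policy.Read.All)."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def find_policy(graph_json, display_name):
    """Return the policy whose displayName matches, or None."""
    for policy in json.loads(graph_json).get("value", []):
        if policy.get("displayName") == display_name:
            return policy
    return None


def check_policy(policy, app_id_host, expected_scope):
    """Return findings; an empty list means the policy matches the console values."""
    findings = []
    for key in ("discoveryUrl", "termsOfUseUrl"):
        url = policy.get(key) or ""
        parsed = urlparse(url)
        if parsed.scheme != "https":          # enrollment traffic must be TLS-protected
            findings.append(f"{key} is not https: {url!r}")
        if parsed.hostname != app_id_host:    # step 11: same host as the App ID URI
            findings.append(f"{key} host {parsed.hostname!r} != App ID URI host {app_id_host!r}")
    if policy.get("appliesTo") != expected_scope:   # step 12: all / selected / none
        findings.append(f"appliesTo is {policy.get('appliesTo')!r}, expected {expected_scope!r}")
    return findings


if __name__ == "__main__":
    onprem = find_policy(SAMPLE_GRAPH_RESPONSE, "On-premises MDM")
    print(check_policy(onprem, "ds.example.com", "all") or "On-premises MDM policy matches")
```

Against a live tenant, replace SAMPLE_GRAPH_RESPONSE with the output of fetch_policies() and pass the display name you gave the application in step 7.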