Configuring an AAD Only Control Account
Last updated on March 28, 2023 by Robert Plamondon
Pre-requisites:
Note: (March 28, 2023) Microsoft has changed the requirements for the service account. It used to require no special permissions. Now you need it to be a “Cloud Device Administrator” or an “Intune Administrator.”
- An Azure AD administrator account to grant the application the permissions it needs to authenticate with AAD
- A service account or user account for the bulk token enrollment process of VMs
- A new Control account
Configuration Process:
- After a new Control account is created and verified, the user can log in with the initial account created during setup.
- The user then sees a screen where he/she must choose the type (AAD or Active Directory).
- Full AAD – if the Control account is configured with this option, both Workspot Client authentication and Desktop authentication use AAD credentials.
- Active Directory – if this is chosen, the account can be configured to use AAD or AD for Client authentication, but can only be configured to use AD for Desktop authentication.
- Select the “Azure Active Directory” radio button and click the Request Permissions button.
- A new window appears with the details and the list of permissions required. Review them and click Continue.
- A new window appears asking for the AAD admin credentials.
- Once the credentials are provided, a screen appears asking you to review the permissions that you are about to grant to the application.
- After reviewing, click on Accept.
- Once the process is complete, you are signed out of the AAD account.
- On the control page, you can now see that the permissions are granted for Control.
- Click on the “Use Bulk Token Refresh” radio button.
- If you wish to enter the bulk token credentials directly, click “Enter Credentials” and provide the credentials in the fields below.
- If you have secured the credentials in Azure Key Vault, choose that option and provide the path used to retrieve them from the key vault.
- Once the credentials are provided, you can click on “Check Account and Save”.
- If everything goes well, you will see the status as “Verified”.
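A pre-flight check for the service account requirement in the note above, added here as an example and not part of Workspot's tooling: it reads a Microsoft Graph `GET /users/{id}/memberOf` response and reports whether the account holds one of the two named roles and whether it holds any directory role beyond them. The sample response, group name and function name are constructed for illustration.

```python
import json

# Roles the note on this page names as acceptable for the service account.
REQUIRED_ANY = {"Cloud Device Administrator", "Intune Administrator"}

# Constructed sample shaped like a Microsoft Graph
# GET /users/{id}/memberOf response (not real tenant data).
SAMPLE_MEMBER_OF = json.loads("""
{
  "value": [
    {"@odata.type": "#microsoft.graph.group",
     "displayName": "VDI Operators"},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "displayName": "Intune Administrator"},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "displayName": "Global Administrator"}
  ]
}
""")


def audit_service_account(member_of):
    """Check directory roles in a memberOf response against the requirement.

    Only objects typed as directoryRole count; a group that merely shares
    a role's display name does not satisfy the requirement.
    """
    roles = {
        obj.get("displayName", "")
        for obj in member_of.get("value", [])
        if obj.get("@odata.type") == "#microsoft.graph.directoryRole"
    }
    held = roles & REQUIRED_ANY
    return {
        "meets_requirement": bool(held),
        "held_required": sorted(held),
        # Anything here is privilege beyond what the bulk token flow needs.
        "excess_roles": sorted(roles - REQUIRED_ANY),
        # A nextLink means more pages exist, so the verdict is not final.
        "complete": "@odata.nextLink" not in member_of,
    }


if __name__ == "__main__":
    print(json.dumps(audit_service_account(SAMPLE_MEMBER_OF), indent=2))
```

The response lists only the memberships Graph returns for that call, so fetch every page before treating a result with `complete` set to false as final.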