Citrix Cloud

Add Azure AD administrator groups to Citrix Cloud

You can add administrators to your Citrix Cloud account using Azure Active Directory (AD) groups. You can then manage service access permissions for all administrators in the group.

This feature is supported for use only with the Virtual Apps and Desktops service. Administrators in the group don’t have access to manage any other services in the Citrix Cloud account.

Prerequisites

Using Azure AD groups requires the latest version of the Azure AD application for connecting your Azure AD to Citrix Cloud. Citrix Cloud acquired this application when you connected your Azure AD for the first time. If you connected your Azure AD to Citrix Cloud before May 2019, Citrix Cloud might not be using the most current application to connect with Azure AD. Citrix Cloud can’t display your Azure AD groups if your account isn’t using the most current application.

Before using Azure AD groups in Citrix Cloud, perform the following tasks:

  1. Verify that you’re using the latest application for your Azure AD connection. Citrix Cloud displays a notification if you’re not using the most current application.
  2. If the application must be updated, reconnect your Azure AD to Citrix Cloud. By reconnecting to your Azure AD, you grant application-level read-only permissions to Citrix Cloud and allow Citrix Cloud to reconnect to your Azure AD on your behalf. During reconnection, a list of these permissions is displayed for your review. For more information about the permissions Citrix Cloud requests, see Azure Active Directory Permissions for Citrix Cloud.

    Important:

    To complete this task, you must be a Global Admin in Azure AD. Also, you must be signed in to Citrix Cloud using a Full Access administrator account under the Citrix identity provider. If you sign in with your Azure AD credentials, the reconnection fails. If you don’t have any administrators using the Citrix identity provider, you can add one temporarily to perform this task and then delete it afterward.

Verify your connection to Azure AD

  1. Sign in to Citrix Cloud using a Full Access administrator account under the Citrix identity provider.
  2. From the Citrix Cloud menu, select Identity and Access Management and then select Authentication.
  3. Locate Azure Active Directory. A notification appears if Citrix Cloud must update the application for your Azure AD connection.

    Reconnect to Azure AD prompt in Citrix Cloud console

    If Citrix Cloud is already using the most current application, no notification appears.

Reconnect to Azure AD

  1. From the Azure AD notification in the Citrix Cloud console, click the reconnect link. A list of the requested Azure permissions appears.
  2. Review the permissions and then select Accept.

Supported Citrix Cloud permissions

Only Custom Access permissions are supported for Azure AD groups. Full Access permissions are not supported.

Permission changes for an administrator who’s already signed in will take effect only after the administrator signs out and authenticates again.

Resultant permissions for administrators with Citrix and Azure AD identities

When an administrator signs in to Citrix Cloud, only certain permissions might be available if the administrator has both a Citrix identity (the default identity provider in Citrix Cloud) and a single-user or group-based Azure AD identity. The table in this section describes the permissions that are available for each combination of these identities.

Single-user Azure AD identity refers to Azure AD permissions that are granted to the administrator through an individual account. Group-based Azure AD identity refers to Azure AD permissions that are granted as a member of an Azure AD group.

Citrix identity | Single-user Azure AD identity | Group-based Azure AD identity | Permissions available after authentication
--- | --- | --- | ---
X | X | | Administrator has cumulative permissions of both identities after successful authentication with either the Citrix identity or the Azure AD identity.
X | | X | Each identity is treated as an independent entity. Available permissions depend on whether the administrator authenticates using the Citrix identity or the Azure AD identity.
| X | X | Administrator has cumulative permissions of both identities when authenticating to Citrix Cloud with Azure AD.
X | X | X | When authenticating with their Citrix identity, the administrator has cumulative permissions of both the Citrix identity and the single-user Azure AD identity. When authenticating with Azure AD, the administrator has cumulative permissions of all three identities.

Sign-in experience for administrators

After you add an Azure AD group to Citrix Cloud and define the service permissions, administrators in the group simply sign in by selecting Sign in with my company credentials on the Citrix Cloud sign-in page and entering the Azure AD sign-in URL for the account (for example, https://citrix.cloud.com/go/mycompany). Unlike adding individual Azure AD administrators, administrators in the Azure AD group aren’t explicitly invited, so they won’t receive any emails to accept an invitation to be Citrix Cloud administrators.

After signing in, administrators select Manage from the Virtual Apps and Desktops service tile to access the service’s management console.

Launchpad with Virtual Apps and Desktops service tile

Administrators who are granted permissions only as members of Azure AD groups can access the Citrix Cloud account using the Azure AD sign-in URL for the account.

Administrators who are granted permissions through an individual Azure AD account and as a member of Azure AD groups can choose the Citrix Cloud account they want to access. If the administrator is a member of multiple Citrix Cloud accounts, they can select a Citrix Cloud account from the customer picker after authenticating successfully.

Limitations

Access to platform and service features

Citrix Cloud platform features are not available to administrators in the Azure AD group. These features include:

  • Resource locations
  • Notifications
  • Library
  • Workspace Configuration

Also, Virtual Apps and Desktops features that rely on Citrix Cloud platform capabilities such as Quick Deploy user assignment are not available.

Impact of multiple groups on application performance

Citrix recommends that a single administrator belongs to no more than 20 Azure AD groups that have been added to Citrix Cloud. Membership in a larger number of groups might result in reduced application performance.

Impact of multiple groups on authentication

If an Azure AD group-based administrator is assigned to many groups in Azure AD, authentication might fail because the number of groups is too large. This issue occurs due to a limitation in the integration between Citrix Cloud and Azure AD. When the administrator attempts to sign in, Citrix Cloud attempts to compress the list of groups that is retrieved. If Citrix Cloud can’t apply the compression successfully, not all groups can be retrieved and the authentication fails.

This issue might also affect users who authenticate to Citrix Workspace through Azure AD. If a user belongs to multiple Azure AD groups, authentication might fail because the number of groups is too large.

To resolve this issue, review the administrator or user account and verify that they belong only to the groups that are required for their role in the organization.

Adding groups fails due to too many assigned role/scope pairs

When adding a group with multiple role/scope pairs, an error might occur that indicates the group can’t be created. This error occurs because the number of role/scope pairs that are assigned to the group is too large. To resolve this error, divide the role/scope pairs among two or more groups and assign the administrators to those groups.

Add an Azure AD group to Citrix Cloud administrators

  1. From the Citrix Cloud menu, select Identity and Access Management and then select Administrators.
  2. Under Select an identity provider, select your Azure AD and sign in to Azure, if needed.

    Identity and Access Management console with Azure AD and Sign in button selected

  3. Search for the group you want to add and select the group.

    Azure AD group search

  4. Select the roles you want to assign to the group. You must select at least one role.

    Select custom access permissions

  5. When you’re finished, select Save.

Modify service permissions for an Azure AD group

  1. From the Citrix Cloud menu, select Identity and Access Management and then select Administrators.
  2. Under Select an identity provider, select your Azure AD and sign in, if needed.
  3. Locate the Azure AD group you want to manage and, from the ellipsis menu, select Edit Access.

    Group with Edit access menu selected

  4. Select or clear the check marks next to one or more role and scope pairs as needed.

    Custom access permissions console

  5. When you’re finished, select Save.

Delete an Azure AD group

  1. From the Citrix Cloud menu, select Identity and Access Management and then select Administrators.
  2. Locate the Azure AD group you want to manage and, from the ellipsis menu, select Delete Group.

    Ellipsis menu with Delete Group selected

    A confirmation message appears.

    Delete Group confirmation message

  3. Choose I understand deleting this group will prevent administrators in the group from accessing Citrix Cloud to confirm that you’re aware of the effects of deleting the group.
  4. Select Delete.

Changes to Azure AD groups

If you make any changes to your groups in Azure AD, those changes might not propagate automatically to Citrix Cloud. To ensure Citrix Cloud displays these changes, select Refresh from the Identity and Access Management > Administrators page.

Administrators page with Azure AD selected and Refresh button highlighted

Switch between multiple Citrix Cloud accounts

By default, Citrix Cloud administrators can use the Change Customer menu option to switch between other Citrix Cloud accounts that they can manage.

User menu with Change Customer button highlighted

This menu option is not available to members of Azure AD groups. To enable this menu option, you must link the Citrix Cloud accounts that you want to change between.

Linking Citrix Cloud accounts uses a hub-and-spoke approach. Before linking accounts, decide which Citrix Cloud account will act as the account from which the other accounts are accessed (the “hub”) and which accounts you want to have listed in the customer picker (the “spokes”).

Before linking accounts, ensure you meet the following requirements:

  • You have Full administrator permissions in Citrix Cloud.
  • You have access to the Windows PowerShell Integrated Scripting Environment (ISE).
  • You have the customer IDs for the Citrix Cloud accounts you want to link. The customer ID appears in the top-right corner of the management console for each account.

    Citrix Cloud console with Customer ID highlighted

  • You have the Citrix CWSAuth bearer token for the Citrix Cloud account you want to link as the hub account. To retrieve this bearer token, follow the instructions in CTX330675. You need to supply this information when linking your Citrix Cloud accounts.

To link a spoke account to the hub account:

  1. Open the PowerShell ISE and paste the following script into the working pane:

    $headers = @{}
    $headers.Add("Accept","application/json")
    $headers.Add("Content-Type","application/json")
    $headers.Add("Authorization","CWSAuth bearer=XXXXXXX")   # replace XXXXXXX with the CWSAuth value from CTX330675
    
    $uri = "https://trust.citrixworkspacesapi.net/HubCustomerID/links"   # replace HubCustomerID with the hub account's customer ID
    
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers   # read the spokes already linked to the hub
    $allLinks = $resp.linkedCustomers + @("SpokeCustomerID")   # replace SpokeCustomerID with the spoke account's customer ID
    
    $body = @{"customers"=$allLinks}   # the POST replaces the full list, so existing spokes are included
    $bodyjson = $body | ConvertTo-Json
    
    $resp = Invoke-WebRequest -Method Post -Uri $uri -Headers $headers -Body $bodyjson -ContentType 'application/json'
    Write-Host "Citrix Cloud response: $($resp.RawContent)"

  2. On Line 4, replace CWSAuth bearer=XXXXXXX with your CWSAuth value (for example, CWSAuth bearer=AbCdef123Ghik…). This value is a long hash that resembles a certificate key.
  3. On Line 6, replace HubCustomerID with the customer ID of the hub account.
  4. On Line 9, replace SpokeCustomerID with the customer ID of the spoke account.
  5. Run the script.
  6. Repeat Steps 3-5 to link additional accounts as spokes.

To unlink a spoke account from the hub account:

  1. Open the PowerShell ISE. If the PowerShell ISE is already open, clear the working pane.
  2. Paste the following script into the working pane:

    $headers = @{}
    $headers.Add("Accept","application/json")
    $headers.Add("Content-Type","application/json")
    $headers.Add("Authorization","CWSAuth bearer=XXXXXXX")   # replace XXXXXXX with the CWSAuth value from CTX330675
    
    $uri = "https://trust.citrixworkspacesapi.net/HubCustomerID/links/SpokeCustomerID"   # replace both customer IDs
    
    $resp = Invoke-WebRequest -Method Delete -Uri $uri -Headers $headers   # removes only this spoke from the hub
    Write-Host "Response: $($resp.RawContent)"

  3. On Line 4, replace CWSAuth bearer=XXXXXXX with your CWSAuth value (for example, CWSAuth bearer=AbCdef123Ghik…). This value is a long hash that resembles a certificate key.
  4. On Line 6, replace HubCustomerID with the customer ID of the hub account.
  5. On Line 6, replace SpokeCustomerID with the customer ID of the spoke account.
  6. Run the script.
  7. Repeat Steps 4-6 to unlink additional accounts.
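The link and unlink procedures above, as an added example that is not Citrix’s own script: both calls wrapped in functions, several spokes linked in one run without duplicating entries, and the CWSAuth value prompted for at run time instead of pasted into the script body. The endpoint is the one this page documents; the function and parameter names and the sample customer IDs are this example’s own choices.

```powershell
# Added example, not Citrix's own script: the link and unlink calls from the two
# procedures above as functions, with the CWSAuth value prompted for at run time
# rather than pasted into the script body. The endpoint is the one this page
# documents; the function and parameter names are this example's own choices.

function Get-CwsHeader {
    param([Parameter(Mandatory)][string]$BearerToken)   # value retrieved per CTX330675
    @{
        "Accept"        = "application/json"
        "Content-Type"  = "application/json"
        "Authorization" = "CWSAuth bearer=$BearerToken"
    }
}

function Add-CitrixCloudSpoke {
    param(
        [Parameter(Mandatory)][string]$HubCustomerId,
        [Parameter(Mandatory)][string[]]$SpokeCustomerId,   # one or more spokes per run
        [Parameter(Mandatory)][string]$BearerToken
    )
    $headers = Get-CwsHeader -BearerToken $BearerToken
    $uri = "https://trust.citrixworkspacesapi.net/$HubCustomerId/links"

    # The POST replaces the whole link list, so fetch the current spokes first and
    # merge without duplicates (the page's script appends unconditionally).
    $current = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).linkedCustomers
    $merged  = @(@($current) + $SpokeCustomerId | Where-Object { $_ } | Select-Object -Unique)

    $bodyJson = @{ "customers" = $merged } | ConvertTo-Json
    $resp = Invoke-WebRequest -Method Post -Uri $uri -Headers $headers -Body $bodyJson -ContentType 'application/json'
    [pscustomobject]@{ StatusCode = $resp.StatusCode; LinkedCustomers = $merged }
}

function Remove-CitrixCloudSpoke {
    param(
        [Parameter(Mandatory)][string]$HubCustomerId,
        [Parameter(Mandatory)][string]$SpokeCustomerId,
        [Parameter(Mandatory)][string]$BearerToken
    )
    $headers = Get-CwsHeader -BearerToken $BearerToken
    $uri = "https://trust.citrixworkspacesapi.net/$HubCustomerId/links/$SpokeCustomerId"
    (Invoke-WebRequest -Method Delete -Uri $uri -Headers $headers).StatusCode
}

# Prompt for the token so it is not stored in the script file.
$token = Read-Host -Prompt "CWSAuth bearer value"
# Constructed customer IDs for illustration; use the IDs shown in your own consoles.
Add-CitrixCloudSpoke -HubCustomerId "hubcustomer1" -SpokeCustomerId "spokecustomer1","spokecustomer2" -BearerToken $token
```

Invoke-WebRequest throws on a non-2xx response, so a rejected or expired CWSAuth value surfaces as a terminating error rather than a silently unchanged link list.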