Microsoft Entra service accounts
A Microsoft Entra service account is a container that stores the application ID and client secret of a Microsoft Entra service principal with sufficient permissions to manage Microsoft Entra joined or Microsoft Intune enrolled devices. MCS uses this service account to automatically clean up stale Microsoft Entra or Microsoft Intune device objects left behind during the lifecycle of the provisioned machines.
Permissions required for a Microsoft Entra service principal
The permissions required for the Microsoft Entra service principal used by a service account depend on the capabilities enabled for the service account. Because the service account authenticates with a client secret rather than as a signed-in user, these are Microsoft Graph application permissions and must be granted admin consent in your tenant.
- Microsoft Entra joined devices management: the service principal must have the Device.ReadWrite.All permission in your Microsoft Entra tenant.
- Microsoft Intune enrolled devices management: the service principal must have the DeviceManagementManagedDevices.ReadWrite.All permission in your Microsoft Entra tenant.
- Microsoft Entra security group management: the service principal must have the Group.ReadWrite.All and GroupMember.ReadWrite.All permissions in your Microsoft Entra tenant.
Limitation
Microsoft Entra role-based access control is currently not supported. Therefore, assign the Microsoft Entra permissions directly to the service principal.
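Before storing the application ID and secret in a service account, it is worth confirming that the service principal holds exactly the application permissions the enabled capabilities need, and no more. The following script is an added example and not part of the Citrix documentation or SDK; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignment), and the function names, the placeholder application ID and the capability label SecurityGroupManagement (the page does not name the SDK value for that capability) are assumptions.

```powershell
# Added example: compare the Microsoft Graph application permissions (app roles) granted to the
# service principal against those required by the service-account capabilities you will enable.
# Delegated (user) permissions are ignored on purpose: the service account signs in with a client
# secret, so only application permissions granted admin consent apply.
#Requires -Modules Microsoft.Graph.Applications

# Capability -> required Graph application permissions, as listed on this page.
# 'SecurityGroupManagement' is an assumed label for the security group capability.
$RequiredByCapability = @{
    AzureADDeviceManagement = @('Device.ReadWrite.All')
    IntuneDeviceManagement  = @('DeviceManagementManagedDevices.ReadWrite.All')
    SecurityGroupManagement = @('Group.ReadWrite.All', 'GroupMember.ReadWrite.All')
}

function Get-EntraSpAppRoleGrants {
    param([Parameter(Mandatory)][string]$ApplicationId)

    # Reading app role assignments needs Application.Read.All on the signed-in admin.
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

    # Resolve the service principal in THIS tenant. For a multitenant app this is the invited
    # instance, which is why the service account takes your tenant ID, not the app's home tenant.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ApplicationId'"
    if (-not $sp) { throw "No service principal for appId $ApplicationId exists in this tenant." }

    # Microsoft Graph's own service principal defines the grantable app roles; its appId is the
    # well-known value 00000003-0000-0000-c000-000000000000.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $roleNames = @{}
    foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

    # Each granted application permission is an app role assignment whose resource is Graph.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Where-Object ResourceId -eq $graphSp.Id |
        ForEach-Object { $roleNames[$_.AppRoleId] }
}

function Test-EntraServiceAccountPermissions {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string[]]$Capabilities
    )
    foreach ($c in $Capabilities) {
        if (-not $RequiredByCapability.ContainsKey($c)) { throw "Unknown capability '$c'." }
    }
    $required = $Capabilities | ForEach-Object { $RequiredByCapability[$_] } | Sort-Object -Unique
    $granted  = @(Get-EntraSpAppRoleGrants -ApplicationId $ApplicationId | Sort-Object -Unique)

    [pscustomobject]@{
        Required = $required
        Granted  = $granted
        # Device cleanup fails without these.
        Missing  = @($required | Where-Object { $_ -notin $granted })
        # Over-privilege: remove unless another workload depends on the same app.
        Extra    = @($granted  | Where-Object { $_ -notin $required })
    }
}

# Usage: replace the placeholder with the application ID you will store in the service account.
Test-EntraServiceAccountPermissions -ApplicationId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' `
    -Capabilities @('AzureADDeviceManagement', 'IntuneDeviceManagement') | Format-List
```

An empty Missing list means the service account will work; a non-empty Extra list means the provisioning or identity management SPN carries permissions the page does not call for, which is the kind of standing privilege the separation of SPNs described later on this page is meant to avoid.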
Create a Microsoft Entra service account
Use Studio or PowerShell to create a Microsoft Entra service account.
Prerequisite
To create a Microsoft Entra service account, make sure to complete the following task:
- Create a Microsoft Entra service principal in your Microsoft Entra tenant with sufficient permissions for the capabilities that you want to enable for the service account.
Use Studio
- In the DaaS tile, click Manage.
- In the left pane, select Administrators.
- In the Service Accounts tab, click Create Service Account.
- On the Identity Type page, select Microsoft Entra ID. A new option to route the traffic is enabled.
- Select the Route traffic through Citrix Cloud Connectors checkbox.
- Select the zones available to route the traffic and click Next.
- On the Credentials page, enter the Microsoft Entra tenant ID, Application ID, and Client secret and set the credential expiration date.
- Choose the capabilities for the service account.
- Select one or more scopes for the service account.
- Enter a friendly name and a description (optional) for the service account.
- Click Finish to complete the creation.
Note:
- The capability of Microsoft Entra joined devices management is selected by default and you cannot deselect it.
- To use a multitenant Microsoft Entra application, which is invited to your tenant, the Microsoft Entra tenant ID you entered must be your own tenant ID rather than the home tenant ID of the application.
Use PowerShell
Alternatively, you can use PowerShell commands to create a Microsoft Entra service account. For example (the GUID and secret values are placeholders; in practice read the secret from a vault or with Read-Host -AsSecureString rather than placing it in a script):

```powershell
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"       # your Microsoft Entra tenant ID
$applicationId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # application (client) ID of the service principal
$applicationSecret = "xxxxxxxxxxxxxxx"                   # client secret of the service principal
# The SDK takes the secret as a SecureString.
$credential = ConvertTo-SecureString -String $applicationSecret -AsPlainText -Force
New-AcctServiceAccount -IdentityProviderType AzureAD -IdentityProviderIdentifier $tenantId -AccountId $applicationId -AccountSecret $credential -SecretExpiryTime "2030/08/15" -Capabilities @("AzureADDeviceManagement","IntuneDeviceManagement") -DisplayName 'MyApplication' -Description 'Service account for Microsoft Entra tenant'
```
Migrate Microsoft Entra joined device management to service account
Previously, Citrix® provided an option to enable Microsoft Entra joined device management when creating or editing a hosting connection to Microsoft Azure Resource Manager. MCS used the permissions of the Microsoft Entra service principal (provisioning SPN) stored with the hosting connection to manage stale Microsoft Entra joined devices. With service accounts, you can use a dedicated Microsoft Entra service principal (identity management SPN) stored with a service account to manage Microsoft Entra joined or Microsoft Intune enrolled devices.
Citrix recommends migrating from hosting connection-powered device management to service account-powered device management to separate the responsibility of provisioning SPN and identity management SPN.
For any existing hosting connections that are already enabled with Microsoft Entra joined device management, you can disable it as follows:
- From Studio, select Hosting in the left pane.
- Select the connection and then select Edit Connection in the action bar.
- On the Connection Properties page, clear the Enable Microsoft Entra joined device management checkbox.
- Click Save to apply the changes.
Note:
Currently, you cannot enable Microsoft Entra joined device management when creating a new hosting connection.
Route Microsoft Entra device management and security group management traffic
Create or modify a Microsoft Entra service account to route Microsoft Entra device management and security group management traffic from the Delivery Controller to Microsoft Entra ID through a Citrix Cloud Connector.
Include the following custom property while creating or modifying a Microsoft Entra service account:
CustomProperties: {"ProxyHypervisorTrafficThroughConnector":true,"ZoneUid":["<zone uid>"]}
Note:
ZoneUid is the Uid of the zone (resource location) through which the traffic is routed; the array can list more than one zone. Obtain the Uid from the Get-ConfigZone command.
For example:
- For creating a new Microsoft Entra service account:

```powershell
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$applicationId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$applicationSecret = "xxxxxxxxxxxxxxx"
$SecureString = ConvertTo-SecureString -String $applicationSecret -AsPlainText -Force
New-AcctServiceAccount -IdentityProviderType AzureAD -IdentityProviderIdentifier $tenantId -AccountId $applicationId -AccountSecret $SecureString -SecretExpiryTime "<yyyy-mm-dd>" -Capabilities @("AzureADDeviceManagement","IntuneDeviceManagement") -DisplayName "<Display name>" -CustomProperties '{"ProxyHypervisorTrafficThroughConnector":true,"ZoneUid":["<Zone UID>"]}'
```

- For modifying an existing Microsoft Entra service account. The JSON is built in a double-quoted string so that $ZoneUid is expanded; inside single quotes the literal text $ZoneUid would be sent to the Delivery Controller:

```powershell
# $ZoneUid holds the Uid obtained from Get-ConfigZone; $serviceAccountUid identifies the account to modify.
$customProperties = "{`"ProxyHypervisorTrafficThroughConnector`":true,`"ZoneUid`":[`"$ZoneUid`"]}"
Set-AcctServiceAccount -ServiceAccountUid $serviceAccountUid -CustomProperties $customProperties
```
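The two commands above leave the zone lookup and the JSON quoting to the operator, which is where mistakes tend to happen. The following script is an added example, not code from the Citrix documentation, that puts the whole routing procedure into one function: it resolves zone names to Uids with Get-ConfigZone, builds the custom properties with ConvertTo-Json so the boolean and the Uid array are emitted as valid JSON, checks the secret expiry, and then calls New-AcctServiceAccount. It assumes the Citrix DaaS Remote PowerShell SDK is loaded and authenticated and that Get-ConfigZone returns objects with Name and Uid properties; the function names and the zone name used in the usage line are assumptions.

```powershell
# Added example: create a Microsoft Entra service account whose device and group management
# traffic is routed through the Cloud Connectors of the named resource location(s).

function Get-ZoneUidByName {
    # Resolve one or more zone (resource location) names to their Uids via Get-ConfigZone.
    # Assumes the returned zone objects expose Name and Uid.
    param([Parameter(Mandatory)][string[]]$ZoneName)
    $zones = @(Get-ConfigZone)
    foreach ($name in $ZoneName) {
        $zone = $zones | Where-Object Name -eq $name
        if (-not $zone) {
            throw "Zone '$name' not found. Known zones: $(($zones | ForEach-Object Name) -join ', ')"
        }
        [string]$zone.Uid
    }
}

function New-RoutedEntraServiceAccount {
    param(
        [Parameter(Mandatory)][string]$TenantId,          # your tenant, not the app's home tenant
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][securestring]$ClientSecret,
        [Parameter(Mandatory)][datetime]$SecretExpiry,
        [Parameter(Mandatory)][string[]]$ZoneName,
        [Parameter(Mandatory)][string]$DisplayName,
        [string[]]$Capabilities = @('AzureADDeviceManagement'),
        [string]$Description = 'Identity management SPN for MCS device cleanup'
    )
    # A secret that is already expired (or expires today) produces a service account that
    # silently stops cleaning up devices; refuse it up front.
    if ($SecretExpiry.Date -le (Get-Date).Date) {
        throw "Client secret expiry $($SecretExpiry.ToString('yyyy-MM-dd')) must be in the future."
    }

    # Build the custom properties as an object and serialise it, rather than hand-writing the
    # JSON, so the zone Uids are quoted correctly and 'true' stays a JSON boolean.
    $props = [ordered]@{
        ProxyHypervisorTrafficThroughConnector = $true
        ZoneUid = @(Get-ZoneUidByName -ZoneName $ZoneName)
    }
    $customProperties = $props | ConvertTo-Json -Compress
    # e.g. {"ProxyHypervisorTrafficThroughConnector":true,"ZoneUid":["<zone uid>"]}

    New-AcctServiceAccount -IdentityProviderType AzureAD `
        -IdentityProviderIdentifier $TenantId `
        -AccountId $ApplicationId `
        -AccountSecret $ClientSecret `
        -SecretExpiryTime $SecretExpiry.ToString('yyyy-MM-dd') `
        -Capabilities $Capabilities `
        -DisplayName $DisplayName `
        -Description $Description `
        -CustomProperties $customProperties
}

# Usage: the secret is typed at the prompt so it never lands in the script or shell history.
$secret = Read-Host -Prompt 'Client secret' -AsSecureString
New-RoutedEntraServiceAccount -TenantId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' `
    -ApplicationId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' `
    -ClientSecret $secret `
    -SecretExpiry '2030-08-15' `
    -ZoneName 'My resource location' `
    -Capabilities @('AzureADDeviceManagement', 'IntuneDeviceManagement') `
    -DisplayName 'MCS identity management SPN'
```

To route an existing account instead, build $customProperties the same way and pass it to Set-AcctServiceAccount -ServiceAccountUid as shown above; the serialised string is identical in both cases.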
Where to go next
- To create Microsoft Entra joined catalogs, see Identity pool of Microsoft Entra joined machine identity.
- To manage service accounts, see Manage service accounts.
This Preview product documentation is Citrix Confidential.