This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Azure AD service accounts
An Azure AD service account is a container to store application ID and secret of an Azure AD service principal which has sufficient permissions to manage Azure AD joined or Microsoft Intune enrolled devices. MCS can use this service account to automatically clean any stale Azure AD or Microsoft Intune devices generated during the lifecycle of the provisioned machines.
Permissions required for an Azure AD service principal
The permissions required for an Azure AD service principal used by a service account depend on the capabilities enabled for the service account.
- For the service account with Azure AD joined devices management capability, the Azure AD service principal must have
Device.ReadWrite.All
permission in your Azure AD tenant. - For the service account with Microsoft Intune enrolled devices management capability, the Azure AD service principal must have
DeviceManagementManagedDevices.ReadWrite.All
permission in your Azure AD tenant.
Limitation
Azure AD role-based access control is currently not supported. Therefore, assign the Azure AD permissions directly to the service principal.
Create an Azure AD service account
Use Studio or PowerShell to create an Azure AD service account.
Prerequisite
To create an Azure AD service account, make sure to complete the following task:
- Create an Azure AD principal in your Azure AD tenant with sufficient permissions based on the capabilities that you want to enable the service account with.
Use Studio
- In the DaaS tile, click Manage.
- In the left pane, select Administrators.
- In the Service Accounts tab, click Create Service Account.
- On the Identity Type page, select Azure Active Directory. Click Next.
- On the Credentials page, enter the Azure AD tenant ID, Application ID and Client secret and set the credential expiration date.
- Choose the capabilities for the service account.
- Select one or more scopes for the service account.
- Enter a friendly name and a description (optional) for the service account.
- Click Finish to complete the creation.
Note:
- The capability of Azure AD joined devices management is selected by default and you cannot deselect it.
- To use a multitenant Azure AD application which is invited to your tenant, the Azure AD tenant ID you entered must be your own tenant ID rather than the home tenant ID of the application.
Use PowerShell
Alternatively, you can use PowerShell commands to create an Azure AD service account. For example:
$tenantId = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
$applicationId = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
$applicationSecret = xxxxxxxxxxxxxxx
$credential = ConvertTo-SecureString -String $applicationSecret -AsPlainText -Force
New-AcctServiceAccount -IdentityProviderType AzureAD -IdentityProviderIdentifier $tenantId -AccountId $applicationId -AccountSecret $credential -SecretExpiryTime 2030/08/15 -Capabilities @("AzureADDeviceManagement","IntuneDeviceManagement") -DisplayName 'MyApplication' -Description 'Service account for Azure AD tenant'
<!--NeedCopy-->
Associate Azure AD service account with machine catalog
The MCS machine catalogs with Azure Active Directory joined machine identities can be associated with an Azure AD service account. Machine catalogs can use the capabilities provided by the service account to manage stale Azure AD joined or Microsoft Intune enrolled devices.
Use Studio or PowerShell commands to associate an Azure AD service account with an MCS machine catalog.
Use Studio
The following information is a supplement to the guidance in Create machine catalogs.
- Sign in to Citrix Cloud.
- In the DaaS tile, click Manage to open Studio.
- In the left pane, select Machine Catalogs.
- Select Create Machine Catalog. The catalog creation wizard opens.
- On the Machine Identities page, click Select service account and select an available service account from the list. If a suitable service account is not available for the Azure AD tenant that the machine identities will join to, you can create a service account.
Note:
The service account that you selected might be in an unhealthy status due to various reasons. You can go to Administrators > Service Accounts to view details and fix the issues according to the recommendations. Alternatively, you can proceed with the machine catalog operation and fix the issues later. If do not fix the issue, stale Azure AD joined or Microsoft Intune enrolled devices are generated that can block Azure AD join of the machines.
Modify the service account association
To change the associated service account or add an association to an existing MCS machine catalog, use the Edit Machine Catalog page.
- To add a service account, click Select service account on the Service Account page.
- To change the service account association, click the edit icon on the Service Account page.
Use PowerShell
To associate an Azure AD service account with an MCS machine catalog, associate it with the identity pool that is used by the machine catalog. You can either create a new identity pool or update an existing identity pool to associate it with a service account.
For example: To create a new identity pool and associate it with a service account, run the following:
New-AcctIdentityPool -IdentityType AzureAD -IdentityPoolName MyPool -NamingScheme Acc#### -NamingSchemeType Numeric -ServiceAccountUid $serviceAccountUid
<!--NeedCopy-->
For example: To update an existing identity pool to associate it with a service account, run the following:
$identityPoolUid = (Get-ProvScheme -ProvisioningSchemeName "MyProvScheme").IdentityPoolUid
Set-AcctIdentityPool -IdentityPoolUid $identityPoolUid -ServiceAccountUid $serviceAccountUid
<!--NeedCopy-->
Note:
The
$serviceAccountUid
must be a valid UID of an on-premises service account.
Migrate Azure AD joined device management to service account
Previously, Citrix provided an option to enable Azure AD joined device management when creating or editing a hosting connection to Microsoft Azure Resource Manager. MCS uses the permissions of the Azure AD service principal (provisioning SPN) stored along with the hosting connection to manage the stale Azure AD joined device. With service accounts, you can use a dedicated Azure AD service principal (identity management SPN) stored along with a service account to manage Azure AD joined or Microsoft Intune enrolled devices.
Citrix recommends migrating from hosting connection powered device management to service account powered device management to separate the responsibility of provisioning SPN and identity management SPN. See:
For any existing hosting connections that are already enabled with Azure AD joined device management, you can disable it as follows:
- From Studio, select Hosting in the left pane.
- Select the connection and then select Edit Connection in the action bar.
- On the Connection Properties page, clear the Enable Azure AD joined device management checkbox.
- Click Save to apply the changes.
Note:
Currently, you cannot enable Azure AD joined device management when creating a new hosting connection.
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.