Azure Active Directory as IdP
Configuring Azure Active Directory (AAD) as your identity provider (IdP) lets users enroll in XenMobile using their Azure credentials.
iOS, Android, and Windows 10 and Windows 11 devices are supported. iOS and Android devices enroll through Secure Hub. This authentication method is available only to users enrolling in MDM through Citrix Secure Hub. Devices enrolling in MAM can’t authenticate using AAD credentials. To use Secure Hub with MDM+MAM, configure XenMobile to use Citrix Gateway for MAM enrollment. For more information, see Citrix Gateway and XenMobile.
You configure Azure as your IdP under Settings > Authentication > IDP. The IDP page is new to this version of XenMobile. In previous versions of XenMobile, you configured Azure under Settings > Microsoft Azure.
Versions and licenses
- To enroll iOS or Android devices, you need Secure Hub 10.5.5.
- To enroll Windows 10 and Windows 11 devices, you need Microsoft Azure Premium licenses.
Directory services and authentication
- XenMobile Server must be configured for certificate-based authentication.
- If you are using Citrix ADC for authentication, Citrix ADC must be configured for certificate-based authentication.
- Secure Hub authentication uses Azure AD and honors the authentication mode defined on Azure AD.
- XenMobile Server must connect to Windows Active Directory (AD) using LDAP. Configure your local LDAP server to sync with Azure AD.
When a device enrolls through Secure Hub and XenMobile is configured to use Azure as its IdP:
1. Users enter their Azure Active Directory user name and password, on their device, in the Azure AD login screen shown in Secure Hub.
2. Azure AD validates the user and sends an ID token.
3. Secure Hub shares the ID token with XenMobile Server.
4. XenMobile validates the ID token and the user information present in the ID token. XenMobile returns a session ID.
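The kind of claim checks a server applies when it validates an Azure AD ID token, as an added example (not Citrix code and not XenMobile's actual logic). It assumes Azure AD's standard `iss`, `tid`, `aud`, `exp`, `nbf` and `upn` claims, uses constructed tenant and client IDs, and assumes the token signature was already verified.

```python
import base64
import json
import time

# Constructed sample values; not taken from any real tenant or from the page.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "66666666-7777-8888-9999-000000000000"

def sample_token(claims):
    """Build a constructed, unsigned token for this demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "c2ln"])

def decode_claims(id_token):
    """Decode the payload segment of a JWT. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, tenant_id, client_id, now=None, leeway=300):
    """Return the normalized UPN if the claims fit this tenant and app.

    Assumes the signature was already verified against Azure AD's
    published signing keys; these checks do not replace that step.
    """
    now = time.time() if now is None else now
    issuers = {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }
    if claims.get("iss") not in issuers:
        raise ValueError("issuer is not the configured tenant")
    if claims.get("tid") != tenant_id:
        raise ValueError("tid does not match the configured tenant")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued for a different application")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("token is expired or has no exp claim")
    if now < nbf - leeway:
        raise ValueError("token is not yet valid")
    upn = claims.get("upn")
    if not isinstance(upn, str) or "@" not in upn:
        raise ValueError("no usable userPrincipalName in token")
    return upn.lower()  # UPNs are compared case-insensitively
```

A token issued for another tenant or another application fails these checks even when its signature is valid, which is why the tenant ID and client ID are part of the IdP configuration.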
Azure account setup
To use Azure AD as your IdP, first log in to your Azure account and make these changes:
Register your custom domain and verify the domain. For details, see Add custom domain name to Azure Active Directory.
Extend your on-premises directory to Azure Active Directory using directory integration tools. For details, see Directory Integration.
To use Azure AD to enroll Windows 10 and Windows 11 devices, make the following changes to your Azure account:
Make the MDM a relying party of Azure AD. To do so, click Azure Active Directory > Applications and then click Add.
Select Add an application from the gallery. Go to MOBILE DEVICE MANAGEMENT and then select on-premises MDM application. Save the settings.
You choose on-premises application even if you signed up for Citrix XenMobile cloud. In Microsoft terminology, any non-multi-tenant application is an on-premises MDM application.
MDM Discovery URL:
APP ID URI:
- MDM Discovery URL:
Select the on-premises MDM application that you created in step 2. Enable the option, Manage devices for these users, to enable MDM management for all users or any specific user group.
For more information about using Azure AD with Windows 10 and Windows 11 devices, see the Microsoft article Azure Active Directory integration with MDM.
Configure Azure AD as your IdP
Locate or make note of the information you need from your Azure account:
- Tenant ID from the Azure application settings page.
- If you want to use Azure AD to enroll Windows 10 and Windows 11 devices, you also need:
  - App ID URI: The URL for the server running XenMobile.
  - Client ID: The unique identifier for your app from the Azure Configure page.
  - Key: From the Azure application settings page.
In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
Under Authentication, click Identity Provider (IDP). The Identity Provider page appears.
Click Add. The IDP configuration page appears.
Configure the following information about your IdP:
- IDP Name: Type a name for the IdP connection you are creating.
- IDP Type: Choose Azure Active Directory as your IdP type.
- Tenant ID: Copy this value from the Azure application settings page. In the browser address bar, copy the section made up of numbers and letters.
For example, in https://manage.windowszaure.com/acmew.onmicrosoft.com#workspaces/ActiveDirectoryExtensin/Directory/abc213-abc123-abc123/onprem..., the tenant ID is: abc213-abc123-abc123.
The rest of the fields automatically fill. When they are filled, click Next.
To configure XenMobile to enroll Windows 10 and Windows 11 devices using Azure AD for MDM enrollment, configure the following settings. To skip this optional step, clear Windows MDM.
- App ID URI: Type the URL for the XenMobile Server that you entered when you configured your Azure settings.
- Client ID: Copy and paste this value from the Azure Configure page. The client ID is the unique identifier for your app.
- Key: Copy this value from the Azure application settings page. Under keys, select a duration in the list and then save the setting. You can then copy the key and paste it into this field. A key is required when apps read or write data in Microsoft Azure AD.
Citrix has registered Secure Hub with Microsoft Azure and maintains the information. This screen shows the details used by Secure Hub to communicate with Azure Active Directory. This page is for future use if any of this information needs to change. Edit this page only if Citrix advises you to.
Configure the type of user identifier that your IdP provides:
- User Identifier type: Choose userPrincipalName from the list.
- User Identifier string: This field is automatically filled.
Review the Summary page and click Save.
What users experience
Users start Secure Hub. Users then enter the XenMobile Server Fully Qualified Domain Name (FQDN), a User Principal Name (UPN), or email address.
Users then click Yes, Enroll.
Users log on by using their Azure AD credentials.
Users complete the enrollment steps in the same way as any other enrollment through Secure Hub.
XenMobile doesn’t support authentication through Azure AD for enrollment invitations. If you send users an enrollment invitation containing an enrollment URL, users authenticate through LDAP instead of Azure AD.