This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Azure AD service accounts
An Azure AD service account is a container to store application ID and secret of an Azure AD service principal which has sufficient permissions to manage Azure AD joined or Microsoft Intune enrolled devices. MCS can use this service account to automatically clean any stale Azure AD or Microsoft Intune devices generated during the lifecycle of the provisioned machines.
Permissions required for an Azure AD service principal
The permissions required for an Azure AD service principal used by a service account depend on the capabilities enabled for the service account.
- For the service account with Azure AD joined devices management capability, the Azure AD service principal must have
Device.ReadWrite.Allpermission in your Azure AD tenant. - For the service account with Microsoft Intune enrolled devices management capability, the Azure AD service principal must have
DeviceManagementManagedDevices.ReadWrite.Allpermission in your Azure AD tenant.
Limitation
Azure AD role-based access control is currently not supported. Therefore, assign the Azure AD permissions directly to the service principal.
Create an Azure AD service account
Use Studio or PowerShell to create an Azure AD service account.
Prerequisite
To create an Azure AD service account, make sure to complete the following task:
- Create an Azure AD principal in your Azure AD tenant with sufficient permissions based on the capabilities that you want to enable the service account with.
Use Studio
- In the DaaS tile, click Manage.
- In the left pane, select Administrators.
- In the Service Accounts tab, click Create Service Account.
- On the Identity Type page, select Azure Active Directory. Click Next.
- On the Credentials page, enter the Azure AD tenant ID, Application ID and Client secret and set the credential expiration date.
- Choose the capabilities for the service account.
- Select one or more scopes for the service account.
- Enter a friendly name and a description (optional) for the service account.
- Click Finish to complete the creation.
Note:
- The capability of Azure AD joined devices management is selected by default and you cannot deselect it.
- To use a multitenant Azure AD application which is invited to your tenant, the Azure AD tenant ID you entered must be your own tenant ID rather than the home tenant ID of the application.
Use PowerShell
Alternatively, you can use PowerShell commands to create an Azure AD service account. For example:
$tenantId = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
$applicationId = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
$applicationSecret = xxxxxxxxxxxxxxx
$credential = ConvertTo-SecureString -String $applicationSecret -AsPlainText -Force
New-AcctServiceAccount -IdentityProviderType AzureAD -IdentityProviderIdentifier $tenantId -AccountId $applicationId -AccountSecret $credential -SecretExpiryTime 2030/08/15 -Capabilities @("AzureADDeviceManagement","IntuneDeviceManagement") -DisplayName 'MyApplication' -Description 'Service account for Azure AD tenant'
<!--NeedCopy-->
Migrate Azure AD joined device management to service account
Previously, Citrix provided an option to enable Azure AD joined device management when creating or editing a hosting connection to Microsoft Azure Resource Manager. MCS used the permissions of the Azure AD service principal (provisioning SPN) stored along with the hosting connection to manage the stale Azure AD joined device. With service accounts, you can use a dedicated Azure AD service principal (identity management SPN) stored along with a service account to manage Azure AD joined or Microsoft Intune enrolled devices.
Citrix recommends migrating from hosting connection powered device management to service account powered device management to separate the responsibility of provisioning SPN and identity management SPN.
For any existing hosting connections that are already enabled with Azure AD joined device management, you can disable it as follows:
- From Studio, select Hosting in the left pane.
- Select the connection and then select Edit Connection in the action bar.
- On the Connection Properties page, clear the Enable Azure AD joined device management checkbox.
- Click Save to apply the changes.
Note:
Currently, you cannot enable Azure AD joined device management when creating a new hosting connection.
Where to go next
- To create Azure Active Directory joined catalogs, see Create Azure Active Directory joined catalogs.
- To manage service accounts, see Manage service accounts.
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.