Configuring a new Entra ID-Only Control Account


Prerequisites

  • An Entra ID (Azure AD) Administrator Account to grant the necessary permissions to the application to authenticate with Entra ID. 

  • A Service account (or possibly a user account) for the bulk token enrollment process of VMs.

    • This account cannot have MFA enabled, because Control uses it without direct human intervention.

      This includes non-obvious MFA rules that are applied to the account indirectly, including:

      • Requiring MFA for device registration.

      • Requiring MFA for dynamic groups.

  • A new Control account (Workspot subscription): existing deployments cannot be upgraded.
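
The indirect MFA rules listed above can be reviewed before setup by checking which Conditional Access policies reach the bulk enrollment account. The following is an added example, not Workspot or Microsoft code: it evaluates a policy export in the Microsoft Graph conditionalAccessPolicy JSON shape. It assumes the MFA rules are implemented as Conditional Access policies; the object IDs, policy names and function names are constructed for illustration.

```python
# Added example. Assumes the Microsoft Graph conditionalAccessPolicy JSON shape.
# All IDs and policy names are constructed samples; role targeting is not checked.
SVC, DYN_GROUP = "svc-0001", "grp-dyn-0002"   # hypothetical object IDs

def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    return ("mfa" in (grant.get("builtInControls") or [])
            or bool(grant.get("authenticationStrength")))

def targets_account(policy, user_id, group_ids):
    users = (policy.get("conditions") or {}).get("users") or {}
    if user_id in (users.get("excludeUsers") or []):
        return False          # an explicit exclusion wins over any include
    if group_ids & set(users.get("excludeGroups") or []):
        return False
    include = users.get("includeUsers") or []
    if "All" in include or user_id in include:
        return True
    return bool(group_ids & set(users.get("includeGroups") or []))

def mfa_policies_for(policies, user_id, group_ids):
    """List (name, state, trigger) for each policy that puts MFA on the account."""
    hits = []
    for p in policies:
        if p.get("state") == "disabled":
            continue
        if not (requires_mfa(p) and targets_account(p, user_id, set(group_ids))):
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        actions = apps.get("includeUserActions") or []
        trigger = "device registration" if "urn:user:registerdevice" in actions else "sign-in"
        hits.append((p["displayName"], p["state"], trigger))
    return hits

def _policy(name, state, users, controls, actions=()):
    return {"displayName": name, "state": state,
            "conditions": {"users": users,
                           "applications": {"includeUserActions": list(actions)}},
            "grantControls": {"builtInControls": controls}}

SAMPLE_POLICIES = [  # constructed export, not taken from any real tenant
    _policy("MFA for all users", "enabled",
            {"includeUsers": ["All"], "excludeUsers": [SVC]}, ["mfa"]),
    _policy("MFA to register devices", "enabled",
            {"includeUsers": ["All"]}, ["mfa"], ["urn:user:registerdevice"]),
    _policy("MFA for dynamic group", "enabledForReportingButNotEnforced",
            {"includeGroups": [DYN_GROUP]}, ["mfa"]),
    _policy("Block legacy auth", "enabled", {"includeUsers": ["All"]}, ["block"]),
]
```

Pass the account's full group membership, including dynamic groups, as `group_ids`. Report-only policies are listed with their state because they would start requiring MFA once switched to enabled.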

Steps: 

  • Sign in to Control using the Control Administrator’s account that was created during setup. 

  • The Administrator will be asked to choose between AAD (Entra ID) and Active Directory. 

  1. Full AAD: If the Control account is configured with this option, both Workspot Client and Workspot Desktop authentication can use Entra ID credentials.

  2. Active Directory: If this is chosen, then the account can only be configured to use Active Directory for Desktop authentication, but Client authentication can use either AD or Entra ID.

  • Select the “Azure Active Directory” radio button and click the Request Permissions button. 

  • A new window will appear, with the details and the list of the permissions required. Please read this and click “Continue” if you’re satisfied with your selection.

  • A new window will appear asking you to provide the Entra ID Admin credentials. 

  • Once the credentials are provided, a screen will appear asking you to review the permissions that you are about to grant to the application. 

  • After reviewing, click “Accept.”

  • Once the process is complete you will be successfully signed out of the Entra ID account. 

  • On the Control page, you can now see that the permissions are granted for Control.

  • Click on the “Use Bulk Token Refresh” radio button.

  • If you wish to enter the bulk token credentials directly, click on “Enter Credentials” and provide the credentials in the fields below.

  • If you have secured the credentials in Azure Key Vault, you can choose that option from below and provide the path for it to be retrieved from the key vault. 

  • Once the credentials are provided, you can click on “Check Account and Save.” 

  • If everything goes well, you will see the status as “Verified.” 

  • Configuration is complete.