Configuring an Entra-ID-Only Control Account


Note: This procedure changed substantially with Control 25.11. Existing Entra-ID-Only deployments will continue to use the service account method.

Prerequisites

  • This is a selective feature: contact Workspot to enable it.

  • An existing Entra ID deployment. Setting up Entra ID is beyond the scope of this document.

  • An Entra ID (Azure AD) Administrator Account that allows you to manage your Entra ID domain via the Microsoft Entra Admin Center.

  • New Control Account. (This procedure can only be performed on a new Workspot deployment.)

Configuration in Azure

  1. Sign into the Azure Portal for the account associated with your Entra ID domain.

  2. Create a Key Vault (“Home > Key vaults > Create a key vault”).

    1. Set the “Key vault name” to something that indicates what it’s for. The example uses “BPRTToken.”

    2. Fill in the remaining fields with the usual values for your Entra ID deployment.

Creating a key vault with specified name, region, and pricing tier options.

  3. Create an Application to associate with Workspot Control with permissions TBD if you haven’t done this already.

[TBD: Screen shot or procedure to create the Application.]

  4. For your Key Vault, assign “Get” permissions for both “Key Permissions” and “Secret Permissions.”

Access policies for BPRToken showing application and user permissions in a key vault.

  5. Create WORKSPOT-BPRT-TOKEN in “Secrets > Create a secret.”

    1. Fill in the form as shown below.

    2. The name must be “WORKSPOT-BPRT-TOKEN”.

    3. You must set an expiration date. This can be no more than six months in the future. Write down the date because you will copy it into Control later.

Form for creating a secret with name, value, and expiration date fields.

  6. Find the URL of the token. This will be displayed in TBD. Copy the URL because you will paste it into Control in the next step.

[TBD: screen shot of page that shows Key Vault/token URL.]
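
A local pre-check for the secret name and expiration rules above and for the URI you will paste into Control, added here as an example; it is not Workspot code. It assumes the URI uses the standard public-cloud Key Vault secret identifier form, https://<vault-name>.vault.azure.net/secrets/<name>[/<version>], and that "six months" means calendar months; the function names and sample values are constructed.

```python
import calendar
import re
from datetime import date
from typing import List, Optional
from urllib.parse import urlparse

SECRET_NAME = "WORKSPOT-BPRT-TOKEN"  # name required by the procedure
# Assumption: public-cloud Key Vault DNS suffix; vault names are 3-24 chars.
VAULT_HOST = re.compile(r"^[a-z][a-z0-9-]{1,22}[a-z0-9]\.vault\.azure\.net$")


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamping the day (Aug 31 + 6 -> Feb 28/29)."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))


def check_secret(uri: str, expires: Optional[date], today: date) -> List[str]:
    """Return a list of problems; an empty list means the pre-check passed."""
    problems = []
    u = urlparse(uri.strip())
    if u.scheme != "https":
        problems.append("URI must use https")
    if not VAULT_HOST.match(u.hostname or ""):
        problems.append("host is not <vault-name>.vault.azure.net")
    parts = [p for p in u.path.split("/") if p]
    # Expected path: /secrets/<name> with an optional /<version> segment.
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        problems.append("path is not /secrets/<name>[/<version>]")
    elif parts[1] != SECRET_NAME:
        problems.append(f"secret name must be {SECRET_NAME}")
    if u.query or u.fragment or u.username:
        problems.append("URI carries query, fragment or userinfo")
    # Assumption: "six months" is counted in calendar months from today.
    if expires is None:
        problems.append("no expiration date set")
    elif expires <= today:
        problems.append("secret is already expired")
    elif expires > add_months(today, 6):
        problems.append("expiration is more than six months in the future")
    return problems


if __name__ == "__main__":
    # Constructed sample: vault name from the example, made-up version id.
    sample = ("https://bprttoken.vault.azure.net/secrets/"
              "WORKSPOT-BPRT-TOKEN/0123456789abcdef0123456789abcdef")
    print(check_secret(sample, date(2025, 7, 15), date(2025, 1, 15)) or "OK")
```
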

Configuration in Control

  1. After a new Control Account is created and verified, the user can sign in with the initial user account created during the setup.

  2. You will see a choice between “Active Directory” and “Entra ID.”

  3. Select “Entra ID” and click “Continue.”

    Configuration options for desktop sign-in methods using Active Directory or Entra ID.

  4. Go to “Setup > Configuration > Authentication and Registration” if you aren’t taken there automatically.

  5. Paste the URI of WORKSPOT-BPRT-TOKEN (from the previous step) into “Location of the Key Vault with BPRT token.”

  6. Click the “Check URI and Save” button. You should see a green “Verified” banner.

  7. (Do NOT check “Use Default System Browser” unless asked to by Workspot.)

  8. Fill in the rest of the page as described in Control Setup: Configuration Page.

  9. At the bottom of the page, click “Save.”

Authentication settings for Azure AD with highlighted Key Vault URI location.

Troubleshooting

“Zombie” (Stale) Desktops

Desktops can only be deregistered from Entra ID when they are running. Actions that delete desktops when they aren’t in a running state result in stale desktop entries in Entra ID. These are invisible in the Control UI, but they are still visible in the Entra ID portal and through the Control API.

Stale entries can be detected and deleted through the Control API’s “GET staleDevices” and “POST staleDevices” commands.