Prerequisites:
Note: (March 28, 2023) Microsoft has changed the requirements for the service account. It used to require no special permissions. Now you need it to be a “Cloud Device Administrator” or an “Intune Administrator.”
An Entra ID (Azure AD) Administrator account to grant the application the permissions it needs to authenticate with AAD
A service account or user account for the bulk token enrollment process of VMs
New Control Account
Configuration Process:
After a new Control Account is created and verified, the user can log in to it with the initial account created during setup.
The user then sees the screen below and has to choose the type (AAD or Active Directory).
Full AAD – If the control account is configured with this option, both Workspot Client authentication and Desktop Authentication use the AAD credentials.
Active Directory – If this is chosen, the account can be configured to use AAD or AD for Client Authentication but can only be configured to use AD for Desktop Authentication.
We shall go ahead and select the “Azure Active Directory” radio button and click the Request Permissions button.
A new window will appear with the details and the list of the permissions required. Review them and click Continue.
A new window will appear asking you to provide the AAD Admin credentials.
Once the credentials are provided, the screen below appears, asking you to review the permissions that you are about to grant to the application.
After reviewing, click on Accept.
Once the process is complete, you will be signed out of the AAD account.
On the control page, you can now see that the permissions are granted for Control.
Click on the “Use Bulk Token Refresh” radio button.
If you wish to enter the bulk token credentials directly, click on “Enter Credentials” and provide the credentials in the fields below.
If you have secured the credentials in Azure Key Vault, you can choose that option below and provide the path from which they are retrieved in the key vault.
Once the credentials are provided, you can click on “Check Account and Save”.
If everything goes well, you will see the status as “Verified”.
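Before running “Check Account and Save”, it helps to confirm that the bulk token account actually holds one of the two roles named in the prerequisites note and nothing broader. The script below is an added example, not part of the original Workspot procedure; it assumes the Microsoft Graph PowerShell SDK is installed, and the account name is a placeholder.

```powershell
# Added example: verify the bulk-token account's Entra ID directory roles.
# Assumes the Microsoft.Graph PowerShell SDK; the UPN below is a placeholder.
param(
    [string]$ServiceAccountUpn = 'svc-bulktoken@example.onmicrosoft.com'
)

# Roles the prerequisites note says the account now needs (either one).
$acceptedRoles = @('Cloud Device Administrator', 'Intune Administrator')

# Read-only delegated scopes are enough for this check.
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory'

$user = Get-MgUser -UserId $ServiceAccountUpn -ErrorAction Stop

# Active role assignments made directly to this account.
# Roles inherited through group membership or held only as PIM-eligible
# assignments are not returned by this query and need a separate review.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)'" -All

$held = foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{
        Role  = $def.DisplayName
        Scope = $a.DirectoryScopeId   # "/" means tenant-wide
    }
}

$matched = @($held | Where-Object { $_.Role -in $acceptedRoles })
$extra   = @($held | Where-Object { $_.Role -notin $acceptedRoles })

if ($matched.Count -eq 0) {
    Write-Warning "$ServiceAccountUpn holds none of: $($acceptedRoles -join ', ')"
} else {
    Write-Output "Required role present: $($matched.Role -join ', ')"
}

# Anything beyond the two accepted roles is more privilege than the
# bulk token account needs and should be reviewed.
if ($extra.Count -gt 0) {
    Write-Warning "Additional roles assigned: $($extra.Role -join ', ')"
}

$held | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```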