Configuring an Entra-ID-Only Control Account


An Entra-ID-Only account does not use AD on the Workspot desktops; they are joined directly to an Entra ID domain. The choice between Entra-ID-Only and AD is made early in a new Workspot deployment. Contact Workspot if you aren’t sure which option to use.

Prerequisites

  • This is a selective feature: contact Workspot to enable it.

  • An existing Entra ID deployment can now be migrated to the new BPRT-based (Bulk Primary Refresh Token) method using the procedure in this article.

  • Access to an Entra ID (Azure AD) Administrator Account that allows you to manage your Entra ID domain via the Microsoft Entra Admin Center.

  • A New Control Account. (This procedure can only be performed on a new Workspot deployment, except when migrating an older Entra-ID-Only account to use the BPRT authentication method.)

Configuration in WCD (Windows Configuration Designer)

This step creates the BPRT (Bulk Primary Refresh Token) that is central to domain-joining Workspot desktops to the Entra ID domain.

  1. Download Microsoft’s Windows Configuration Designer application from the Microsoft Store.

  2. Use WCD to generate a package file, as described in Microsoft’s Bulk Enrollment for Windows Devices.

[Figure: Summary of device setup with highlighted bulk token expiry date and package creation details.]

  3. Control will use the BPRT from this package. Points to keep in mind:

    • Note down the expiration date of the BPRT: the token expires silently unless you configure this date in Control.

    • The BPRT can be found in Customizations.xml inside the generated package folder, for example:

      C:\Users\{username}\Documents\Windows Imaging and Configuration Designer (WICD)\{packagename}

    • WCD also reports this path at the bottom of the screen below.

    • The BPRT within the .xml file is between the <BPRT> and </BPRT> delimiters:

[Figure: XML configuration showing Azure authority and computer name details for provisioning.]

Configuration in Azure

Create a Key Vault

  1. Sign into the Azure Portal for the account associated with your Entra ID domain.

  2. Create a Key Vault (“Home > Key vaults > Create a key vault”).

    1. Set the “Key vault name” to something that indicates what it’s for. The example uses “BPRTToken.”

    2. Fill in the remaining fields with the usual values for your Entra ID deployment.

[Figure: Creating a key vault with specified name, region, and pricing tier options.]

  3. On the Networking tab, set up the access for the key vault. This is usually configured for public access, as shown below. (Configuring a firewall to restrict access to Workspot Control’s static IP addresses is feasible but beyond the scope of this article):

[Figure: Configuration options for enabling public access in a key vault setup.]

  4. In the Key Vault, create a Secret with:

    • Name: “WORKSPOT-BPRT-TOKEN”

    • Secret Value: The BPRT token value from the .xml file above.

    • Expiration date: This can be no more than six months in the future.

    • Enabled: Yes.

[Figure: Creating a secret in Azure with name, value, and expiration date settings.]

  5. For your Key Vault, create an Access Policy that assigns “Get” permissions for both “Key Permissions” and “Secret Permissions.”

[Figure: Creating an access policy in Microsoft Azure, selecting a principal for permissions.]

  6. Find the URL of the WORKSPOT-BPRT-TOKEN secret in the Azure Portal. You will copy this URL into Control in the next step.
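Added example (not Workspot’s or Microsoft’s code) that scripts the WCD-to-Key-Vault hand-off described above: it pulls the token out of Customizations.xml, derives a secret expiry that honours both the BPRT’s own expiry and the six-month limit, and builds the Azure CLI equivalents of the portal steps. The vault name, resource group, location, token file path and the access-policy principal’s object ID are assumed inputs that the article leaves to you.

```python
"""Added example: read the BPRT from Customizations.xml, pick a Key Vault secret expiry
within both the token's own expiry and the six-month cap, and build the matching az calls."""
import xml.etree.ElementTree as ET
from datetime import date, timedelta

SECRET_NAME = "WORKSPOT-BPRT-TOKEN"

# Constructed stand-in for the file WCD writes: only the namespaced <BPRT> element
# matters here; the surrounding layout and the token value are illustrative.
SAMPLE_CUSTOMIZATIONS_XML = """<WindowsCustomizations>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning"><Customizations>
<Common><Accounts><Azure><Authority>https://login.microsoftonline.com/common</Authority>
<BPRT>CONSTRUCTED.PLACEHOLDER.TOKEN</BPRT></Azure></Accounts></Common>
</Customizations></Settings></WindowsCustomizations>"""

def extract_bprt(xml_text: str) -> str:
    """Return the text between <BPRT> and </BPRT>, whatever namespace it sits in."""
    node = ET.fromstring(xml_text).find(".//{*}BPRT")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <BPRT> element found in Customizations.xml")
    return node.text.strip()

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (31 Aug + 6 months -> 28/29 Feb)."""
    m0 = d.month - 1 + months
    year, month = d.year + m0 // 12, m0 % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))

def secret_expiry(token_expiry: str, today: str) -> str:
    """ISO dates in, ISO date out: no later than the BPRT expiry and at most six months out."""
    t_exp, now = date.fromisoformat(token_expiry), date.fromisoformat(today)
    if t_exp <= now:
        raise ValueError("BPRT already expired: generate a new package in WCD")
    return min(t_exp, add_months(now, 6)).isoformat()

def az_commands(vault, resource_group, location, principal_oid, token_file, expiry):
    """Azure CLI equivalents of the portal steps. principal_oid (assumed parameter) is the
    object ID the access policy is granted to; the token is read from token_file so it
    never appears in argv or shell history. RBAC is disabled so access policies apply."""
    return [
        ["az", "keyvault", "create", "--name", vault, "--resource-group", resource_group,
         "--location", location, "--enable-rbac-authorization", "false"],
        ["az", "keyvault", "set-policy", "--name", vault, "--object-id", principal_oid,
         "--key-permissions", "get", "--secret-permissions", "get"],
        ["az", "keyvault", "secret", "set", "--vault-name", vault, "--name", SECRET_NAME,
         "--file", token_file, "--expires", f"{expiry}T00:00:00Z"],
        ["az", "keyvault", "secret", "show", "--vault-name", vault, "--name", SECRET_NAME,
         "--query", "id", "-o", "tsv"],  # this URI is what Control asks for
    ]
```

Write the extracted token to a file with owner-only permissions, run the returned commands in order with `subprocess.run`, and delete the file afterwards; the last command prints the secret URI to paste into Control.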

Configuration in Control

  1. After a new Control Account is created and verified, the user can sign in with the initial user account created during the setup.

  2. You will see a choice between “Active Directory” and “Entra ID.”

  3. Select “Entra ID” and click “Continue.”

[Figure: Configuration options for desktop sign-in methods using Active Directory or Entra ID.]

  4. Go to “Setup > Configuration > Authentication and Registration” if you aren’t taken there automatically.

  5. Paste the URI of WORKSPOT-BPRT-TOKEN (from the previous step) into “Location of the Key Vault with BPRT token.”

  6. Click the “Check URI and Save” button. You should see a green “Verified” banner.

  7. (Do NOT check “Use Default System Browser” unless asked to by Workspot.)

  8. Fill in the rest of the page as described in Control Setup: Configuration Page.

  9. At the bottom of the page, click “Save.”

[Figure: Authentication settings for Azure AD with highlighted Key Vault URI location.]

Troubleshooting

“Zombie” (Stale) Desktops

Desktops can only be deregistered from Entra ID while they are running. Actions that delete desktops when they aren’t in a running state leave stale desktop entries in Entra ID. These are invisible in the Control UI but still visible in the Entra ID portal and through the Control API.

These stale entries can be detected and deleted through the Control API’s GET staleDevices and POST staleDevices calls.

Non-Persistent Desktop