Configuring Entra ID (Azure Active Directory) in Workspot Control

  • Updated on Dec 19, 2024
  • Published on Jul 16, 2024
  • 3 minute(s) read
  • Robert Plamondon
  • d

Introduction

Workspot supports Entra ID (formerly Azure Active Directory or Azure AD) as an optional method for authenticating your Workspot users’ access to the Workspot Client.

Workspot's Entra ID support allows end-users to log into the Workspot Client using Microsoft's Entra ID services, using whatever settings for access, multi-factor authentication, etc. that you have set up with Entra ID.

Entra ID is supported by all Workspot Clients.

About Microsoft Entra ID

Entra ID/Azure AD is Microsoft’s cloud-based directory and identity management service. See Microsoft’s What is Microsoft Entra ID? for more information.

End-User Experience

When Entra ID is enabled, the users receive a Microsoft Login/Office 365 Login experience, customized according to whatever rules you have set up with Microsoft for Entra ID, including a customized logo and MFA (multi-factor authentication) requirements.

With Entra ID sign-in, end-users no longer have the option of having a PIN to lock their Workspot Clients: they have to sign in with a password and possibly MFA each time they start or unlock the Client.

The first time they sign in with a given Client, end-users are asked to identify themselves by email address. This screen will not be shown on later sessions:

Note: Screen configurations in this article will vary slightly from those shown.

Then they are asked for a password via a Microsoft Login screen that you have (probably) customized with your own logo. Subsequent sign-ins will start with this screen:

On successful sign-in, they will be taken to the Workspot Client dashboard:

The Microsoft Login screen, as usual, also allows them to sign in as a different user or to change their password.

Configuring Workspot for Entra ID

Requirements

  • Workspot’s Entra ID support is an optional feature. To make it available for your deployment, contact your Workspot customer service representative.

  • To use Entra ID with Workspot, you need an existing, configured Entra ID subscription for your organization.

  • Your Entra ID deployment must be synchronized with your Active Directory servers used by your Workspot Enterprise Connector.

  • You need your organization’s Entra ID global administrative credentials to authorize Workspot access to your Entra ID service.

  • You need administrator-level access to your Workspot Control account.

  • Both your Workspot RD Gateways and Workspot Clients must be able to reach https://login.microsoft.com.

Caveats

  • Entra ID currently cannot be disabled by the Workspot customer, but only by Workspot Support.

  • This Entra ID support does NOT replace the Workspot Enterprise Connector. The Workspot Enterprise Connector and its connection to your AD server are currently still required.

  • The Workspot Agent is unchanged. This means that end-users will log into remote desktops and applications as before. Only the login to the Workspot Client changes.

Procedure

To configure Workspot to use Entra ID:

  1. Log onto Workspot Control as a Workspot Administrator

  2. Navigate to Setup > Configuration.

  3. Find the “Azure AD (Entra ID) Auth” section and click the “Enable” button.

  1. A descriptive screen will appear. Read it and press the “Continue” button.

  1. A Microsoft login window will pop up. Enter your organization’s Entra ID global administrative user credentials.

  1. The Microsoft Entra ID system will ask you to approve Workspot read-only access to your user profiles. Click “Accept.”

  1. Entra ID access has been enabled. Workspot Control will now give you the opportunity to log your browser out of the Entra ID administrative account. To sign out, click your account under the “Pick an account” heading.

  1. When you return to the Configuration page in Workspot Control, Entra ID Authentication will be shown as “Enabled.”

  1. Configure credential caching. This controls when the Client is allowed to use cached credentials instead of forcing the user to sign in. Regardless of this setting, if Entra ID wants the user to sign in due to the rules you have set, the cached credentials will be ignored and the user must provide them again. See Credential Caching for more information.

Testing Your Installation

Test the installation on a system with an Entra ID-compatible Workspot Client.

  • Exit and restart the Workspot Client to ensure that the Client has polled Workspot Control for the latest configuration.

  • You will be prompted to log in via a Microsoft login screen (similar to the one you used when enabling Entra ID).

  • Log in with valid Entra ID user credentials.

    • If successful, the Workspot Client will show your desktops and apps.

    • If you receive the error message, "Your token credentials were rejected by the Remote Desktop Gateway," your Workspot RD Gateway likely can't reach https://login.microsoft.com due to firewall restrictions.

Event Log Messages

Workspot Control logs the initiation, success, or failure of the Entra ID setup process, as shown in the image below.

Note: If you close your browser partway through the process, subsequent log messages are not guaranteed.