Windows 10

Connect Azure AD and KACE Cloud MDM


  • Must have an Azure AD P2 subscription to support Autopilot or Azure Domain Join.
  • Must have configured SSO for KACE Cloud MDM with the Azure AD subscription.

IMPORTANT: Option 'Immediately redirect to identity provider' must be set.

In Azure AD

To Add KACE Cloud MDM App to Azure AD:

  1. Log in to Azure AD.
  2. Go to Mobility (MDM and MAM).
  3. Click + Add application to add KACE Cloud MDM app.
  4. Locate and select On-Premises MDM application.
  5. In right panel, rename the app to 'KACE Cloud MDM', then click Add.

The app will now show up in the main Mobility (MDM and MAM) list.

To Configure KACE Cloud MDM App in Azure AD:

  1. In Mobility (MDM and MAM), open the KACE Cloud MDM app.
  2. Set to All.
  3. Create Terms of Use in KACE Cloud MDM.
    • Copy and paste the MDM terms of use URL and MDM discovery URLs. 

To continue with this configuration, we'll move down the left navigation on the main page of Azure AD.


  1. In left navigation, click Branding.
  2. Upload your logo and paste in your terms of use or privacy statement.
  3. Click Save.


  1. In left navigation, click Authentication.
  2. Click Add Platform.
  3. IMPORTANT: Adding a platform is part of the SSO setup process, so we can complete both of these tasks now.

  4. Choose Web.

A value for the Redirect URI field is required to connect the KACE Cloud MDM Admin Portal to Azure AD.

In KACE Cloud MDM:

  1. Go to Settings > Single Sign-On.
  2. Copy the Redirect URI and paste into the Azure AD URI field.

Expose an API:

In this section, we need to modify the App ID URI. This will serve as the enrollment URL for the tenant being worked on.

  1. Copy the device enrollment URL from KACE Cloud (Devices > Enrollment Options > Enroll Device > Windows 10).
  2. Click the pencil icon next to Application ID URI to edit the field.
  3. Paste the enrollment URL for your subscription (https://[subdomain]
  4. Click Save.

API Permissions:

API permissions let KACE Cloud MDM modify some properties in Azure AD, for example device status.

  1. Click Add Permission.
  2. Choose Microsoft Graph.
  3. Click Application Permissions, then scroll to Device Group in the list.
  4. Check Device.ReadWrite.All, then click Add Permission.

While still in Microsoft Graph:

  1. Click Delegated Permission.
    • Delegated permissions make the API behave as if it's the signed-in user.
  2. Under Permission, check email, openid, and profile.
  3. Click Add Permission.

Review and Grant All Permissions:

  1. Review each status for the green 'Granted for [tenant]' icon.
  2. Locate any API/permission name whose status is missing.
  3. Click Grant admin consent for [tenant].
  4. Click Yes to approve.
    • This action will grant all permissions for the app.


  1. Set "groupMembershipClaims" to "All" or "SecurityGroup"
  2. Add the following URIs to the "identifierUris" list:
    • "https://[tenant]",
    • "https://[tenant]",
    • "[tenant]",
    • "https://[tenant] ",
  3. IMPORTANT: Confirm the placement of quotes around each identifier and a comma after each line.

  4. Click Save.
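
The "groupMembershipClaims" and "identifierUris" edits above are made in JSON, so the quote and comma placement can be checked before saving. The Python check below is an added example, not KACE or Microsoft code; `check_manifest`, the sample manifests and the `example.invalid` hosts are constructed for illustration, and the whitespace and duplicate checks are extra hygiene checks not stated on this page.

```python
import json

ALLOWED_GROUP_CLAIMS = {"All", "SecurityGroup"}  # the two values named in step 1

def check_manifest(text):
    """Return a list of problems found in an app manifest (empty list = OK)."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        # Misplaced quotes or commas surface here, with the position to fix.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(manifest, dict):
        return ["manifest must be a JSON object"]

    problems = []
    claims = manifest.get("groupMembershipClaims")
    if not isinstance(claims, str) or claims not in ALLOWED_GROUP_CLAIMS:
        problems.append(f"groupMembershipClaims is {claims!r}, expected 'All' or 'SecurityGroup'")

    uris = manifest.get("identifierUris")
    if not isinstance(uris, list) or not uris:
        return problems + ["identifierUris must be a non-empty list"]
    seen = set()
    for uri in uris:
        if not isinstance(uri, str) or not uri.strip():
            problems.append(f"identifierUris entry {uri!r} is not a non-empty string")
            continue
        if uri != uri.strip():  # assumption: stray spaces inside the quotes are a paste error
            problems.append(f"identifierUris entry {uri!r} has leading or trailing whitespace")
        if uri.strip().lower() in seen:
            problems.append(f"identifierUris entry {uri!r} is listed more than once")
        seen.add(uri.strip().lower())
    return problems

# Constructed sample manifests; the example.invalid hosts are placeholders.
GOOD = '''{
  "groupMembershipClaims": "SecurityGroup",
  "identifierUris": [
    "https://enroll.example.invalid",
    "https://portal.example.invalid"
  ]
}'''
MISSING_COMMA = GOOD.replace('invalid",', 'invalid"')
BAD_VALUES = GOOD.replace("SecurityGroup", "None").replace('portal.example.invalid"', 'portal.example.invalid "')

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("missing comma", MISSING_COMMA), ("bad values", BAD_VALUES)]:
        print(name, "->", check_manifest(sample) or "OK")
```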

Configure Azure AD Settings

In the Mobility (MDM and MAM) section:

  1. Select the new KACE Cloud MDM application.
  2. Click On-premises MDM application settings.

In Azure AD:

In the Overview section:

  1. Copy the Application (client) ID.
  2. Copy the Directory (tenant) ID.

In KACE Cloud MDM:

Go to the following page: Settings > Windows Settings > Azure AD Settings

  1. Paste the Application (client) ID copied from Azure AD.
  2. Paste the Directory (tenant) ID copied from Azure AD.
  3. Click Save.

In Azure AD:

  1. Open Certificates & Secrets in left navigation.
  2. Create a new client secret.
  3. Copy the value that is generated.

In KACE Cloud:

  1. Paste the Client Secret value into the Client Secret field.
  2. Click Save.
    •  This will be the first attempt to verify the credentials.
    •  If the attempt is successful, the credentials will be saved.

Configure SSO (assumes SSO has never been configured)

In KACE Cloud MDM:

  1. Go to Settings > Integrations > Single Sign-On (SSO).
  2. Select SAML to open the SSO Wizard.

In Azure AD:

  1. Select the KACE Cloud MDM app registration.
  2. In the Overview section, click the Endpoints button.
  3. Copy the Federation Metadata Document link.

In KACE Cloud:

  1. Paste the Federation Metadata Document link into Import from URL field.
  2. Click Import.

In the SSO Wizard:

  1. Click the 'Enable SSO' checkbox, then click Save Settings at the bottom of the screen.
    • This will accept all the default settings—consult the documentation if you want to customize.
  2. Test the success of SSO using the following instructions.
  3. If SSO setup is successful, check 'Immediately redirect to identity provider' and Save Settings.

See also Windows 10 Enrollment.