Manually connect Azure AD and KACE Cloud

This topic describes the manual process of connecting your Azure AD subscription with KACE Cloud. It is an alternative to the automated process. Both flows produce the same result, but the automated flow is the recommended one. For details, see Automatically connect Azure AD and KACE Cloud.

To add KACE Cloud app to Azure AD:

  1. Ensure that you have all of the mandatory Azure AD prerequisites in place before you establish a connection to your Azure AD environment.
  2. Log in to Azure AD.
  3. Go to Mobility (MDM and MAM).
  4. Click + Add application to add KACE Cloud app.
  5. Locate and select On-Premises MDM application.
  6. In the right panel, rename the app to 'KACE Cloud', then click Add.

The app will now show up in the main Mobility (MDM and MAM) list.

To get started with creating a manual configuration in KACE Cloud:

  1. In KACE Cloud, go to Settings > Windows Settings > Azure AD.
  2. On the Azure Active Directory Settings page, start the Manual process.
    • If you do not currently have a configuration for the previously offered on-premises KACE Cloud solution, click Manual.
    • If you already have an on-premises KACE Cloud configuration and want to create a new one, click Remove Existing Settings, and then click Manual.

To configure KACE Cloud app in Azure AD:

  1. In Mobility (MDM and MAM), open the KACE Cloud app.
  2. Set MDM user scope to All.
  3. Create Terms of Use in KACE Cloud.
    1. In KACE Cloud, go to Settings > Windows Settings > Terms of Use.
    2. Click Add New, and in the Edit Terms Of Use view that appears, provide required information. Then, click Save.
  4. Configure the MDM Terms Of Use URI and MDM Discovery URI values.
    1. In KACE Cloud, go to Settings > Windows Settings > Azure AD.
    2. On the Azure Active Directory Settings page, locate the MDM Terms Of Use URI field, and click Copy.
    3. In Azure AD, paste the contents into the MDM Terms Of Use URL field.
    4. In KACE Cloud, on the Azure Active Directory Settings page, locate the MDM Discovery URI field, and click Copy.
    5. In Azure AD, paste the contents into the MDM Discovery URL field, and click Save. Then click the On-premises MDM application settings link.

To continue with this configuration, we move down the left navigation on the main page of Azure AD.

To configure branding elements:

  1. In the left navigation, click Branding.
  2. Upload your logo and paste in your terms of use or privacy statement.
  3. Click Save.

To configure authentication:

  1. In the left navigation, click Authentication.
  2. Click Add Platform.
    • Adding a platform is also part of the SSO setup process, so both tasks are completed here.
  3. Choose Web.
  4. In KACE Cloud, go to Settings > Windows Settings > Azure AD.
  5. On the Azure Active Directory Settings page, locate the Redirect URI field, and click Copy.
  6. In Azure AD, in the Redirect URIs section, paste the contents of the Redirect URI field from KACE Cloud. Then click Configure.

A Redirect URI is used to connect the KACE Cloud Admin Portal to Azure AD.

Modify API permissions

API permissions give KACE Cloud the ability to modify some of the properties inside Azure AD, for example the device status.

  1. In the left navigation, click API Permissions.
  2. Click Add Permission.
  3. Choose Microsoft Graph.
  4. Click Application permissions, then scroll to the Device group in the list.
  5. Check Device.ReadWrite.All, then click Add Permission.

While still in Microsoft Graph:

  1. Click Delegated permissions.
    • This ensures that the API will behave as if it's the signed-in user.
  2. Under Permission, check email, openid, and profile.
  3. Click Add Permission.

Review and Grant All Permissions:

  1. Review each status for the green 'Granted for [tenant]' icon.
  2. Locate any API or permission name whose status is missing.
  3. Click Grant admin consent for [tenant].
  4. Click Yes to approve.
    • This action will grant all permissions for the app.

Manifest:

  1. Set "groupMembershipClaims" to "All" or "SecurityGroup".
  2. Set "accessTokenAcceptedVersion" to 2.
  3. Add the following URIs to the "identifierUris" list:
      • If provisioned in the US datacenter:
        • "https://[tenant].kacecloud.com",
        • "https://[tenant].enroll.kacecloud.com",
        • "https://auth.service.kacecloud.com/auth/realms/[tenant]",

      • If provisioned in the datacenter in Europe:
        • "https://[tenant].kacecloud.com",
        • "https://[tenant].enroll.kacecloud.com",
        • "https://[tenant].enroll.westeurope.kacecloud.com",
        • "https://auth.service.westeurope.kacecloud.com/auth/realms/[tenant]",

  4. Confirm the placement of quotes around each identifier and a comma after each line.

  5. Click Save.
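The manifest edits above are easy to get subtly wrong (a stray comma, a missing URI for your datacenter, the token version left at its old value). The following script is an added example, not part of KACE Cloud or Azure tooling, that checks an exported manifest against the settings listed above; the tenant name "contoso" and the sample manifest are constructed for illustration.

```python
import json

# Required identifierUris per datacenter, as listed in the procedure above.
# {tenant} is filled in from the caller's KACE Cloud tenant name.
REQUIRED_URIS = {
    "us": [
        "https://{tenant}.kacecloud.com",
        "https://{tenant}.enroll.kacecloud.com",
        "https://auth.service.kacecloud.com/auth/realms/{tenant}",
    ],
    "eu": [
        "https://{tenant}.kacecloud.com",
        "https://{tenant}.enroll.kacecloud.com",
        "https://{tenant}.enroll.westeurope.kacecloud.com",
        "https://auth.service.westeurope.kacecloud.com/auth/realms/{tenant}",
    ],
}

def check_manifest(manifest_json: str, tenant: str, region: str) -> list[str]:
    """Return the problems found in a manifest export; an empty list means it matches."""
    try:
        manifest = json.loads(manifest_json)
    except json.JSONDecodeError as exc:
        # A missing quote or comma (step 4 above) surfaces here before Azure rejects the save.
        return [f"manifest is not valid JSON: {exc.msg} at line {exc.lineno}"]

    problems = []
    if manifest.get("groupMembershipClaims") not in ("All", "SecurityGroup"):
        problems.append("groupMembershipClaims must be 'All' or 'SecurityGroup'")
    if manifest.get("accessTokenAcceptedVersion") != 2:
        problems.append("accessTokenAcceptedVersion must be 2")
    present = set(manifest.get("identifierUris", []))
    for template in REQUIRED_URIS[region]:
        uri = template.format(tenant=tenant)
        if uri not in present:
            problems.append(f"identifierUris is missing {uri}")
    return problems

# Constructed sample manifest for a made-up tenant: the token version has not been set to 2 yet.
SAMPLE_MANIFEST = json.dumps({
    "groupMembershipClaims": "SecurityGroup",
    "accessTokenAcceptedVersion": 1,
    "identifierUris": ["https://contoso.kacecloud.com",
                       "https://contoso.enroll.kacecloud.com",
                       "https://auth.service.kacecloud.com/auth/realms/contoso"],
})

if __name__ == "__main__":
    for problem in check_manifest(SAMPLE_MANIFEST, "contoso", "us"):
        print("PROBLEM:", problem)
```

Run it against the manifest downloaded from the app registration's Manifest blade, with your own tenant name and "us" or "eu" as the region.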

Configure Azure AD Settings

In the Mobility (MDM and MAM) section:

  1. Select the new KACE Cloud application.
  2. Click On-premises MDM application settings.

In Azure AD, in the Overview section:

  1. Copy the Application (client) ID.
  2. Copy the Directory (tenant) ID.

In KACE Cloud:

  1. Go to Settings > Windows Settings > Azure AD Settings.
  2. Paste the Application (client) ID copied from Azure AD.
  3. Paste the Directory (tenant) ID copied from Azure AD.

In Azure AD:

  1. Open Certificates & secrets in the left navigation.
  2. Create a new client secret.
  3. Copy the value that is generated. The value is displayed only once, immediately after the secret is created; if you leave the page without copying it, create a new secret.

In KACE Cloud:

  1. Paste the Client Secret value into the Client Secret field.
  2. Click Save.
    • This will be the first attempt to verify the credentials.
    • If the attempt is successful, the credentials will be saved.

Configure SSO

Follow these instructions if SSO has never been configured.

In KACE Cloud:

  1. Go to Settings > Integrations > Single Sign-On (SSO).
  2. Select SAML to open the SSO Wizard.

In Azure AD:

  1. Select the KACE Cloud app registration.
  2. In the Overview section, click the Endpoints button.
  3. Copy the Federation Metadata Document link.

In KACE Cloud:

  1. Paste the Federation Metadata Document link into Import from URL field.
  2. Click Import.

In the SSO Wizard:

  1. Click the 'Enable SSO' checkbox, then click Save Settings at the bottom of the screen.
    • This will accept all the default settings—consult the documentation if you want to customize.
  2. Test the success of SSO. See Configuring Single Sign-On.
  3. If SSO setup is successful, check 'Immediately redirect to identity provider' and Save Settings.