01. Introduction
General documentation is available for the EBF Onboarder, covering its prerequisites and the migration project as a whole. It describes how to set up a migration project and how to set up the invitation emails and reminders that guide your users through the migration. It also explains how to initiate the migration process and how to track the migration status.
This documentation complements the general EBF Onboarder documentation and provides more detailed information for the target system Microsoft Intune about:
- the prerequisites for the target system,
- the target system selection and setup during the migration project setup,
- the device selection during the migration project setup,
- the monitoring of the migration project.
The EBF Onboarder supports the following endpoints (National Clouds) offered by Microsoft:
Global Service & GCC [DEFAULT]:
Select this option if you use the standard Microsoft Azure/Intune system with Azure AD endpoints: https://portal.azure.com, https://endpoint.microsoft.com or https://login.microsoftonline.com
US Government L4 (GCC High):
Select this option if you use the Microsoft 365 L4 GCC High environment with the following Azure endpoints to connect to your system: https://portal.azure.us and https://login.microsoftonline.us
US Government L5 (DoD):
Select this option if you use the Microsoft 365 L5 DoD (DoD=Department of Defense) environment with the following Azure endpoints to connect to your system: https://portal.azure.us and https://login.microsoftonline.us
China operated by 21Vianet:
Select this option if you use the Microsoft Cloud for China operated by 21Vianet environment with the following Azure endpoints to connect to your system: https://portal.azure.cn and https://login.chinacloudapi.cn
German Cloud [DEPRECATED]:
The German Cloud, formerly reachable at https://portal.microsoftazure.de, is out of service.
02. Prerequisites for the target system Microsoft Intune
02.1. Microsoft Intune Service Account
We recommend creating a Microsoft Azure app to allow the EBF Onboarder to access your source system and to keep full control over the app and its permissions (see chapter 02.1.1). The setup is the same for each endpoint/region.
Alternatively, you can use the EBF Onboarder with its shared app (see chapter 02.1.2).
ATTENTION:
- The EBF Onboarder does not support Multi Factor Authentication (MFA) for the Intune Service Account, as the API requests of the EBF Onboarder support neither Multi Factor Authentication nor Single Sign On (see chapter 02.1.2).
- You can, however, use Multi Factor Authentication for your users. The EBF Onboarder is able to migrate devices if you use Multi Factor Authentication, and the Microsoft Company Portal will accept the user credentials with MFA (security reinforced) during registration.
02.1.1. Using your own app (recommended)
We recommend using your own Azure app instead of the EBF Onboarder shared app!
While creating the app in Microsoft Azure, you will get the Directory (tenant) ID, the Application (client) ID and the value of the client secret. You will need these values to configure your EBF Onboarder projects.
First you need to clarify (relevant for step 2): Which ownership should the devices have in Microsoft Intune?
- Corporate only
- Personal only
- Corporate and personal devices
Follow these steps to create the app:
- Create your own app for the EBF Onboarder:
- Log into the Azure Portal (Default: https://portal.azure.com/).
- Within ‘Home’ and ‘Azure services’ click on ‘App registrations’.
- Register a new app by clicking on ‘New registration’.
- Enter a user-facing display name.
- For ‘Supported account types’ select ‘Accounts in this organizational directory only (Single tenant)’ and click on ‘Register’:
- You will find your Application (client) ID and Directory (tenant) ID on the next page. You can copy them now and also look up this information at any time within the app in your Microsoft Azure tenant.
- Go to ‘API permissions’ on the left side of the same screen and
- delete the existing permission ‘User.Read’ and confirm (press the three dots, click on ‘Remove permission’ and confirm with ‘Yes, remove’),
- click on ‘+ Add a permission’ and select ‘Microsoft Graph’,
- select ‘Application permissions’,
- add the following permissions for the Service Account (follow the instructions that correspond to your device ownership) and press the button ‘Add permissions’:
Please add the following permissions for corporate devices only:
- User.Read.All
- Directory.Read.All
- Device.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementServiceConfig.ReadWrite.All
- Group.ReadWrite.All (only necessary if you want to add migrated users to a group)
Please add the following permissions for personal devices only:
- User.Read.All
- Directory.Read.All
- Device.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementConfiguration.ReadWrite.All
- Group.ReadWrite.All (only necessary if you want to add migrated users to a group)
Please add the following permissions for a mix of corporate and personal devices:
- Configure the app registration for personal devices. For devices with corporate ownership in Microsoft Intune you need to import the serial numbers or IMEIs into Microsoft Intune BEFORE the devices migrate. See ‘Microsoft Intune > Home > Devices > Device Onboarding > Enrollment’ for more details.
- Or: Set up groups on the source system which contain either the corporate or the personal devices only. Set up an app registration for each type (see above) and use each one in the corresponding projects only.
- For all cases: ‘Grant admin consent for (your domain)’.
NOTE: In case there are issues with the Read-only permissions, we recommend using ReadWrite permissions:
- User.ReadWrite.All
- Directory.ReadWrite.All
- Device.ReadWrite.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.ReadWrite.All
- Group.ReadWrite.All
- Go to ‘Certificates & secrets’ and set up a new client secret:
- Press ‘+ New client secret’, provide a meaningful description and select a value for ‘Expires’. It would be possible to choose the planned migration date, but it is recommended to add some months to be prepared for a possible delay.
- Press ‘Add’, copy the Value and save it in a safe place, as it will never be displayed again!
- While configuring the migration project with the EBF Onboarder, you will be asked to define the target system, the National Cloud type and to insert your tenant ID. After entering the tenant ID, the form will switch to ask you for the client_id (Application (client) ID) and client_secret (Value of the Secret) which you have received after creating your own app in the Azure Portal:
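The permission sets above are the minimum the Service Account needs for each device ownership type, and the NOTE explains that ReadWrite permissions are a fallback, not the default. The following script is an added example (not EBF's own code) that compares the application permissions shown under ‘API permissions’ with the sets listed in chapter 02.1.1 and reports what is missing, what is granted as ReadWrite where Read is sufficient, and what is not needed at all (such as the default delegated ‘User.Read’ that the steps above tell you to remove). The permission names come from this chapter; the ownership labels ‘corporate’, ‘personal’ and ‘mixed’ are this example's own.

```python
"""Least-privilege check for the Graph application permissions of the
EBF Onboarder app registration (added example, not part of the EBF docs).
Input: permission names as listed under 'API permissions' in the portal."""

# Permission sets from chapter 02.1.1. Group.ReadWrite.All is optional and
# only needed when migrated users are added to a group ('Add to Group').
CORE = {
    "User.Read.All",
    "Directory.Read.All",
    "Device.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All",
}
REQUIRED = {
    "corporate": CORE | {"DeviceManagementServiceConfig.ReadWrite.All"},
    "personal": CORE,
    "mixed": CORE,  # mixed projects use the personal-device registration
}
OPTIONAL = {"Group.ReadWrite.All"}


def read_variant(name: str) -> str:
    """Map a *.ReadWrite.All permission to its *.Read.All counterpart."""
    return name.replace(".ReadWrite.All", ".Read.All")


def check_permissions(granted, ownership, adds_to_group=False):
    """Compare granted permissions with the chapter 02.1.1 set.
    Returns sorted lists: missing, over_privileged, excess."""
    if ownership not in REQUIRED:
        raise ValueError(f"unknown ownership type: {ownership}")
    granted = set(granted)
    required = set(REQUIRED[ownership])
    if adds_to_group:
        required |= OPTIONAL
    # A ReadWrite grant satisfies a Read requirement (the NOTE above allows
    # this as a fallback), but it is reported as over-privileged.
    satisfied = {p for p in required
                 if p in granted or p.replace(".Read.All", ".ReadWrite.All") in granted}
    over = {p for p in granted if p.endswith(".ReadWrite.All")
            and read_variant(p) in required and p not in required}
    # Everything else that is neither required nor a ReadWrite substitute is
    # unnecessary for the migration and should be removed.
    excess = granted - required - over
    return {
        "missing": sorted(required - satisfied),
        "over_privileged": sorted(over),
        "excess": sorted(excess),
    }
```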
02.1.2. Using the EBF Onboarder shared app (not supported)
If you use the EBF Onboarder shared app to access your Intune server, you have to make sure that the Service Account meets certain requirements in order to allow the EBF Onboarder to register your devices in Microsoft Intune as a target system.
Please verify with your Active Directory or O365 administrator that the Service Account meets the following requirements:
- Make sure to use a Service Account created with your initial domain (yourcompany.onmicrosoft.com) and not your custom domain (e.g. @yourcompany.com) which doesn’t require Multi Factor Authentication. API requests of the EBF Onboarder do not support Multi Factor Authentication or Single Sign On.
- Make sure to use a Local User of the AD Microsoft environment (not a Global User).
- Make sure that the syntax of the account you use corresponds to the following format: ServiceOnboarder@YourOriginalDomain.onmicrosoft.com. ‘YourOriginalDomain’ is the original name of your domain created (not an alias or subdomain).
- Make sure that this account is at least a ‘Limited Administrator’ with the roles ‘Intune Administrator’ and ‘User Administrator’.
- Make sure that you have direct access by logging into the Microsoft Portal (Default: https://portal.azure.com/) at least once with this Service Account, so that you can change the password if required (security policy at first login) or you can detect any access restrictions for this account in case they exist.
- Once the EBF Onboarder software accesses Intune for the first time, you will see a dialog box which asks you to give consent to adding rights to the EBF Onboarder app. This must be done by entering the credentials of a ‘Global Administrator’ account. You can’t use the account created before for accessing the Microsoft Intune base.
Once you set up a migration project with the EBF Onboarder, you will be asked to define the target system, the National Cloud and to insert your tenant ID (see chapter 03). You can optionally insert your account details to check the registration status:
02.2. Best practice: If the target system requires a client app
The target system Microsoft Intune requires in most cases the Company Portal app to be installed to register a device. Best practice is to push this app to the device with the help of the source MDM. You need to make sure that this app is not removed from the device during unenrollment from the source MDM, so that it can be used to register the device during the migration.
This applies to any other app which will be used on the target system.
03. Target system selection for the target system Microsoft Intune
When you set up a migration project with the EBF Onboarder, you will be asked to define the target system (please read the general documentation to learn more about this).
Select Microsoft Intune as target system, select your National Cloud and enter your tenant ID (Directory (tenant) ID).
- If you have decided to use the shared app, you can optionally insert your account details to check the registration status. If you do that and if you have followed all instructions of chapter 02.1.2, the EBF Onboarder will check the presence and the compliance of the devices in Microsoft Intune after the migration (see chapter 05.2).
- If you have decided to use your own app, you need to enter your client_id (Application (client) ID) and client_secret (Value of the Secret). Please make sure that you have followed all instructions of chapter 02.1.1.
NOTE: Some UEM environments may have restrictions on incoming connections (IP filters, firewall). Please check with your target system administrator that the needed ports are open and that the EBF Onboarder IP address is whitelisted and read the general documentation to learn more about this.
03.1. Selecting MAM as a target
You can also select ‘Microsoft MAM only’ as a target. In this case it is not a UEM migration, but a migration of Managed Applications such as MS Outlook or OneDrive for O365 customers:
04. Device selection for the target system Microsoft Intune
When you set up a migration project with the EBF Onboarder (please read the general documentation to learn more about this), you will be asked to select the users you want to migrate.
NOTE: For Microsoft Intune (https://endpoint.microsoft.com/), the default setting is to add ‘users’ to a group with membership type ‘assigned’ in Azure Active Directory (AAD), not ‘devices’. The user accounts must exist in AAD before migration, as the EBF Onboarder doesn’t create user accounts.
When you select the single users, you can choose to which group the users should be added by selecting ‘Add to Group’:
NOTE: When you type in several letters, a list of groups starting with these letters will be displayed. This will allow you to get access to the list you are looking for faster, instead of waiting for the full list of groups to be loaded.
05. Migration monitoring for the target system Microsoft Intune
Administrators can follow the status of a migration project easily. Depending on the project progress, they can take actions to drive the migration forward.
NOTE: Please read the general documentation to learn more about this and read chapters 05.1 and 05.2 of this documentation to find out which additional information is provided for the target system Microsoft Intune.
05.1. Graphic and mouse-over information
There is a colored icon in the right column which illustrates the migration status. When you hover your mouse over the icon, you will see more information for the corresponding device.
For Microsoft Intune as a target system, there is an additional status available which is indicated with a green icon. The status is ‘Interrupted’ and is different from the status ‘Success’, which is also indicated with a green icon.
Color: Green
Status: Interrupted. The migration was interrupted after retiring the device and was not restarted with the EBF Onboarder, but the device was registered manually in Microsoft Intune. The software will detect the presence and compliance of the device in Microsoft Intune and will change the status to ‘Confirmed Enrollment’.
Invitation sent: .
Invitation received: .
Retiring succeeded: .
App Store redirection succeeded: x
Pop-up: The pop-up provides the timestamp of the sending date of the last invitation sent, the date of the registration in Microsoft Intune and the retiring date.
NOTE: Please read the general documentation for an explanation of all icons.
05.2. Check mark information
There are two types of check marks which indicate the status of the device on the source or target system. Check marks which refer to the status of the device detected on the target system (when the migration has started or when the device was detected on the target system for registration) are presented with bright colors:
For Microsoft Intune as a target system, there is additional information available which refers to the compliance of the device; you find it in the table below. It is recommended to enable the EBF Onboarder to check the device status directly. This will allow the EBF Onboarder to double-check the presence of the device in the target system Microsoft Intune and to check the status, which should be ‘compliant’.
Check mark: blue
Migration started: The device was confirmed as registered and compliant at 11:13 and the welcome message was sent by the EBF Onboarder to the user’s email address at 12:03.
Description: The blue check mark confirms that the device has been registered on the target system and the pop-up provides a timestamp for this (cached). It also confirms that the device is confirmed as compliant for Microsoft Intune.

Check mark: green
Migration started: The device was confirmed as registered (the last SyncDateTime is the date of the registration). The welcome message was not sent to the device; the last notification received was an invitation/reminder message.
Description: The green check mark indicates that the device was not confirmed as compliant, but it was registered by the user in Microsoft Intune.

NOTE: Please read the general documentation for an explanation of all check marks.
06. Migration Launch Self Service (/ireg)
In some cases it is not possible to use an email or web clip to initiate the migration of a device. In this case you can provide your users with a static link to start the migration.
06.1. Prerequisites
The EBF Onboarder Self Service will use your default Azure Identity Provider, authenticating the user by their Azure AD email address and Azure AD password.
ATTENTION: The migration must exist already and the user must have been invited to migrate the device at least once.
06.2. Workflow
Please follow these steps to enable your users to start the migration using /ireg:
- Create a Redirect URI for the app created in chapter 02.1.1:
- Log into the Azure Portal.
- Go to ‘App registrations’, open your app and ‘Authentication’.
- Within ‘Platform configurations’ click on ‘+ Add a platform’.
- Click on ‘Web’ and enter the following for Redirect URIs: https://intune-onboarder.ebf.com/ireg
- Click on ‘Configure’.
- Provide your users with the following link: https://intune-onboarder.ebf.com/ireg
NOTE: This link needs to be opened on the device that should be migrated. The link must be opened in a browser that is not removed while the device is removed/retired from the source MDM system.
- The user needs to enter their email address and click on ‘Find’.
- The user needs to enter the Azure Active Directory password and click on ‘Find’.
- If a user has more than one device registered on the source MDM system, a list of the devices assigned to them is displayed. The correct device needs to be selected for the migration.
- The browser redirects to the start page of the migration and the migration can be initiated by clicking on ‘Start Migration’.
- The user can follow the normal migration/enrollment process on the device.
07. Web based enrollment
Follow these steps to enable the web based enrollment into Microsoft Intune:
- Go to ‘Settings’ > ‘Tenant Settings’.
- Select the check box for: ‘Use web based enrollment for Intune’.
- Press ‘Save Settings’.
NOTE: You need to configure Microsoft Intune to enable web based enrollment; check the following website for further information:
Set up web based device enrollment – Microsoft Intune | Microsoft Learn