EBF product documentation

Find help using and administering EBF applications

Target System Microsoft Intune

01. Introduction

There is a general documentation available for the EBF Onboarder, where you can find information about its prerequisites and the whole migration project. It describes how you can setup a migration project, how you can setup invitation emails and reminders which guide your users through the migration. It also tells you how to initiate the migration process and how to track the migration status.

This documentation complements the general EBF Onboarder documentation and provides more detailed information for the target system Microsoft Intune about:

  • the prerequisites for the target system,
  • the target system selection during the migration project setup,
  • the device selection during the migration project setup,
  • the monitoring of the migration project.

The EBF Onboarder supports the following endpoints (National Clouds) offered by Microsoft:

Global Service & GCC [DEFAULT]:
Select this option if you use the standard Microsoft Azure/Intune system with Azure AD endpoints: https://portal.azure.com, https://endpoint.microsoft.com or https://login.microsoftonline.com

US Government L4 (GCC High):
Select this option if you use the Microsoft 365 L4 GCC High environment with the following Azure endpoints to connect to your system: https://portal.azure.us and https://login.microsoftonline.us

US Government L5 (DoD):
Select this option if you use the Microsoft 365 L5 DoD (DoD=Department of Defense) environment with the following Azure endpoints to connect to your system: https://portal.azure.us and https://login.microsoftonline.us

China operated by 21Vianet:
Select this option if you use the Microsoft Cloud for China operated by 21Vianet environment with the following Azure endpoints to connect to your system: https://portal.azure.cn and https://login.chinacloudapi.cn

German Cloud [DEPRECATED]:
The German Cloud reachable at https://portal.microsoftazure.de is out service.

02. Prerequisites for the target system Microsoft Intune

02.1. Microsoft Intune Service Account

You need to create an Intune Service Account to allow the EBF Onboarder to access your target system. The setup is the same for each endpoint/region.

  • This can be done with the help of the EBF Onboarder and its shared app (see chapter 02.1.1).
  • Or you can create an app yourself if you want to have full control over the app and client permissions (see chapter 02.1.2).

ATTENTION:

  • The EBF Onboarder will not support Multi Factor Authentication (MFA) for the Intune Service Account as API requests of the EBF Onboarder do not support Multi Factor Authentication or Single Sign On (see chapter 02.1.1).
  • But you can use Multi Factor Authentication for your users. The EBF Onboarder is able to migrate devices if you use Multi Factor Authentication and the Microsoft Company Portal will accept the user credentials with MFA (security reinforced) during registration.

02.1.1. Using the EBF Onboarder shared app (default)

If you use the EBF Onboarder shared app to access your Intune server, you have to make sure that the Service Account meets certain requirements in order to allow the EBF Onboarder to register your devices in Microsoft Intune as a target system.

Please verify with your Active Directory or O365 administrator that the Service Account meets the following requirements:

  • Make sure to use a Service Account created with your initial domain (yourcompany.onmicrosoft.com) and not your custom domain (e.g. @yourcompany.com) which doesn’t require Multi Factor Authentication. API requests of the EBF Onboarder do not support Multi Factor Authentication or Single Sign On.
  • Make sure to use a Local User of the AD Microsoft environment (not a Global User).
  • Make sure that the syntax of the account you use corresponds to the following format: ServiceOnboarder@YourOriginalDomain.onmicrosoft.com. ‘YourOriginalDomain’ is the original name of your domain created (not an alias or subdomain).
  • Make sure that this account is at least a ’Limited Administrator’ with the roles ‘Intune Administrator’ and ‘User Administrator’.
  • Make sure that you have direct access by logging into the Microsoft Portal (Default: https://portal.azure.com/) at least once with this Service Account, so that you can change the password if required (security policy at first login) or you can detect any access restrictions for this account in case they exist.
  • Once the EBF Onboarder software accesses Intune for the first time, you will see a dialog box which asks you to give consent to adding rights to the EBF Onboarder app. This must be done by entering the credentials of a ‚Global Administrator‘ account. You can’t use the account created before for accessing the Microsoft Intune base.

Once you setup a migration project with the EBF Onboarder, you will be asked to define the target system, the National Cloud and to insert your tenant ID (see chapter 03). You can optionally insert your account details to check the registration status:

02.1.2. Using your own app

Using your own app instead of the shared app enables you to reduce the applied roles and provides full control over the app and client permissions. You will need your tenant ID, the client ID and client secret for your Azure tenant to customize the app.

Follow these steps to create the app:

  1. Create your own app for the EBF Onboarder:
    • Login into the Azure Portal (Default: https://portal.azure.com/).
    • Within ‘Home’ and ‘Azure services’ click on ‘App registrations’.
    • Register a new app by clicking on ‘New registration’.
    • Enter a user-facing display name and set up the app for ‘Accounts in this organizational directory only (Single tenant)’ and click on ‘Register’:
    • You will find your Application (client) ID and Directory (tenant) ID on the next page. Copy them as you will need them during the setup of a migration project with the EBF Onboarder.
  2. Go to ‘API permissions’ on the left side on the same screen and
    • delete the existing permission ‘User.Read’ and confirm,
    • click on ‘+ Add a permission‘ and select ‚Microsoft Graph’,
    • select ‘Application permissions’,
    • add the following permissions for the Service Account:
      • User.Read.All
      • Directory.Read.All
      • Device.Read.All
      • DeviceManagementConfiguration.Read.All
      • DeviceManagementManagedDevices.Read.All
      • Group.ReadWrite.All (see NOTE 1)
    • and ‘Grant admin consent for (your domain)’.

    NOTE 1:

    • ‘Writing groups’ (Group.ReadWrite.All) is only necessary if you want to add migrated users to a group.
    • The permissions DeviceManagementServiceConfig.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All are required instead of Read.All if the device serials should be added to corporate owned devices. Otherwise, the devices will be enrolled as personal owned devices.

    NOTE 2:

      • If there are issues with the Read-only permissions we recommend to use the following ReadWrite permissions:
        • User.ReadWrite.All
        • Directory.ReadWrite.All
        • Device.ReadWrite.All
        • DeviceManagementConfiguration.ReadWrite.All
        • DeviceManagementManagedDevices.ReadWrite.All
        • Group.ReadWrite.All
  3. Go to ‘Certificates & secrets’ and set up a new client secret:
    • Press ‘+ New client secret’, provide a meaningful description and select a value for ‘Expires’. It would be possible to choose the planned migration date, but it is recommended to add some months to be prepared for a possible delay.
    • Press ‘Add Copy the Value’ and save it at a save place as it will not be displayed again.
  4. While configuring the migration project with the EBF Onboarder, you will be asked to define the target system, the  National Cloud and to insert your tenant ID (see chapter 03). After entering the tenant ID, the form will switch to ask you for the client_id (Application (client) ID) and client_secret (Value of the Secret) which you have received after creating your own app in the Azure Portal:

02.2. Best practice: If the target system requires a client app

The target system Microsoft Intune requires in most cases the Company Portal app to be installed to register a device. Best practice is to push this app to the device with the help of the source MDM. You need to make sure that this app is not removed from the device during unenrollment from the source MDM, so that it can be used to register the device during the migration.

This applies to any other app which will be used on the target system.

03. Target system selection for the target system Microsoft Intune

When you setup a migration project with the EBF Onboarder, you will be asked to define the target system (please read the general documentation to learn more about this).

Select Microsoft Intune as target system, select your National Cloud and enter your tenant ID (Directory (tenant) ID).

  • If you have decided to use a shared app, you can optionally insert your account details to check the registration status. If you do that and if you have followed all instructions of chapter 02.1.1, the EBF Onboarder will check the presence and the compliance of the devices in Microsoft Intune after the migration (see chapter 05.2).
  • If you have decided to use your own app, you need to enter your client_id (Application (client) ID) and client_secret (Value of the Secret). Please make sure that you have followed all instructions of chapter 02.1.2.

NOTE: Some UEM environments may have restrictions on incoming connections (IP filters, firewall). Please check with your target system administrator that the needed ports are open and that the EBF Onboarder IP address is whitelisted and read the general documentation to learn more about this.

03.1. Selecting MAM as a target

You can also select ‘Microsoft MAM only’ as a target. In this case it is not an UEM migration, but a migration of Managed Applications such as MS Outlook or OneDrive for O365 customers:

04. Device selection for the target system Microsoft Intune

When you setup a migration project with the EBF Onboarder (please read the general documentation to learn more about this), you will be asked to select the users you want to migrate.

NOTE: For Microsoft Intune (https://endpoint.microsoft.com/), the default setting is to add “users” to a group with membership type “assigned” in Azure Active Directory (AAD), not „devices“. The user accounts must exist in AAD before migration, as the EBF Onboarder doesn’t create user accounts.

When you select the single users, you can choose to which group the users should be added by selecting ‘Add to Group’:

NOTE: When you type in several letters, a list of groups starting with these letters will be displayed. This will allow you to get access to the list you are looking for faster, instead of waiting for the full list of groups to be loaded.

05. Migration monitoring for the target system Microsoft Intune

Administrators can follow the status of a migration project easily. Depending on the project progress, they can take actions to drive the migration forward.

NOTE: Please read the general documentation to learn more about this and read chapter 05.1 and 05.2 of this documentation to find out which additional information are provided for the target system Microsoft Intune.

05.1. Graphic and mouse-over information

There is a colored icon in the right column which illustrates the migration status. When you hover your mouse over the icon, you will see more information for the corresponding device.

For Microsoft Intune as a target system, there is an additional status available which is indicated with a green icon. The status is ‘Interrupted’ and is different from the status ‘Success’, which is also indicated with a green icon.

Color Status Invitation sent Invitation received Retiring Succeeded App Store Redirection Succeeded Pop-up
Green

 Interrupted:
The migration was interrupted after retiring the device and was not restarted with the EBF Onboarder, but the device was registered manually in Microsoft Intune. The software will detect the presence and compliance of the device in Microsoft Intune and will change the status to ‘Confirmed Enrollment’.		 . . . x The pop-up provides the timestamp of the sending date of the last invitation sent, the date of the registration in Microsoft Intune and the retiring date.

NOTE: Please read the general documentation for an explanation of all icons.

05.2. Check mark information

There are two types of check marks which indicate the status of the device on the source or target system. Check marks which refer to the status of the device detected on the target system (when the migration has started or when the device was detected on the target system for registration) are presented with bright colors:

For Microsoft Intune as a target system, there is an additional information available which refers to the compliance of the device which you find in the table below.

It is recommended to enable the EBF Onboarder to check the device status directly. This will allow the EBF Onboarder to double-check the presence of the device in the target system Microsoft Intune and to check the status which should be ‘compliant’.

Check Mark Description Migration started
The device was confirmed as registered and compliant at 11:13 and the welcome message was sent by the EBF Onboarder to the user’s email address at 12:03.

The blue check mark confirms that the device has been registered on the target system and the pop-up provides a timestamp for this (cached). It also confirms that the device is confirmed as compliant for Microsoft Intune.

 .
The device was confirmed as registered (the last SyncDateTime is the date of the registration). The welcome message was not sent to the device, the last notification received was an invitation/reminder message.

The green check mark indicates that the device was not confirmed as compliant, but it was registered by the user in Microsoft Intune.

 .

NOTE: Please read the general documentation for an explanation of all check marks.

06. Migration Launch Self Service (/ireg)

In some cases it is not possible to use an email or web clip to initiate the migration of a device. In this case you can provide your users with a static link to start the migration.

06.1. Prerequisites

The EBF Onboarder Self Service will use your Default Azure Identity Provider authenticating the user by their Azure AD email address and Azure AD password.

ATTENTION: The migration must exist already and the user must have been invited to migrate the device at least once.

06.2. Workflow

Please follow these steps to enable your users to start the migration using /ireg:

  1. Create a Redirect URI for the app created in chapter 02.1.2:
    • Login into the Azure Portal.
    • Go to ‘App registrations’, open your app and ‘Authentication’.
    • Within ‘Platform configurations’ click on ‘+ Add a platform’.
    • Click on ‘Web’ and enter the following for Redirect URIs: https://intune-onboarder.ebf.com/ireg
    • Click on ‘Configure’.
  2. Provide your users with the following link: https://intune-onboarder.ebf.com/ireg

    NOTE: This link needs to be opened on the device that should be migrated. The link must be opened in a browser that is not removed while the device is removed/retired from the source MDM system.

  3. The user needs to enter his email address and click on ‘Find’.
  4. The user needs to enter the Azure Active Directory Password and click on ‘Find’.
  5. If a user has more than one device registered on the source MDM system, a list of devices which are assigned to him is displayed. The correct device needs to be selecteed for the migration.
  6. The browser redirectes to the start page of the migration and the migration can be initiated by clicking on ‘Start Migration’.
  7. The user can follow the normal migration/enrollment process on the device.
Was this article useful?