01. Introduction
General documentation is available for the EBF Onboarder, where you can find information about its prerequisites and the whole migration project. It describes how to set up a migration project and how to set up the invitation emails and reminders which guide your users through the migration. It also explains how to initiate the migration process and how to track the migration status.
This documentation complements the general EBF Onboarder documentation and provides more detailed information about the source system Microsoft Intune, covering:
- the prerequisites for the source system,
- the target system selection during the migration project setup.
The EBF Onboarder supports the following endpoints (National Clouds) offered by Microsoft:
Global Service & GCC [DEFAULT]:
Select this option if you use the standard Microsoft Azure/Intune system with Azure AD endpoints: https://portal.azure.com, https://endpoint.microsoft.com or https://login.microsoftonline.com
US Government L4 (GCC High):
Select this option if you use the Microsoft 365 L4 GCC High environment with the following Azure endpoints to connect to your system: https://portal.azure.us and https://login.microsoftonline.us
US Government L5 (DoD):
Select this option if you use the Microsoft 365 L5 DoD (DoD=Department of Defense) environment with the following Azure endpoints to connect to your system: https://portal.azure.us and https://login.microsoftonline.us
China operated by 21Vianet:
Select this option if you use the Microsoft Cloud for China operated by 21Vianet environment with the following Azure endpoints to connect to your system: https://portal.azure.cn and https://login.chinacloudapi.cn
German Cloud [DEPRECATED]:
The German Cloud reachable at https://portal.microsoftazure.de is out of service.
02. Prerequisites for the source system Microsoft Intune
02.1. Microsoft Intune Service Account
We recommend creating a Microsoft Azure app to allow the EBF Onboarder to access your source system, so that you have full control over the app and client permissions (see chapter 02.1.1). The setup is the same for each endpoint/region.
Alternatively, you can use the EBF Onboarder with its shared app (see chapter 02.1.2).
ATTENTION:
- The EBF Onboarder does not support Multi Factor Authentication (MFA) for the Intune Service Account, as the EBF Onboarder's API requests support neither Multi Factor Authentication nor Single Sign On (see chapter 02.1.2).
- You can, however, use Multi Factor Authentication for your users. The EBF Onboarder is able to migrate devices if you use Multi Factor Authentication, and the Microsoft Company Portal will accept the user credentials with MFA (security reinforced) during registration.
02.1.1. Using your own app (recommended)
We recommend using your own Azure app instead of the EBF Onboarder shared app!
This enables you to reduce the applied roles and gives you full control over the app and client permissions. If any changes need to be made to this access, you are much more flexible.
You will need your tenant ID, the client ID and client secret of your Azure app to use it in the EBF Onboarder portal.
Follow these steps to create the app:
- Create your own app for the EBF Onboarder:
- Log in to the Azure Portal (Default: https://portal.azure.com/).
- Go to ‘App registrations’.
- Register a new app by clicking on ‘+ New registration’.
- Enter a user-facing display name and set up the app for ‘Accounts in this organizational directory only (Single tenant)’ and click on ‘Register’.
You will find your Application (client) ID and Directory (tenant) ID on the next page. Copy them as you will need them during the setup of a migration project with the EBF Onboarder.
- Go to ‘API permissions’ and
- delete the existing permission ‘User.Read’ and confirm,
- click on ‘+ Add a permission’ and select ‘Microsoft Graph’,
- select ‘Application permissions’,
- add the following permissions for the Service Account:
- User.ReadWrite.All
- Directory.ReadWrite.All
- Device.ReadWrite.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.PrivilegedOperations.All
- DeviceManagementManagedDevices.ReadWrite.All
- Group.ReadWrite.All
- and click ‘Grant admin consent for (your domain)’.
NOTE:
- ‘Perform User-impacting remote actions’: The permission DeviceManagementManagedDevices.PrivilegedOperations.All is required to unenroll or wipe a device.
- If you use ‘Modern Authentication for Exchange Online Mailbox’ for sending emails, you can use the app which is used for EBF Onboarder access also for the Exchange Online access and apply the required permissions to the user.
- Go to ‘Certificates & secrets’ and set up a new client secret.
- When you later set up a migration project with the EBF Onboarder, you will be asked to define the source system and the National Cloud and to insert your tenant ID (see chapter 03). The form will then ask you for the client_id and client_secret (Value) which you received after creating your own app in the Azure Portal.
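As an added example (not EBF's own code), the following script shows two checks a tenant administrator can run against the settings from this chapter and the National Cloud list in the Introduction: it derives the client-credentials token endpoint and Graph scope for the selected cloud, and it audits an exported list of the app's API permissions against the documented application permissions, reporting missing, surplus and not-yet-consented entries. The Graph host names per cloud are standard Microsoft values assumed here; the permission rows are constructed sample input.

```python
"""Audit an EBF Onboarder app registration against the documented permissions.
Added example, not EBF's code; login hosts are those listed in the Introduction,
Graph hosts are standard Microsoft values, sample rows are constructed."""
from typing import List, Tuple

# Application permissions the documentation requires for the Service Account
REQUIRED = {
    "User.ReadWrite.All", "Directory.ReadWrite.All", "Device.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.ReadWrite.All", "Group.ReadWrite.All",
}
# (login authority, Graph host) per National Cloud; the German cloud is retired
CLOUDS = {
    "global": ("login.microsoftonline.com", "graph.microsoft.com"),
    "gcc-high": ("login.microsoftonline.us", "graph.microsoft.us"),
    "dod": ("login.microsoftonline.us", "dod-graph.microsoft.us"),
    "china": ("login.chinacloudapi.cn", "microsoftgraph.chinacloudapi.cn"),
}

def client_credentials_target(cloud: str, tenant_id: str) -> Tuple[str, str]:
    """Token URL and scope for the client-credentials grant in the given cloud."""
    if cloud not in CLOUDS:
        raise ValueError(f"unsupported or deprecated cloud: {cloud}")
    login, graph = CLOUDS[cloud]
    return f"https://{login}/{tenant_id}/oauth2/v2.0/token", f"https://{graph}/.default"

def audit_permissions(granted: List[Tuple[str, str, bool]]):
    """Rows are (permission, 'Application' | 'Delegated', admin_consented).
    Returns (missing required, surplus beyond the documented set such as a
    leftover User.Read, required but not admin-consented), each sorted."""
    app_perms = {p for p, t, _ in granted if t == "Application"}
    missing = sorted(REQUIRED - app_perms)
    surplus = sorted({p for p, _, _ in granted} - REQUIRED)
    unconsented = sorted(p for p, t, c in granted
                         if t == "Application" and p in REQUIRED and not c)
    return missing, surplus, unconsented

# Constructed sample export: User.Read was never deleted, one required
# permission is missing, one lacks consent, and Mail.ReadWrite was added.
SAMPLE_GRANTED = [
    ("User.Read", "Delegated", True),
    ("User.ReadWrite.All", "Application", True),
    ("Directory.ReadWrite.All", "Application", True),
    ("Device.ReadWrite.All", "Application", False),
    ("DeviceManagementConfiguration.ReadWrite.All", "Application", True),
    ("DeviceManagementManagedDevices.ReadWrite.All", "Application", True),
    ("Group.ReadWrite.All", "Application", True),
    ("Mail.ReadWrite", "Application", True),
]
```

A surplus entry such as Mail.ReadWrite widens what the client secret can do if it leaks, so it is worth removing before the secret is handed to the migration project.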
02.1.2. Using the EBF Onboarder shared app (not supported)
If you use the EBF Onboarder shared app to access your Intune server, you have to make sure that the Service Account meets certain requirements in order to allow the EBF Onboarder to retire your devices in Microsoft Intune as a source system.
Please verify with your Active Directory or O365 administrator that the Service Account meets the following requirements:
- Make sure to use a Service Account that doesn’t require Multi Factor Authentication. API requests of the EBF Onboarder do not support Multi Factor Authentication or Single Sign On.
- Make sure to use a Service Account created with your initial domain (yourcompany.onmicrosoft.com) and not your custom domain (e.g. @yourcompany.com).
- Make sure that the syntax of the account you use corresponds to the following format: ServiceOnboarder@YourOriginalDomain.onmicrosoft.com. ‘YourOriginalDomain’ is the original name of your domain created (not an alias or subdomain).
- Make sure that this account is at least a ‘Limited Administrator’ with the roles ‘Intune Administrator’ and ‘User Administrator’.
- Make sure that you have direct access by logging in to the Microsoft Portal (Default: https://portal.azure.com/) at least once with this Service Account, so that you can change the password if required (security policy at first login) or detect any access restrictions for this account, if they exist.
- Once the EBF Onboarder software accesses Intune for the first time, you will see a dialog box which asks you to give consent to adding rights to the EBF Onboarder app. This must be done by entering the credentials of a ‘Global Administrator’ account. You can’t use the account created before for accessing the Microsoft Intune base.
Once you set up a migration project with the EBF Onboarder, you will be asked to define the source system and the region and to insert your Admin Service account and password (see chapter 03).
NOTE: We support different endpoints/regions that are provided by Microsoft. Please select your National Cloud.
03. Source system selection for the source system Microsoft Intune
When you set up a migration project with the EBF Onboarder, you will be asked to define the source system (please read the general documentation to learn more about this).
Select Microsoft Intune as source system, select your National Cloud and enter your tenant ID.
- If you have decided to use your own app, you need to enter your client_id and client_secret. Please make sure that you have followed all instructions of chapter 02.1.1.
- If you have decided to use a shared app, you can optionally insert your account details to check the registration status. If you do that and if you have followed all instructions of chapter 02.1.2, the EBF Onboarder will check the presence and the compliance of the devices in Microsoft Intune after the migration.
NOTE: Some UEM environments may have restrictions on incoming connections (IP filters, firewall). Please check with your target system administrator that the needed ports are open and that the EBF Onboarder IP address is whitelisted and read the general documentation to learn more about this.
04. Device selection for the source system Microsoft Intune
When you set up a migration project with the EBF Onboarder (please read the general documentation to learn more about this), you will be asked to select the users you want to migrate.
NOTE: For Microsoft Intune endpoints, the default setting is to add ‘users’ to a group with membership type ‘assigned’ in Azure Active Directory (AAD), not ‘devices’. The user accounts must exist in AAD before migration, as the EBF Onboarder doesn’t create user accounts.
05. Migration Launch Self Service (/ireg)
In some cases it is not possible to use an email or web clip to initiate the migration of a device. In this case you can provide your users with a static link to start the migration.
05.1. Prerequisites
The EBF Onboarder Self Service will use your Default Azure Identity Provider authenticating the user by their Azure AD email address and Azure AD password.
ATTENTION: The migration must exist already and the user must have been invited to migrate the device at least once.
05.2. Workflow
Please follow these steps to enable your users to start the migration using /ireg:
- Create a Redirect URI for the app created in chapter 02.1.2:
- Log in to the Azure Portal.
- Go to ‘App registrations’, open your app and ‘Authentication’.
- Within ‘Platform configurations’ click on ‘+ Add a platform’.
- Click on ‘Web’ and enter the following for Redirect URIs: https://intune-onboarder.ebf.com/ireg
- Click on ‘Configure’.
- Provide your users with the following link: https://intune-onboarder.ebf.com/ireg
NOTE: This link needs to be opened on the device that should be migrated. The link must be opened in a browser that is not removed while the device is removed/retired from the source MDM system.
- The user needs to enter their email address and click on ‘Find’.
- The user needs to enter their Azure Active Directory password and click on ‘Find’.
- If a user has more than one device registered on the source MDM system, a list of the devices assigned to them is displayed. The correct device needs to be selected for the migration.
- The browser redirects to the start page of the migration, and the migration can be initiated by clicking on ‘Start Migration’.
- The user can follow the normal migration/enrollment process on the device.