- 01. Introduction
- 02. Prerequisites for the target system Microsoft Intune
- 03. Target system selection for the target system Microsoft Intune
- 04. Device selection for the target system Microsoft Intune
- 05. Migration monitoring for the target system Microsoft Intune
- 06. Migration Launch Self Service (/ireg)
General documentation is available for the EBF Onboarder, where you can find information about its prerequisites and the migration project as a whole. It describes how to set up a migration project, how to set up the invitation emails and reminders that guide your users through the migration, how to initiate the migration process and how to track the migration status.
This documentation complements the general EBF Onboarder documentation and provides more detailed information for the target system Microsoft Intune about:
- the prerequisites for the target system,
- the target system selection during the migration project setup,
- the device selection during the migration project setup,
- the monitoring of the migration project,
- the Migration Launch Self Service (/ireg).
02. Prerequisites for the target system Microsoft Intune
02.1. Microsoft Intune Service Account
You need to create an Intune Service Account so that the EBF Onboarder can access your target system.
- This can be done with the help of the EBF Onboarder and its shared app (see chapter 02.1.1).
- Or you can create an app yourself if you want full control over the app and its client permissions (see chapter 02.1.2).
- The EBF Onboarder does not support Multi Factor Authentication (MFA) for the Intune Service Account, because its API requests support neither Multi Factor Authentication nor Single Sign On (see chapter 02.1.1).
- You can still enforce Multi Factor Authentication for your users. The EBF Onboarder can migrate devices when MFA is enabled, because the user authenticates with the Microsoft Company Portal during registration and Company Portal accepts MFA-protected credentials.
02.1.1. Using the EBF Onboarder shared app (default)
If you use the EBF Onboarder shared app to access your Intune tenant, you have to make sure that the Service Account meets certain requirements so that the EBF Onboarder can register your devices in Microsoft Intune as a target system.
Please verify with your Active Directory or Office 365 administrator that the Service Account meets the following requirements:
- Use a Service Account that does not require Multi Factor Authentication. API requests of the EBF Onboarder support neither Multi Factor Authentication nor Single Sign On.
- Use a local user of the Microsoft AD environment (not a global user).
- Make sure that the account name has the format ServiceOnboarder@YourOriginalDomain.onmicrosoft.com, where ‘YourOriginalDomain’ is the original name of the domain that was created for your tenant (not an alias or subdomain).
- Make sure that this account is at least a ‘Limited Administrator’ with the roles ‘Intune Administrator’ and ‘User Administrator’.
- Log in to the Microsoft portal at least once with this Service Account, so that you can change the password if required (a security policy may force this at first login) and detect any access restrictions that apply to the account.
- When the EBF Onboarder software accesses Intune for the first time, a dialog asks you to consent to the permissions requested by the EBF Onboarder app. This consent must be given with the credentials of a ‘Global Administrator’ account; the Service Account created above cannot be used for this step.
Once you set up a migration project with the EBF Onboarder, you will be asked to define the target system and to insert your tenant ID (see chapter 03). You can optionally insert your Service Account details so that the EBF Onboarder can check the registration status.
02.1.2. Using your own app
Using your own app instead of the shared app lets you reduce the granted roles and permissions to what your migration actually needs, and gives you full control over the app and its client permissions. You will need the tenant ID, the client ID and the client secret of your Azure tenant to configure the app in the EBF Onboarder.
Follow these steps to create the app:
- Create your own app for the EBF Onboarder:
  - Log in to the Azure Portal.
  - Go to ‘App registrations’.
  - Register a new app by clicking ‘New registration’.
  - Enter a user-facing display name, select ‘Accounts in this organizational directory only (Single tenant)’ and click ‘Register’.
  You will find the application (client) ID and the directory (tenant) ID on the overview page of the new app. Copy them; you will need them when setting up a migration project with the EBF Onboarder.
- Go to ‘API permissions’ and
  - delete the existing permission ‘User.Read’,
  - click ‘Add a permission’ and select ‘Microsoft Graph’,
  - select ‘Application permissions’,
  - add the application permissions required by the EBF Onboarder (see the notes on the optional permissions below),
  - click ‘Grant admin consent for (your domain)’.
- ‘Writing groups’ is only necessary if you want to add migrated users to a group.
- ‘DeviceManagementServiceConfig.ReadWrite.All’ is required if the device serial numbers should be added to the corporate device identifiers, so that the devices enroll as corporate-owned. Otherwise the devices will enroll as personally owned devices.
- ‘Perform User-impacting remote actions’ is required if you want to unenroll or wipe a device.
- Go to ‘Certificates & secrets’ and create a new client secret. Copy the secret value when it is displayed; it is shown only once.
- When you later set up a migration project with the EBF Onboarder, you will be asked to define the target system and to insert your tenant ID (see chapter 03). The form will then ask for the client_id and client_secret you received when creating your own app in the Azure Portal.
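The registration procedure above can also be scripted. The following PowerShell is an added example written for this page, not EBF's code or an official Microsoft script. It uses the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`) and must be run by a Global Administrator, because it also performs the admin consent step. Only ‘DeviceManagementServiceConfig.ReadWrite.All’ is named in the text; the Graph permission values used for ‘Writing groups’ and ‘Perform User-impacting remote actions’ (`Group.ReadWrite.All` and `DeviceManagementManagedDevices.PrivilegedOperations.All`) are our mapping of those portal descriptions and are assumptions, as are the app display name and the three-month secret lifetime. The vendor's full permission table is not reproduced here, so `$requiredRoles` must be extended with its rows.

```powershell
# Added example (not EBF's code): register the single-tenant app for the EBF Onboarder
# with the Microsoft Graph PowerShell SDK instead of clicking through the Azure Portal.
# Run as a Global Administrator; requires Install-Module Microsoft.Graph.

$displayName = 'EBF Onboarder'   # assumption: any user-facing name works

# Optional features named in the text -> Graph application permission values.
# Only CorporateOwned is named verbatim on the page; the other two are our mapping
# of the portal display names and are assumptions.
$optional = @{
    AddUsersToGroup = 'Group.ReadWrite.All'                                      # 'Writing groups'
    CorporateOwned  = 'DeviceManagementServiceConfig.ReadWrite.All'              # serials -> corporate identifiers
    RemoteActions   = 'DeviceManagementManagedDevices.PrivilegedOperations.All'  # 'Perform User-impacting remote actions'
}
# Extend this list with the rows of the vendor's permission table (not reproduced on this page).
$requiredRoles = @($optional.CorporateOwned)

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# 1. 'New registration' with 'Accounts in this organizational directory only (Single tenant)'.
$app = New-MgApplication -DisplayName $displayName -SignInAudience 'AzureADMyOrg'
$sp  = New-MgServicePrincipal -AppId $app.AppId
Start-Sleep -Seconds 15   # give directory replication time before assigning roles

# 2. Resolve the Microsoft Graph service principal (well-known appId) and the app roles we need.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roles = foreach ($value in $requiredRoles) {
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $value -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Unknown Graph application permission: $value" }
    $role
}

# 3. 'API permissions': Update-MgApplication replaces the whole list, so the delegated
#    'User.Read' that the portal adds by default is not present afterwards.
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
)

# 4. 'Grant admin consent': one app role assignment from our service principal to Graph per role.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# 5. 'Certificates & secrets': SecretText is returned only once; store it in a secrets manager.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'EBF Onboarder migration'
    EndDateTime = (Get-Date).AddMonths(3)   # assumption: short lifetime, rotate after the migration
}

# The three values the EBF Onboarder form asks for in chapter 03.
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    ClientSecret = $secret.SecretText
}
```

Paste the three returned values into the target system form described in chapter 03. Because the permission list is set as a whole, the app ends up with exactly the application permissions in `$requiredRoles` and nothing else; delete the client secret in ‘Certificates & secrets’ once the migration project is finished.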
02.2. Best practice: If the target system requires a client app
In most cases the target system Microsoft Intune requires the Company Portal app to be installed on the device before it can be registered. Best practice is to push this app to the device with the source MDM. Make sure that the app is not removed from the device during unenrollment from the source MDM, so that it is still available to register the device during the migration.
The same applies to any other app that will be used on the target system.
03. Target system selection for the target system Microsoft Intune
When you set up a migration project with the EBF Onboarder, you will be asked to define the target system (please read the general documentation to learn more about this).
Select Microsoft Intune as target system and enter your tenant ID.
- If you have decided to use the shared app, you can optionally insert your Service Account details to check the registration status. If you do so and have followed all instructions of chapter 02.1.1, the EBF Onboarder will check the presence and compliance of the devices in Microsoft Intune after the migration (see chapter 05.2).
- If you have decided to use your own app, you need to enter your client_id and client_secret. Make sure that you have followed all instructions of chapter 02.1.2.
NOTE: Some UEM environments restrict incoming connections (IP filters, firewall). Check with your target system administrator that the needed ports are open and that the EBF Onboarder IP address is allow-listed, and read the general documentation to learn more about this.
03.1. Selecting MAM as a target
You can also select ‘Microsoft MAM only’ as a target. In this case it is not a UEM migration, but a migration of managed applications such as Microsoft Outlook or OneDrive for Office 365 customers.
04. Device selection for the target system Microsoft Intune
When you set up a migration project with the EBF Onboarder (please read the general documentation to learn more about this), you will be asked to select the users you want to migrate.
NOTE: For Microsoft Intune, the default setting is to add ‘users’ to the group in Azure Active Directory (AAD), not ‘devices’. The user accounts must exist in AAD before the migration, because the EBF Onboarder does not create user accounts.
When you select individual users, you can choose the group they should be added to by selecting ‘Add to Group’.
NOTE: When you type several letters, a list of groups starting with these letters is displayed. This lets you reach the group you are looking for faster, instead of waiting for the full list of groups to load.
05. Migration monitoring for the target system Microsoft Intune
Administrators can easily follow the status of a migration project and, depending on its progress, take actions to drive the migration forward.
NOTE: Please read the general documentation to learn more about this, and read chapters 05.1 and 05.2 of this documentation to find out which additional information is provided for the target system Microsoft Intune.
05.1. Graphic and mouse-over information
A colored icon in the right column illustrates the migration status. When you hover over the icon, you see more information about the corresponding device.
For Microsoft Intune as a target system, an additional status ‘Interrupted’ is available. It is indicated with a green icon, but it differs from the status ‘Success’, which is also indicated with a green icon.

| Color | Status | Invitation sent | Invitation received | Retiring Succeeded | App Store Redirection Succeeded | Pop-up |
| --- | --- | --- | --- | --- | --- | --- |
| green | Interrupted: the migration was interrupted after retiring the device and was not restarted with the EBF Onboarder, but the device was registered manually in Microsoft Intune. The software detects the presence and compliance of the device in Microsoft Intune and changes the status to ‘Confirmed Enrollment’. | . | . | . | x | The pop-up provides the timestamp of the last invitation sent, the date of the registration in Microsoft Intune and the retiring date. |
NOTE: Please read the general documentation for an explanation of all icons.
05.2. Check mark information
There are two types of check marks that indicate the status of the device on the source or target system. Check marks that refer to the status of the device detected on the target system (when the migration has started or when the device was detected on the target system as registered) are shown in bright colors.
For Microsoft Intune as a target system, additional information about the compliance of the device is available; see the table below.
It is recommended to enable the EBF Onboarder to check the device status directly (see chapter 03). This allows the EBF Onboarder to double-check the presence of the device in Microsoft Intune and its compliance status, which should be ‘compliant’.

| Check Mark | Description | Migration started (pop-up example) |
| --- | --- | --- |
| blue | The blue check mark confirms that the device has been registered on the target system; the pop-up provides a (cached) timestamp for this. It also confirms that Microsoft Intune reports the device as compliant. | The device was confirmed as registered and compliant at 11:13 and the welcome message was sent by the EBF Onboarder to the user’s email address at 12:03. |
| green | The green check mark indicates that the device was registered by the user in Microsoft Intune, but was not confirmed as compliant. | The device was confirmed as registered (the last SyncDateTime is the date of the registration). The welcome message was not sent to the device; the last notification received was an invitation/reminder message. |
NOTE: Please read the general documentation for an explanation of all check marks.
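The presence and compliance check described in this chapter can be reproduced directly against Microsoft Graph with the app from chapter 02.1.2, which helps when a device stays on a green rather than a blue check mark. The script below is an added example for this page, not part of the EBF Onboarder. It assumes the Microsoft Graph PowerShell SDK, that the app holds a Graph application permission that allows reading managed devices (`DeviceManagementManagedDevices.Read.All` is assumed here; the page does not list the Onboarder's required set), and that the caller passes the device serial numbers. Serial numbers are escaped before being placed in the OData filter so that a serial read from a spreadsheet cannot alter the query.

```powershell
# Added example (not EBF's code): check presence, compliance and ownership of devices
# in Microsoft Intune with the client-credentials app from chapter 02.1.2.
# Assumption: the app holds DeviceManagementManagedDevices.Read.All (or a superset).
param(
    [Parameter(Mandatory)] [string]       $TenantId,
    [Parameter(Mandatory)] [string]       $ClientId,
    [Parameter(Mandatory)] [securestring] $ClientSecret,
    [Parameter(Mandatory)] [string[]]     $SerialNumbers
)

# App-only sign-in: no user, so no MFA prompt is involved (the same model the Onboarder uses).
$cred = [pscredential]::new($ClientId, $ClientSecret)
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome

foreach ($serial in $SerialNumbers) {
    # Double single quotes so the serial cannot break out of the OData string literal.
    $safe    = $serial.Replace("'", "''")
    $devices = Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$safe'" -All

    if (-not $devices) {
        # Not present in Intune at all: no check mark would be shown by the Onboarder.
        [pscustomobject]@{
            Serial = $serial; Present = $false; Compliance = $null
            LastSync = $null; Owner = $null; Verdict = 'not registered'
        }
        continue
    }

    foreach ($d in $devices) {
        # complianceState values include compliant, noncompliant, inGracePeriod, unknown, error.
        $verdict = if ($d.ComplianceState -eq 'compliant') {
            'registered and compliant'                       # blue check mark in chapter 05.2
        } else {
            "registered, compliance is '$($d.ComplianceState)'"   # green check mark
        }
        [pscustomobject]@{
            Serial     = $serial
            Present    = $true
            Compliance = $d.ComplianceState
            LastSync   = $d.LastSyncDateTime           # the SyncDateTime shown in the pop-up
            Owner      = $d.ManagedDeviceOwnerType     # 'company' only if the serial was pre-registered
            Verdict    = $verdict
        }
    }
}
```

Run it as a script, for example `.\Check-IntuneDevices.ps1 -TenantId $tenant -ClientId $client -ClientSecret $secret -SerialNumbers 'C02XYZ123','R58N456'`. A device that is present but not ‘compliant’ corresponds to the green check mark above; ‘company’ under Owner confirms that the serial was added to the corporate device identifiers as described in chapter 02.1.2.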
06. Migration Launch Self Service (/ireg)
In some cases it is not possible to use an email or web clip to initiate the migration of a device. In this case you can provide your users with a static link to start the migration.
The EBF Onboarder Self Service uses your default Azure identity provider and authenticates the user with their Azure AD email address and Azure AD password.
ATTENTION: The migration project must already exist and the user must have been invited to migrate at least once.
Please follow these steps to enable your users to start the migration:
- Provide your users with the following link: https://intune-onboarder.ebf.com/ireg
NOTE: The user needs to open the link on the device that is to be migrated, in a browser that is not removed when the device is removed/retired from the previous MDM system.
- The user enters their email address and clicks ‘Next’.
- The user is asked to enter their Azure Active Directory password and clicks ‘Find’.
- The user is shown a list of the devices assigned to them and chooses the device that should be migrated.
- The user is directed to the start page of the migration and initiates the migration process by clicking ‘Start Migration’.
- The user then follows the normal migration/enrollment process.