
Sync user information with Azure AD through Microsoft Graph API

KM can integrate with the Microsoft Graph API in order to connect your Azure AD services to KM. When configured and set up as a sync service, this provides AD user accounts and group information to KM similar to sync services delivered through the LDAP protocol. Only one Azure AD service is allowed per KM tenant, so you cannot concurrently sync Azure AD through the LDAP protocol.

NOTE — Syncing AD organizations through the Microsoft Graph API isn't currently supported.

The following diagram provides a high-level overview of the major steps required to sync Azure AD with KM through the Microsoft Graph API.

Azure AD sync workflow diagram

There are several tasks you must complete to fully register KM with Azure AD and the Microsoft Graph API:

  1. Add KM as an MDM app
  2. Add the KM enrollment endpoints
  3. Add the KM redirect URL and allow public client flows
  4. Add the KM IDs and secret token
  5. Register Microsoft Graph API permissions

1. Add KM as an MDM app

  1. On the Azure portal, go to Azure Active Directory > Mobility (MDM and MAM) > Add Application. The Add an application page opens.
  2. Click On-premises MDM application. A profile dialog opens.
  3. For Name, enter Knox Manage.
  4. Click Add.

2. Add the KM enrollment endpoints

  1. On the Mobility (MDM and MAM) page on the Azure portal, select the new Knox Manage app. The app's MDM configuration page opens.
  2. Fill out the enrollment endpoints. These URLs are also available on the KM console, under Advanced > Azure AD Integration:
    • MDM Terms of Use URL: https://stgemm.knoxemm.com:443/emm/termsofuse.do
    • MDM Discover URL: https://stgemm.knoxemm.com:443/emm/windows/azure/discovery
  3. Click Save.
  4. Click On-Premises MDM application settings to go to the KM app configuration pages.

3. Add the KM redirect URL and allow public client flows

  1. On the Azure portal, go to Overview for the KM app.
  2. Click Authentication. The Platform configurations page opens.
  3. Click Add a platform > Web. The Configure web page opens.
  4. For Redirect URIs, enter https://stgemm.knoxemm.com:443/emm/permissions/stage/com. This URL is also available on the KM console, under Advanced > Azure AD Integration. Click Configure to save. You're returned to the Platform configurations page.
  5. Under Advanced Settings > Allow public client flows > Enable the following mobile and desktop flows, click Yes.
  6. Click Save.

4. Add the KM IDs and secret token

  1. On the Azure portal, go to Overview for the KM app.
  2. Copy the values of the Application (client) ID and Directory (tenant) ID fields.
  3. On the KM console, go to Advanced > Azure AD Integration.
  4. Paste the copied IDs into the Directory ID and Application ID fields.
  5. Back on the Azure portal, go to Certificates & secrets > Client secrets > New client secret. The Add a client secret page opens.
  6. Enter the token parameters:
    • Description — Enter a one-line summary for the token, for example Knox Manage secret.
    • Expires — Choose a lifetime for the token, for example 24 months.
  7. Click Add to save the secret and return to the Certificates & secrets page.
  8. Under the list of secrets, click copy next to the KM secret to copy its token.
  9. On the KM console, paste the token into the Application key field, and enter the token's expiry date.
  10. Click Verify. If the button is grayed out, one or more fields are empty or incorrect.

5. Register the Microsoft Graph API permissions

KM needs three permissions from the Microsoft Graph API in order to sync AD information:

Permission type   Permission name         Requires Azure admin consent
Delegated         User.Read               No
Application       Directory.Read.All      Yes
Application       Device.ReadWrite.All    Yes

To grant these permissions to KM:

  1. On the Azure portal, with the KM app selected, go to API permissions.
  2. Click Add a permission > Microsoft APIs, then select Microsoft Graph API from the list of commonly used Microsoft APIs.
  3. Click either Delegated permissions or Application permissions, depending on the type of the permission you're adding.
  4. Search for and select the permissions of the chosen type.
  5. Click Add permissions to add all the selected permissions.
  6. Repeat steps 2–5 for both types of permissions, based on the permissions listed in the preceding table.
  7. Click Grant admin consent for Azure AD tenant name to grant consent for the API permissions.
  8. The API permissions also require consent from KM. After adding them on the Azure portal, grant consent:

    NOTE — You may need to wait 1-5 minutes for the API permission to sync to the KM console.
    1. On the KM console, go to Advanced > Azure AD Integration.
    2. In the Permission list, select all the API permissions, then click Approve.
    3. Click OK in the confirmation dialog. A Microsoft permissions dialog opens.
    4. Click Approve to consent and return to the KM console. If the approval is successful, Approval result shows as Succeeded.
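As an added example (not part of KM or this guide), a small offline check a practitioner can run after steps 4 and 5: it decodes the claims of a Microsoft Graph access token issued to the KM app registration (without verifying the signature), confirms the audience, the directory, and the application roles from the table above, and reports how long the client secret has left. The tenant ID, token and dates are constructed placeholders.

```python
import base64
import json
from datetime import date

# Application (app-only) permissions from the table; a client-credentials token
# for Microsoft Graph carries granted application permissions in "roles".
REQUIRED_APP_ROLES = {"Directory.Read.All", "Device.ReadWrite.All"}
GRAPH_AUDIENCE = "https://graph.microsoft.com"


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a JWT WITHOUT verifying the signature.
    Use only to inspect a token you just obtained yourself; real validation
    must check the signature against Microsoft's published signing keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_app_token(token: str, tenant_id: str) -> list:
    """Return a list of problems; an empty list means the claims look right."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("aud") != GRAPH_AUDIENCE:
        problems.append(f"audience is {claims.get('aud')!r}, not Microsoft Graph")
    if claims.get("tid") != tenant_id:
        problems.append("token was issued for a different directory (tid)")
    missing = REQUIRED_APP_ROLES - set(claims.get("roles", []))
    if missing:  # typically means admin consent was not granted in Azure
        problems.append("missing app roles: " + ", ".join(sorted(missing)))
    return problems


def secret_days_remaining(expires_on: date, today: date) -> int:
    """Days until the client secret expires; negative means already expired."""
    return (expires_on - today).days


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: unsigned token with only one of the two app roles.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": GRAPH_AUDIENCE, "tid": SAMPLE_TENANT, "roles": ["Directory.Read.All"]}),
    "sig",  # dummy signature segment
])
```

Running check_graph_app_token on the sample reports the missing Device.ReadWrite.All role, which is the symptom you see when admin consent for an application permission was skipped.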

Add Azure AD as a sync service

Once an Azure AD service is linked with your KM tenant, you can add it as a sync service to begin syncing user account and group information.

To add Azure AD with Microsoft Graph API as a sync service:

  1. On the KM console, go to Advanced > Azure AD Integration > Sync Service Setting > Add.

    IMPORTANT — Azure AD with Graph API can't be added as a sync service from the Advanced > AD/LDAP Sync > Sync Service page.
  2. Give the service an appropriate name, like Azure AD (Graph API).
  3. Customize the user and group information and mapping fields as required.
  4. Click Save & Sync.

Manage and view the Azure AD sync service

After you add Azure AD as a sync service, you can view its users and groups, review its sync history, and modify the service just like sync services based on the LDAP protocol. You can perform these actions on the regular sync service pages, under:

  • Advanced > AD/LDAP Sync > Sync Service
  • Advanced > AD/LDAP Sync > Sync History

For more details on how to perform these actions, see Manage sync services and Monitor sync services.