*BASICS*
The Knox Ecosystem
White Paper
- Introduction
  - The Samsung Knox Platform
  - Feature Summary
- Core Platform Security
- Network Security
  - Virtual Private Networks
  - Network Platform Analytics
- Certificate Management
- Device Management
- User Authentication
  - Biometric Authentication
- App and Data Protection
- Appendix
Samsung Knox Portal
Knox Cloud Services
- Sign in with SSO
General Knox Support
Knox Licenses
*FOR IT ADMINS*
Knox Admin Portal
- About
- Introduction
  - Select Knox services
- Features
- Knox Remote Support
- Release notes
Knox Suite
- Introduction
- How-to videos
- Get started
- Learn more about Knox Suite
- Enterprise Edition devices
- FAQs
- KBAs
Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
  - Before you begin
- Get started with UEMs
- Knox Service Plugin
- Release notes
- Migrate to Android 11
  - Device management modes
  - Prepare Knox for Android 11
- FAQs
- Troubleshoot
  - Get device logs
- KBAs
Knox Mobile Enrollment
- Introduction
- How-to videos
- Get started
- Features
- Release notes
- FAQs
- Troubleshoot
  - Get support
- KBAs
- On-Premise
Knox Configure
- Mobile
- Wearables
- Shared Device
- KBAs
Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- End users: Get started
  - Getting started with Knox Capture
- Features
- Release notes
- FAQs
- Troubleshoot
Knox Asset Intelligence
- Introduction
- How-to videos
- Get started
- Set up reported device data
- Features
- Troubleshoot
  - Device-side errors
  - Portal-side errors
- Release notes
- FAQs
- KBAs
Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQs
- KBAs
Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
  - Install an app to devices through an EMM
  - EMM compatibility matrix
- Release notes
- FAQs
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
  - Knox E-FOTA Advanced
  - Knox E-FOTA on MDM
Knox Guard
- Introduction
- How-to video
- Get started
  - Get access to the portal
  - Knox Guard status flow
- Using Knox Guard
- Release notes
- FAQs
- KBAs
- Support
Samsung Care+ for Business
- Introduction
- Get started
- Submit claim
- Features
- Release notes
- FAQs
*FOR RESELLERS*
Knox Deployment Program
- Introduction
- Get started
  - Get access to the Reseller Portal
  - Buy from a reseller
- Features
- Release notes
- FAQs
- KBAs
*FOR MANAGED SERVICE PROVIDERS*
Knox MSP Program
- Introduction
- How-to video
- Get started
  - Firewall exceptions
  - Before you begin
- Features
- Release notes
- FAQs
- KBAs
- Glossary

Sync user information with Azure AD through Microsoft Graph API

KM can integrate with the Microsoft Graph API in order to connect your Azure AD services to KM. When configured and set up as a sync service, this provides AD user accounts and group information to KM similar to sync services delivered through the LDAP protocol. Only one Azure AD service is allowed per KM tenant, so you cannot concurrently sync Azure AD through the LDAP protocol.

NOTE — Syncing AD organizations through the Microsoft Graph API isn't currently supported.

The following diagram provides a high-level overview of the major steps required to sync Azure AD with KM through the Microsoft Graph API.

Azure AD sync workflow diagram

Link a KM tenant to Azure AD with Microsoft Graph API

There are several tasks you must complete to fully register KM with Azure AD and the Microsoft Graph API:

Add KM as an MDM app
Add the KM enrollment endpoints
Add the KM redirect URL and allow public client flows
Configure KM as an MDM app
Register Microsoft Graph API permissions

1. Add KM as an MDM app

On the Azure portal, go to Azure Active Directory > Mobility (MDM and MAM) > Add Application. The Add an application page opens.
Click On-premises MDM application. A profile dialog opens.
For Name, enter Knox Manage.
Click Add.

2. Add the KM enrollment endpoints

On the Mobility (MDM and MAM) page on the Azure portal, select the new Knox Manage app. The app's MDM configuration page opens.
Fill out the enrollment endpoints. These URLs are also available on the KM console, under Advanced > Azure AD Integration:
- MDM Terms of Use URL — https://stgemm.knoxemm.com:443/emm/termsofuse.do
- MDM Discover URL — https://stgemm.knoxemm.com:443/emm/windows/azure/discovery
Click Save.
Click On-Premises MDM application settings to go to the KM app configuration pages.

3. Add the KM redirect URL and allow public client flows

On the Azure portal, go to Overview for the KM app.
Click Authentication. The Platform configurations page opens.
Click Add a platform > Web. The Configure web page opens.
For Redirect URIs, enter https://stgemm.knoxemm.com:443/emm/permissions/stage/com. This URL is also available on the KM console, under Advanced > Azure AD Integration. Click Configure to save. You're returned to the Platform configurations page.
Under Advanced Settings > Allow public client flows > Enable the following mobile and desktop flows, click Yes.
Click Save.

4. Add the KM IDs and secret token

On the Azure portal, go to Overview for the KM app.
Copy the Application (client) ID and Directory (tenant ID) fields, respectively.
On the KM console, go to Advanced > Azure AD Integration.
Paste the copied IDs into the Directory ID and Application ID fields.
Back on the Azure portal, go to Certificates & secrets > Client secrets > New client secret. The Add a client secret page opens.
Enter the token parameters:
- Description — Enter a one-line summary for the token, for example Knox Manage secret.
- Expires — Choose a lifetime for the token, for example 24 months.
Click Add to save the secret and return to the Certificates & secrets page.
Under the list of secrets, click next to the KM secret to copy its token.
On the KM console, paste the token into the Application key field, and enter the token's expiry date.
Click Verify. If the button is grayed out, then one or more fields is empty or incorrect.

5. Register the Microsoft Graph API permissions

KM needs three permissions from the Microsoft Graph API in order to sync AD information:

Permission type	Permission name	Requires Azure admin consent
Delegate	User.Read	No
Application	Directory.Read.All	Yes
Application	Device.ReadWrite.All	Yes

To grant these permissions to KM:

On the Azure portal, with the KM app selected, go to API permissions.
Click Add a permission > Microsoft APIs, then select Microsoft Graph API from the list of commonly used Microsoft APIs.
Based on the permission you're adding, click either Delegated permission or Application permissions type.
Search for and select the permissions of the chosen type.
Click Add permissions to add all the selected permissions.
Repeat steps 2–5 for both types of permissions, based on the permissions listed in the preceding table.
Click Grant admin consent for Azure AD tenant name to grant consent for the API permissions.
On the KM console, check the approval status of the permissions on the Advanced > Azure AD Integration page, under MS Graph API Permission Setting. By default, KM automatically grants consent for the API permissions. Successfully granted permissions each receive the approved status after 1–5 minutes.
If all the permissions don't sync or receive the approved status after 1–5 minutes, you must grant explicit consent:
1. In the Permission list, select all the API permissions, then click Approve.
2. Click OK in the confirmation dialog. A Microsoft permissions dialog opens.
3. Click Approve to consent and return to the KM console.
4. (Optional) Click Test next to each permission to ensure it functions properly. If a permission passes, its Test Authorization status shows Succeeded. Once all the permissions pass, the overall Approval Result status changes to Succeeded.

Add Azure AD as a sync service

Once an Azure AD service is linked with your KM tenant, you can add it as a sync service to begin syncing user account and group information.

To add Azure AD with Microsoft Graph API as a sync service:

On the KM console, go to Advanced > Azure AD Integration > Sync Service Setting > Add.

IMPORTANT — Azure AD with Graph API can't be added as a sync service from the Advanced > AD/LDAP Sync > Sync Service page.
Give the service an appropriate name, like Azure AD (Graph API).
Customize the user and group information and mapping fields as required.
Click Save & Sync.

Manage and view the Azure AD sync service

After you add Azure AD as a sync service, you can view its users and groups, review its sync history, and modify the service just like sync services based on the LDAP protocol. You can perform these actions on the regular sync service pages, under:

Advanced > AD/LDAP Sync > Sync Service
Advanced > AD/LDAP Sync > Sync History

For more details on how to perform these actions, see Manage sync services and Monitor sync services.