Sync user information with Azure AD through Microsoft Graph API
KM can integrate with the Microsoft Graph API to connect your Azure AD services to KM. When configured as a sync service, this integration provides AD user account and group information to KM, similar to the sync services delivered through the LDAP protocol. Only one Azure AD service is allowed per KM tenant, so you cannot concurrently sync the same Azure AD through the LDAP protocol.
The following diagram provides a high-level overview of the major steps required to sync Azure AD with KM through the Microsoft Graph API.
Link a KM tenant to Azure AD with Microsoft Graph API
There are several tasks you must complete to fully register KM with Azure AD and the Microsoft Graph API:
- Add KM as an MDM app
- Add the KM enrollment endpoints
- Add the KM redirect URL and allow public client flows
- Add the KM IDs and secret token
- Register Microsoft Graph API permissions
1. Add KM as an MDM app
- On the Azure portal, go to Azure Active Directory > Mobility (MDM and MAM) > Add Application. The Add an application page opens.
- Click On-premises MDM application. A profile dialog opens.
- For Name, enter Knox Manage.
- Click Add.
2. Add the KM enrollment endpoints
- On the Mobility (MDM and MAM) page on the Azure portal, select the new Knox Manage app. The app's MDM configuration page opens.
- Fill out the enrollment endpoints. These URLs are also available on the KM console, under Advanced > Azure AD Integration:
- MDM Terms of Use URL — https://stgemm.knoxemm.com:443/emm/termsofuse.do
- MDM Discover URL — https://stgemm.knoxemm.com:443/emm/windows/azure/discovery
- Click Save.
- Click On-Premises MDM application settings to go to the KM app configuration pages.
3. Add the KM redirect URL and allow public client flows
- On the Azure portal, go to Overview for the KM app.
- Click Authentication. The Platform configurations page opens.
- Click Add a platform > Web. The Configure web page opens.
- For Redirect URIs, enter https://stgemm.knoxemm.com:443/emm/permissions/stage/com. This URL is also available on the KM console, under Advanced > Azure AD Integration. Click Configure to save. You're returned to the Platform configurations page.
- Under Advanced Settings > Allow public client flows > Enable the following mobile and desktop flows, click Yes.
- Click Save.
4. Add the KM IDs and secret token
- On the Azure portal, go to Overview for the KM app.
- Copy the values of the Application (client) ID and Directory (tenant) ID fields.
- On the KM console, go to Advanced > Azure AD Integration.
- Paste the copied values into the corresponding Application ID and Directory ID fields.
- Back on the Azure portal, go to Certificates & secrets > Client secrets > New client secret. The Add a client secret page opens.
- Enter the token parameters:
- Description — Enter a one-line summary for the token, for example Knox Manage secret.
- Expires — Choose a lifetime for the token, for example 24 months.
- Click Add to save the secret and return to the Certificates & secrets page.
- Under the list of secrets, click the copy icon next to the KM secret to copy its token.
- On the KM console, paste the token into the Application key field, and enter the token's expiry date.
- Click Verify. If the button is grayed out, one or more fields are empty or incorrect.
5. Register the Microsoft Graph API permissions
KM needs three permissions from the Microsoft Graph API in order to sync AD information:
| Permission type | Permission name | Requires Azure admin consent |
|---|---|---|
| Delegated | User.Read | No |
| Application | Directory.Read.All | Yes |
| Application | Device.ReadWrite.All | Yes |
To grant these permissions to KM:
1. On the Azure portal, with the KM app selected, go to API permissions.
2. Click Add a permission > Microsoft APIs, then select Microsoft Graph from the list of commonly used Microsoft APIs.
3. Depending on the permission you're adding, click either Delegated permissions or Application permissions.
4. Search for and select the permissions of the chosen type.
5. Click Add permissions to add all the selected permissions.
6. Repeat steps 2–5 for both permission types, using the permissions listed in the preceding table.
7. Click Grant admin consent for <Azure AD tenant name> to grant consent for the API permissions.
8. On the KM console, check the approval status of the permissions on the Advanced > Azure AD Integration page, under MS Graph API Permission Setting. By default, KM automatically grants consent for the API permissions. Each successfully granted permission receives the Approved status after 1–5 minutes.
9. If some permissions don't sync or don't receive the Approved status after 1–5 minutes, grant explicit consent:
   - In the Permission list, select all the API permissions, then click Approve.
   - Click OK in the confirmation dialog. A Microsoft permissions dialog opens.
   - Click Approve to consent and return to the KM console.
10. (Optional) Click Test next to each permission to confirm it functions properly. If a permission passes, its Test Authorization status shows Succeeded. Once all the permissions pass, the overall Approval Result status changes to Succeeded.
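Steps 4 and 5 give the integration a client secret with a chosen lifetime and exactly three Graph permissions. The script below is an added example (not Samsung's or Microsoft's code) of how an admin can audit the resulting app registration against that documented baseline: it resolves the permission ids the app requests against the Microsoft Graph service principal's `appRoles` and `oauth2PermissionScopes`, flags anything beyond or short of the three permissions, and warns on expired or soon-to-expire client secrets. The JSON fragments and permission ids are constructed stand-ins for the real Graph responses; the function and constant names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Permissions this KM integration documents, as (type, name): Scope = delegated, Role = application.
EXPECTED = {("Scope", "User.Read"), ("Role", "Directory.Read.All"), ("Role", "Device.ReadWrite.All")}
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time" for the sample

# Constructed fragment of the Microsoft Graph service principal; real permission ids differ.
GRAPH_SP = {
    "appRoles": [{"id": "role-0001", "value": "Directory.Read.All"},
                 {"id": "role-0002", "value": "Device.ReadWrite.All"},
                 {"id": "role-0003", "value": "Directory.ReadWrite.All"}],
    "oauth2PermissionScopes": [{"id": "scope-0001", "value": "User.Read"}],
}
# Constructed Knox Manage application object: one over-broad role, one documented role missing, expired secret.
KM_APP = {
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "scope-0001", "type": "Scope"},
        {"id": "role-0001", "type": "Role"},
        {"id": "role-0003", "type": "Role"}]}],
    "passwordCredentials": [{"displayName": "Knox Manage secret",
                             "endDateTime": "2024-01-01T00:00:00Z"}],
}

def requested_permissions(app, graph_sp):
    """Resolve the Graph permission ids the app requests to (type, name) pairs."""
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    names.update({s["id"]: s["value"] for s in graph_sp["oauth2PermissionScopes"]})
    found = set()
    for res in app.get("requiredResourceAccess", []):
        if res["resourceAppId"] == GRAPH_APP_ID:
            for acc in res["resourceAccess"]:
                found.add((acc["type"], names.get(acc["id"], acc["id"])))
    return found

def audit(app, graph_sp, now, warn_days=30):
    """Return findings: permissions beyond or short of EXPECTED, expired or expiring secrets."""
    have = requested_permissions(app, graph_sp)
    findings = [f"extra permission: {t} {n}" for t, n in sorted(have - EXPECTED)]
    findings += [f"missing permission: {t} {n}" for t, n in sorted(EXPECTED - have)]
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append(f"secret expired: {cred['displayName']}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret expires within {warn_days} days: {cred['displayName']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(KM_APP, GRAPH_SP, SAMPLE_NOW)))
```

Against a live tenant the same two objects come from the Graph `applications` and `servicePrincipals` endpoints, and the expiry check is what tells you when the token entered in the KM Application key field needs rotating.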
Add Azure AD as a sync service
Once an Azure AD service is linked with your KM tenant, you can add it as a sync service to begin syncing user account and group information.
To add Azure AD with Microsoft Graph API as a sync service:
- On the KM console, go to Advanced > Azure AD Integration > Sync Service Setting > Add.
  IMPORTANT — Azure AD with Graph API can't be added as a sync service from the Advanced > AD/LDAP Sync > Sync Service page.
- Give the service an appropriate name, like Azure AD (Graph API).
- Customize the user and group information and mapping fields as required.
- Click Save & Sync.
Manage and view the Azure AD sync service
After you add Azure AD as a sync service, you can view its users and groups, review its sync history, and modify the service just like sync services based on the LDAP protocol. You can perform these actions on the regular sync service pages, under:
- Advanced > AD/LDAP Sync > Sync Service
- Advanced > AD/LDAP Sync > Sync History
For more details on how to perform these actions, see Manage sync services and Monitor sync services.