
Configuring a Citrix Gateway application on the Azure portal

The following section lists steps to configure a Citrix Gateway application on the Azure portal.

Prerequisites

  • Azure global admin credentials
  • Intune licensing is enabled
  • For Intune integration, you need to create a Citrix Gateway application on the Azure portal.
  • Once the Citrix Gateway application is created, configure the OAuth policy on Citrix Gateway using the following application-specific information:
    • Client ID / Application ID
    • Client Secret / Application Key
    • Azure Tenant ID
  • Citrix Gateway uses the application's client ID and client secret to communicate with Azure and check for NAC compliance.

To create the Citrix Gateway app on Azure

  1. Log in to portal.azure.com
  2. Click Azure Active Directory.
  3. Click App registrations and click New registration.

    Azure app registration

  4. On the Register an application page, enter an app name and click Register.

    Name of app

  5. Navigate to Authentication, click Add URI, enter the FQDN of the Citrix Gateway, and click Save.

    Redirect URL

  6. Navigate to the Overview page to get the Client ID, Tenant ID, and Object ID.

    Overview page

  7. Navigate to API permissions and click Add a permission.

    1. Scroll down and select Azure AD Graph.
    2. Choose Application permissions, select Application.Read.All, and then click Add permissions.
    3. Click Grant admin consent for <tenant> and select Yes.
    4. Verify that the permissions are granted for your tenant.

    API permission

    Note:

    All Azure AD applications that call the https://login.microsoftonline.com or the https://graph.windows.net service endpoints require the API permission to be assigned for the gateway to be able to call the NAC API. The available API Permissions are:

    • Application.Read.All
    • Application.ReadWrite.All
    • Application.OwnedBy
    • Directory.Read.All

    The preferred permission is Application.Read.All.

    For more details, see https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-intune-service-discovery-api-endpoint-will-require/ba-p/2428040

  8. Click the Microsoft Graph tile to configure API permissions for Microsoft Graph.

    MS graph

  9. Click the Delegated permissions tile.

    API permission for MS graph

  10. Select the following permissions, and click Add permissions.

    • Email
    • openid
    • Profile
    • Directory.AccessAsUser.All
    • User.Read
    • User.Read.All
    • User.ReadBasic.All

    API permission 1

    API permission 2

    API permission 3

    Additional permission for Intune NAC check: the API permission described in the note under step 7 is also required (Application.Read.All is the preferred permission).

  11. Click the Intune tile to configure API permissions for Intune.

    Intune tile

  12. Click the Application permissions tile and the Delegated permissions tile to add permissions for Get_device_compliance and Get_data_warehouse respectively.

    API permission for intune

  13. Select the following permissions and click Add permissions.

    • Get_device_compliance - Application permissions
    • Get_data_warehouse - Delegated permissions

    API permission get device

    API permission get warehouse

  14. The following page lists the configured API permissions.

    List of API permission

  15. Navigate to Certificates & secrets and click New client secret.

    New client secret

  16. On the Add a client secret page, enter a description, select an expiry, and click Add.

    API permission

  17. The following screen shows the configured client secret.

    Note

    The client secret is displayed only once, when it is generated. You must copy the displayed client secret and store it locally. Use this client secret, together with the client ID of the newly registered app, when configuring the OAuth action for Intune on the Citrix Gateway appliance.

    API permission

The application configuration on Azure portal is now complete.
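Before the client ID, client secret, and tenant ID are entered into the Citrix Gateway OAuth policy, it is useful to confirm that the triple actually works and that the app-only token Azure issues carries the application permission granted in step 7. The following script is an added example and is not Citrix or Microsoft code: it performs the same client-credentials exchange against https://login.microsoftonline.com that the gateway performs, decodes the returned token's claims, and reports any required application permission that is absent from the `roles` claim. The `https://graph.windows.net/.default` scope, the environment variable names, and the embedded sample token are assumptions made for this example; the sample token is constructed and unsigned so the script also runs offline.

```python
"""Added example (not Citrix/Microsoft code): check that an Azure app registration's
client ID / client secret / tenant ID triple yields an app-only token that carries
the application permission the Citrix Gateway needs for the Intune NAC check."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Azure AD / Entra ID v2.0 token endpoint used for the client-credentials grant.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Assumption for this example: request a token for the Azure AD Graph resource,
# which is the service the page says the gateway calls.
DEFAULT_SCOPE = "https://graph.windows.net/.default"

# Application permissions (app roles) that must appear in the 'roles' claim of an
# app-only token. Delegated permissions such as Get_data_warehouse only appear in
# the 'scp' claim of a user token, so they are not checked here.
REQUIRED_APP_ROLES = ("Application.Read.All",)


def build_token_request(tenant_id, client_id, client_secret, scope=DEFAULT_SCOPE):
    """Return (url, form_body_bytes) for a client-credentials token request."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def fetch_access_token(tenant_id, client_id, client_secret, scope=DEFAULT_SCOPE):
    """Perform the token request over the network and return the access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT.

    The signature is deliberately not verified: this inspects a token that the
    issuer just handed to us, it does not accept tokens from anyone else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(claims, required=REQUIRED_APP_ROLES):
    """Return the required application permissions absent from the 'roles' claim."""
    granted = {role.lower() for role in claims.get("roles", [])}
    return [role for role in required if role.lower() not in granted]


def make_unsigned_sample_token(claims):
    """Build a constructed, unsigned (alg=none) JWT so the check can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims resembling an app-only token; values are placeholders.
SAMPLE_CLAIMS = {
    "aud": "https://graph.windows.net",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "roles": ["Application.Read.All"],
}
SAMPLE_TOKEN = make_unsigned_sample_token(SAMPLE_CLAIMS)


if __name__ == "__main__":
    # Assumed environment variable names; with them unset the sample token is used.
    tenant, client, secret = (os.environ.get(k) for k in
                              ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"))
    token = fetch_access_token(tenant, client, secret) if tenant and client and secret else SAMPLE_TOKEN
    claims = decode_jwt_claims(token)
    missing = missing_app_roles(claims)
    print("tenant:", claims.get("tid"), "app:", claims.get("appid"))
    print("OK: required application permissions present" if not missing
          else "MISSING application permissions: " + ", ".join(missing))
```

If the token request fails with an authentication error, the secret was mistyped or has expired (step 17 notes it is shown only once); if the token is issued but a permission is reported missing, the permission was added but admin consent in step 7 was not granted.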
