Configuring a Citrix Gateway application on the Azure portal

The following section lists steps to configure a Citrix Gateway application on the Azure portal.

Prerequisites

  • Azure global admin credentials
  • Intune licensing is enabled
  • For Intune integration, you must create a Citrix Gateway application on the Azure portal.
  • Once the Citrix Gateway application is created, configure the OAuth policy on Citrix Gateway using the following application specific information:
    • Client ID / Application ID
    • Client Secret / Application Key
    • Microsoft Entra Tenant ID
  • Citrix Gateway uses the application (client) ID and client secret of this app to authenticate to Azure and check device compliance through the NAC API.

To create a Citrix Gateway app on Azure

  1. Log in to portal.azure.com
  2. Click Microsoft Entra ID.
  3. Click App registrations and click New registration.

    Azure app registration

  4. On the Register an application page, enter an app name and click Register.

    Name of app

  5. Navigate to Authentication, click Add URI, enter the FQDN of the Citrix Gateway as the redirect URI, and click Save.

    Redirect URL

  6. Navigate to the Overview page to get Client ID, Tenant ID, and Object ID.

    Overview page

  7. Navigate to API permissions and click Add a permission.

    API permission

    Note:

    All Microsoft Entra ID applications that call the https://login.microsoftonline.com, https://graph.microsoft.com, or https://graph.windows.net service endpoints require the API permission to be assigned for the gateway to be able to call the NAC API. The available API Permissions are:

    • Application.Read.All
    • Application.ReadWrite.All
    • Application.OwnedBy
    • Directory.Read.All

    The preferred permission is Application.Read.All.

    For more details, see https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-intune-service-discovery-api-endpoint-will-require/ba-p/2428040

  8. Click the Microsoft Graph tile to configure API permissions for Microsoft Graph.

    MS graph

  9. Click the Delegated permissions tile.

    API permission for MS graph

  10. Select the following permissions and click Add permissions.

    • email
    • openid
    • profile
    • Directory.AccessAsUser.All
    • User.Read
    • User.Read.All
    • User.ReadBasic.All

    API permission 1

    API permission 2

    API permission 3

    Permissions for Intune NAC check:

    The API permission requirement for calling the NAC API is the same as described in the note under step 7; the preferred permission is Application.Read.All.

    Note:

    If a customer is only using the Intune Action for NAC check, then the only permission required is Application.Read.All in Microsoft Graph.

  11. Click the Intune tile to configure API permissions for Intune.

    Intune tile

  12. Click the Application permissions tile to add the Get_device_compliance permission, and the Delegated permissions tile to add the Get_data_warehouse permission.

    API permission for Intune

  13. Select the following permissions, and click Add permissions.
    • Get_device_compliance - Application permissions
    • Get_data_warehouse - Delegated permissions

    Note:

    For the Intune NAC check, the only permission required is Get_device_compliance.

    API permissions get device

    API permission gets warehouse

  14. The following page lists the configured API permissions.

    List of API permission

  15. Navigate to Certificates & secrets and click New client secret.

    New client secret

  16. Under the Add a client secret page, enter a description, select expiry, and click Add.

    API permission

  17. The following screen shows the configured client secret.

    Note:

    The client secret is displayed only once when it is generated. Copy the displayed client secret locally. Use the same client secret along with the client ID associated with the newly registered app while configuring the OAuth action on the Citrix Gateway appliance for Intune.

    API permission

The application configuration on the Azure portal is now complete.
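The values gathered above (tenant ID, client ID, client secret, redirect URI, API permissions) are what the gateway uses for an OAuth 2.0 client-credentials exchange with Microsoft Entra ID. The following Python is an added example, not Citrix's or Microsoft's code: it builds that token request, inspects the roles claim of the returned access token to confirm the app actually received the application permission the note under step 7 requires (Application.Read.All), and audits the registration for a non-HTTPS redirect URI and for client secrets close to expiry. It assumes the application object follows the Microsoft Graph "application" resource shape (web.redirectUris, passwordCredentials with endDateTime) and that the token is requested for the Microsoft Graph .default scope; the tenant ID, client ID, secret, token and app object in the block are constructed placeholders.

```python
"""Checks around the Entra ID app registration used by Citrix Gateway for
Intune NAC compliance lookups: the client-credentials token request that the
client ID / client secret / tenant ID feed, the roles carried by the resulting
token, the redirect URI, and client-secret expiry."""
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Microsoft Entra ID v2.0 token endpoint (real endpoint; tenant ID is substituted).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
# Assumption: the gateway requests a token for Microsoft Graph's .default scope,
# which yields the application permissions granted to the app (e.g. Application.Read.All).
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def build_client_credentials_request(tenant_id, client_id, client_secret,
                                     scope=GRAPH_DEFAULT_SCOPE):
    """Return (url, form_fields) for an OAuth 2.0 client-credentials grant.
    The caller POSTs form_fields as application/x-www-form-urlencoded."""
    url = TOKEN_ENDPOINT.format(tenant_id=tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return url, form


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a JWT as a dict.
    The signature is NOT verified here: this only inspects which application
    roles the token carries; it must not be used to accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims, required):
    """Application roles (the 'roles' claim) the token should carry but does not."""
    return sorted(set(required) - set(claims.get("roles", [])))


def redirect_uri_problems(app_object, gateway_fqdn):
    """Flag redirect URIs that are not https or do not point at the gateway FQDN."""
    problems = []
    for uri in app_object.get("web", {}).get("redirectUris", []):
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            problems.append(f"{uri}: not https")
        if parsed.hostname != gateway_fqdn.lower():
            problems.append(f"{uri}: host is not {gateway_fqdn}")
    return problems


def _parse_graph_time(value):
    # Graph returns ISO 8601 timestamps with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secrets_expiring(app_object, within_days, now_iso=None):
    """Display names of client secrets (passwordCredentials) that expire within
    within_days of now (already-expired ones included). now_iso is an ISO 8601
    timestamp; it defaults to the current UTC time."""
    now = _parse_graph_time(now_iso) if now_iso else datetime.now(timezone.utc)
    deadline = now + timedelta(days=within_days)
    return [cred.get("displayName", cred.get("keyId", "?"))
            for cred in app_object.get("passwordCredentials", [])
            if _parse_graph_time(cred["endDateTime"]) <= deadline]


# ---- Constructed sample data: placeholder IDs, not a real tenant, app or token ----
def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-00000000c11e"  # placeholder
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "aud": "https://graph.microsoft.com",
        "appid": SAMPLE_CLIENT_ID,
        "roles": ["Application.Read.All"],
    }).encode()),
    "c2lnbmF0dXJl",  # placeholder signature, never verified above
])
SAMPLE_APP = {
    "appId": SAMPLE_CLIENT_ID,
    "web": {"redirectUris": ["https://gateway.example.com/",
                             "http://gateway.example.com/"]},
    "passwordCredentials": [
        {"displayName": "gateway-nac", "endDateTime": "2030-01-01T00:00:00Z"},
        {"displayName": "old-secret", "endDateTime": "2024-01-01T00:00:00Z"},
    ],
}

if __name__ == "__main__":
    url, form = build_client_credentials_request("<tenant-id>", SAMPLE_CLIENT_ID, "<client-secret>")
    print(url, sorted(form))
    print("missing roles:", missing_roles(decode_jwt_claims(SAMPLE_TOKEN), {"Application.Read.All"}))
    print("redirect problems:", redirect_uri_problems(SAMPLE_APP, "gateway.example.com"))
    print("expiring within 30 days:", secrets_expiring(SAMPLE_APP, 30, "2029-12-15T00:00:00Z"))
```

Running the checks against a real registration means fetching the application object with the Graph API and feeding a real token response into decode_jwt_claims; the roles check is the quickest way to confirm that admin consent for Application.Read.All (and for Get_device_compliance, when the token is requested for the Intune API) actually took effect before the gateway OAuth action is configured.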