Connecting Microsoft Azure to Ivanti EPMM
This section covers setting up Ivanti EPMM to report the device compliance status to Microsoft Azure.
To view the Azure information about the device, go to the Device Details page. See Advanced searching for definitions.
Multiple Azure tenants
Starting from Ivanti EPMM 220.127.116.11, device users can connect to multiple Azure details and upload the device compliance status to its respective Azure tenant. A maximum of 36 tenants can be configured in Ivanti EPMM to push the Compliance status to.
Connecting the account
- Log in to Ivanti EPMM and go to Settings > System Settings.
- In the left navigational pane, select Microsoft Azure > Device Compliance for iOS & Android. The Device Compliance for iOS & Android page opens.
Select the Standard tenant type:
Once a tenant type is selected and added, this section will be disabled. Administrator can change the tenant type only after deleting all the added tenants.
- Select Submit.
- Select Add New Tenant.
- Enter the information for the following fields:
Azure Domain ID - This is the AAD Tenant ID.
Enrollment URL - (Optional) If the device is not MDM enrolled, device users will be pointed to this URL for enrollment. When configuring, use HTTPS format. If you host a page in your organization to redirect your device users for Enrollment information, add that link here. For example: https://<fqdn_of_EPMM>/mifs/aadIntuneEnrollment.jsp. If this field is left empty, the device user will be directed to a default enrollment URL / page that is hosted by Ivanti EPMM.
Remediation URL - (Optional) If the device is not in compliance, device users will be pointed to this URL for remediation. When configuring, use HTTPS format. If you host a page in your organization to redirect your device users for Remediation information, add that link here. For example: https://<fqdn_of_EPMM>/mifs/aadIntuneRemediation.jsp. If this field is left empty, the device user will be directed to a default enrollment URL / page that is hosted by Ivanti EPMM.
- Select Connect Account. The Connect Azure Account dialog box opens.
- Select Continue. The Microsoft Azure login page opens.
Log in using your Azure credentials.
Ivanti recommends using a global administrator privileged user to enable this feature.
- A Microsoft partnership page displays asking permission to connect Azure to Ivanti EPMM. Review the permissions and then click Accept.
If you log in and the page refreshes asking that you log in again, close the browser tab / window.
Once the necessary permissions are provided, Ivanti EPMM will be connected to Microsoft Azure, and, upon successful connection, the Administrator will be navigated back to Ivanti EPMM.
- In the Connect Azure Account dialog box, select the I have provided the consent check box and then click Confirm.
The Device Compliance for iOS & Android page refreshes to display Status: Enabled and three link options.
Repeat the above steps for adding multiple Microsoft Azure tenants.
Now that your Azure account is connected, add a new "Partner Device Compliance" policy to start reporting device compliance status to Azure. See Creating a partner device compliance policy.
Editing the account
The Administrator can edit the saved Azure tenant information.
If the tenant status is Enabled, administrator will be able to modify the Enrollment URL, or Remediation URL fields. The Azure domain ID field will be disabled.
If the status is Not Enabled, administrator can modify all fields.
Selecting Cancel in the Edit screen cancels editing and returns the administrator to the Device Compliance for iOS & Android page.
Validation of the Enrollment URL, or Remediation URL fields occur as per existing checks for single-tenant flow.
In the Device Compliance for iOS & Android page, select the Edit link. The page goes into Edit mode.
- Once the updated values are entered, Select the Connect button.
- Follow the process in Connecting the account.
If the device user changes the password for the AD account in the Azure portal, all the device users who have authenticated their clients (Ivanti [email protected]) using the same user (Azure) account will need to re-authenticate their Ivanti [email protected]. The device user will be prompted with a setup screen on Ivanti [email protected] to re-login via Authenticator.
Syncing the Device Compliance status of devices
Administrators can sync the Device Compliance status of any device(s) from Ivanti EPMM to Azure. In order for the sync to perform, at least one tenant is required to be connected. Syncing the Device Compliance status works only when the device is in active state.
When syncing for non-authenticated / non-related Azure devices, an error message displays listing device names. When the administrator performs a manual sync, a detailed Audit Log is generated for the device(s).
Applicable to all types of Azure tenants, for example: Standard, GCC_High, and DOD.
In the Admin Portal, go to Devices & Users > Devices.
Select device and choose Actions > Update Intune Compliance Status.
Disconnecting the account
To disconnect the account, select the Disconnect link. Ivanti EPMM will be disconnected from Microsoft Azure.
This is not the same as Deleting an account.
For more information, see De-provisioning of the Azure tenant.
Re-connecting a disconnected account
- Once the account is disconnected (Status displays as Not Enabled), a Connect link displays.
- Follow the process in Connecting the account.
Deleting an account
The delete option removes the saved tenant details from Ivanti EPMM.
IMPORTANT: This operation cannot be reverted.
- To delete the account, click on the Delete link.
- A dialog box opens asking confirmation of deletion. Select Yes.
- The account is disconnected and deleted.
What the device user sees
Device users may see screens that invite the device user to take action.
How do I access Microsoft 365 apps on my device?
Device out of compliance? Here's how to fix
Instructions for iOS and Android devices are provided on those pages for the device user to follow.
Azure account activity recorded in the logs
All activity of adding, editing, and deactivating an account are recorded in the Logs.