Overview
Microsoft Entra ID (formerly Azure AD) enrollment allows Windows devices joined to an organisation's cloud directory to onboard into Mobile Guardian automatically or on demand.
Authentication is managed natively by Microsoft Entra ID. No secondary or local Mobile Guardian credentials are required from the end user.
Prerequisites
| Requirement | Detail |
| --- | --- |
| Entra ID License | Microsoft Entra ID P1 / P2 or higher (included natively in Microsoft 365 Education A3 / A5). |
| User Sync Requirement | User accounts must be synchronised to the Mobile Guardian directory prior to enrollment. Enrollment requests will be denied if the target UPN is missing from the platform. |
| Admin Privileges | Global Administrator or Intune Administrator privileges within the target Entra ID tenant. |
Step-by-Step Implementation
Step 1: Grant Tenant Admin Consent
The tenant administrator must authorise the Mobile Guardian MDM enterprise application to interface with the school or organisation directory.
- Navigate to the following authorisation URL, replacing <tenant-id> with your unique directory ID:
https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=<mobileguardian-app-client-id>
(Note: Your specific client ID can be found in the Mobile Guardian console under Identity -> Overview).
- Authenticate using your administrative credentials, review the requested directory permissions matrix, and click Accept.
Verifying Consent Status
To confirm that the tenant registration was completed successfully:
- Open the Entra admin center and navigate to Identity -> Enterprise applications -> All applications.
- Search for Mobile Guardian.
- Select the application, choose Security -> Permissions, and review the Admin consent tab to verify the authorised scope.
Step 2: Configure Enrollment Discovery (Choose Method A or B)
Because enrollment can be handled via standard DNS discovery or natively via the cloud app gallery, implement the step below that matches your platform migration status.
Method A: DNS CNAME Mapping (Standard Workstations)
If using manual, user-driven device onboarding via Windows Settings, your public DNS records must map discovery strings directly to the cloud gateway. Add the following record to your external domain host:
- Record Type: CNAME
- Host / Name: EnterpriseEnrollment.<school-domain>
- Value / Target: <enrollment-domain> (Provided specifically for your hosting region by Mobile Guardian support).
Example Configuration: For a school managing the domain school.edu routing to the regional server mdm-windows-enroll.mobileguardian.com, the resulting record string is:
EnterpriseEnrollment.school.edu CNAME mdm-windows-enroll.mobileguardian.com
Method B: Mobility Management (Post-Gallery Approval & Autopilot)
Once the platform's native application gallery profile is live, configuration transitions entirely inside the cloud identity console, unlocking support for Windows Autopilot:
- Open the Entra admin center and go to Identity -> Mobility (MDM and MAM).
- Click + Add application and select Mobile Guardian.
- Set the MDM user scope to All (or choose Some to specify a target user group for a phased rollout).
- Apply the following regional infrastructure URLs:
- MDM discovery URL: https://<enrollment-domain>/EnrollmentServer/Discovery.svc
- MDM terms of use URL: https://<enrollment-domain>/EnrollmentServer/TermsOfService.svc
- MDM compliance URL: (Leave completely blank unless explicitly directed by support).
- Click Save.
Technical Authentication & Enrollment Workflow
[User / Device] ------------(1) Discovery Request------------> [Mobile Guardian MDM]
      |                                                                  |
      |-----(2) Auth Redirect-----> [Entra ID]                           |
      |<----(3) Issues JWT Token-----|                                   |
      |                                                                  |
      |-----------------------------(4) Submit CSR + JWT---------------->|
                                                                  [API Validate]
                                                                    |--> Verifies Signatures via JWKS
                                                                    |--> Validates User Sync Status
                                                                    |--> Issues Local CA Client Cert
- Discovery: The endpoint checks for an enrollment path using either the localised client domain CNAME or the server-side Entra MDM Mobility entry point.
- Federation Policy: Mobile Guardian responds, marking the authentication policy as Federated and pointing the client to the Microsoft OAuth endpoint.
- Identity Verification: The user authenticates natively against Entra ID. The platform returns a signed JSON Web Token (JWT) detailing the user account parameters (upn, oid, tid, deviceid).
- Validation Handshake: The device forwards its Certificate Signing Request (CSR) along with the raw JWT back to the MDM Enrollment Service.
- Directory Audit: The engine cross-checks the token properties against Microsoft's OIDC JWKS public key endpoints, validates that the user exists in the local database, signs the CSR with the root CA identity, and securely returns a WAP Provisioning Profile containing the unique client management certificate.
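The validation handshake above (signature check, tenant and audience match, expiry, then the user-sync check that the prerequisites say will deny enrollment for an unsynchronised UPN) can be exercised offline with the following added example. It is not Mobile Guardian's code: the tenant ID, client ID, user list and signing key are constructed demo values, and demo_verify uses an HMAC stand-in so it runs without network access, whereas the production path verifies RS256 signatures against Microsoft's published JWKS endpoint and leaves allowed_algs at its RS256 default.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: not real tenant, client or user identifiers.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
CLIENT_ID = "11111111-1111-1111-1111-11111111bbbb"
SYNCED_UPNS = {"student@school.edu", "teacher@school.edu"}  # already synchronised
DEMO_KEY = b"offline-demo-secret"  # stands in for the Entra ID signing key
NOW = 1_700_000_000

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def demo_verify(signing_input: bytes, sig: bytes) -> bool:
    # Offline stand-in for RS256 verification against Microsoft's JWKS endpoint.
    return hmac.compare_digest(hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest(), sig)

def make_demo_token(claims: dict, alg: str = "HS256") -> str:
    # Builds a constructed token for testing; real tokens are issued by Entra ID.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    h, p = enc(json.dumps({"alg": alg, "typ": "JWT"}).encode()), enc(json.dumps(claims).encode())
    return f"{h}.{p}." + enc(hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest())

def validate_enrollment_token(token, synced_upns, verify_signature,
                              allowed_algs=("RS256",), now=None):
    """Return (True, claims) or (False, denial reason), in the workflow's order:
    signature, then tenant and audience, then expiry, then user-sync status."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm from server-side config; never trust the token's own 'alg'.
    if header.get("alg") not in allowed_algs:
        return False, "algorithm not allowed"
    if not verify_signature(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        return False, "bad signature"
    if claims.get("tid") != TENANT_ID:
        return False, "wrong tenant"
    if claims.get("aud") != CLIENT_ID:
        return False, "wrong audience"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if str(claims.get("upn", "")).lower() not in synced_upns:
        return False, "UPN not synchronised"  # the denial the prerequisites describe
    return True, claims
```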