Configuring a Citrix Gateway application on the Azure portal
The following section lists steps to configure a Citrix Gateway application on the Azure portal.
Prerequisite
- Azure global admin credentials
- Intune licensing is enabled
- For Intune Integration you need to create a Citrix Gateway application on Azure portal.
- Once the Citrix Gateway application is created, configure the OAuth policy on Citrix Gateway using the following application specific information:
- Client ID / Application ID
- Client Secret / Application Key
- Azure Tenant ID
- Citrix Gateway uses the app client id and client secret to communicate with Azure and check for NAC compliance.
To create Citrix Gateway App on Azure
- Log in to portal.azure.com
- ClickAzure Active Directory.
ClickApp registrationsand clickNew registration.
![Azure app registration]()
On theRegister an applicationpage, enter an app name and clickRegister.
![Name of app]()
Navigate toAuthentication, clickAdd URI, enter FDQN for Citrix Gateway, and clickSave.
![Redirect URL]()
Navigate to theOverviewpage to get Client ID, Tenant ID, and Object ID.
![Overview page]()
Navigate toAPI permissionsand clickAdd a permission.
- Scroll down and selectAzure AD Graph.
- ChooseApplication permissions, selectApplication.Read.All, and then clickAdd permissions.
- ClickGrant admin consent for
- Verify that the permissions are granted for your tenant.
![API permission]()
Note:
All Azure AD applications that call the
https://login.microsoftonline.comor thehttps://graph.windows.netservice endpoints require the API permission to be assigned for the gateway to be able to call the NAC API. The available API Permissions are:- Application.Read.All
- Application.ReadWrite.All
- Application.OwnedBy
- Directory.Read.All
The preferred permission isApplication.Read.All.
For more details, seehttps://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-intune-service-discovery-api-endpoint-will-require/ba-p/2428040
Click theMicrosoft Graphtile to configure API permissions for Microsoft Graph.
![MS graph]()
Click theDelegated permissionstile.
![API permission for MS graph]()
Select the following permissions, and clickAdd permissions.
openid- Profile
- Directory.AccessAsUser.All
- User.Read
- User.Read.All
- User.ReadBasic.All
![API permission 1]()
![API permission 2]()
![API permission 3]()
Additional permission for Intune NAC check:
All Azure AD applications that call the
https://login.microsoftonline.comor thehttps://graph.windows.netservice endpoints require the API permission to be assigned for the gateway to be able to call the NAC API. The available API Permissions are:- Application.Read.All
- Application.ReadWrite.All
- Application.OwnedBy
- Directory.Read.All
The preferred permission isApplication.Read.All.
For more details, seehttps://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-intune-service-discovery-api-endpoint-will-require/ba-p/2428040
Click theIntunetile to configure API permissions for Intune.
![Intune tile]()
Click theApplication permissionstile and theDelegated permissionstile to add permissions for Get_device_compliance and Get_data_warehouse respectively.
![API permission for intune]()
- Select the following permissions and clickAdd permissions.
- Get_device_compliance - Application permissions
- Get_data_warehouse - Delegated permissions
![API permission get device]()
![API permission get warehouse]()
The following page lists the configured API permissions.
![List of API permission]()
Navigate toCertificates & secretsand clickNew client secret.
![New client secret]()
Under theAdd a client secretpage, enter description, select expiry, and clickAdd.
![API permission]()
- The following screen shows the configured client secret.
Note
The client secret is displayed only once when it is generated. You must copy the displayed client secret locally. Use the same client secret along with client ID associated with the newly registered app while configuring the OAuth action on the Citrix Gateway appliance for Intune.
![API permission]()
The application configuration on Azure portal is now complete.