Onboarding

Step by step guide to use RealmJoin Portal in a new tenant

Last updated 7 months ago

Self-onboard RealmJoin Portal

App Permissions

First, connect the RealmJoin Portal.

  1. Visit https://portal.realmjoin.com and sign in as Global Admin of your Entra ID tenant.

  2. The app will request the basic permissions needed to interact with RealmJoin Portal. These permissions are required for any user interacting with RealmJoin Portal, e.g. to use self-services.

  3. Click 'Accept' and continue.

  4. After successful login, the portal will try to interact with Entra ID for the first time and will ask you to connect RealmJoin Portal to Entra ID.

  5. Click 'Connect Now'.

  6. Several permissions can be granted. Start with the RealmJoin Portal app and click 'Activate'.

  7. Authenticate and grant the basic permission for the RealmJoin Portal app.

  8. A Feature page will now be shown, which gives granular control over the permissions.

  9. Click on 'Grant all' to grant all required permissions for the RealmJoin Portal.

  10. You will be asked to authenticate with your Global Administrator account.

  11. If the tenant has never used 'Microsoft Graph Command Line Tools' before, you will see a consent dialog, which you need to 'Accept'; otherwise this step is skipped.

  12. After two successful authentications you will see a simple message in the browser indicating successful authentication.

  13. The script will run and show its output.

  14. All permissions are now set. Navigate to the browser and click 'I have executed the script'.

  15. A small dialog will show successful permission verification.

👌 RealmJoin Portal is now successfully connected!

Additional Permissions

Depending on the feature set you are going to use, there are several additional permissions that can be granted.

  • RealmJoin Client App

  • Security Features

  • Optional Permissions

RealmJoin Client App

Let's connect the RealmJoin Client app to get the RealmJoin Agent working.

  1. On the Feature page, click 'Activate' for the RealmJoin Client app.

  2. Accept the consent dialog and the RealmJoin Client app is ready.

  3. The RealmJoin Client app will now show a button labelled 'Reactivate'. This indicates everything is ready.

Security Features

Now connect the optional Security features (an existing Microsoft Defender for Endpoint subscription is needed for this).

  1. Click 'Activate' for the Security features.

  2. 'Accept' the consent dialog and the Security features are ready.

  3. The Feature page should now also list the Security features with 'Reactivate', which again indicates everything is ready.

  4. You might not see all detailed permissions listed under the RealmJoin Client app and Security features, as the tokens behind them are not yet issued. This is not an error and is normal in the beginning.

Optional Features

There are several optional permissions which can be granted individually, in the same way as for the RealmJoin Portal app. As an example, here is the step-by-step walkthrough for Intune LAPS. The procedure is identical for all other optional permissions.

  1. Click on the 'Grant' link next to the optional permission.

  2. Copy the script to the clipboard by clicking 'Copy to clipboard'. The script will only set the DeviceLocalCredential.Read.All permission.

  3. Open PowerShell again and paste the script into the terminal.

  4. Authenticate with your Global Admin account.

  5. After two successful authentications the script should execute successfully.

  6. Click on 'I have executed the script' to complete the process.

  7. The successful permission verification should be indicated with a small dialog.

  8. On the Feature page you can see that the optional Intune LAPS permission is now granted. Repeat this for all other optional permissions to get the full functionality of RealmJoin.

Permission Revocation

To revoke a permission, click on the 'Revoke' link next to the permission and execute the script that is then shown, as before. Instead of granting the permission, the script template will now remove it. This approach gives granular control over the permissions granted to RealmJoin.
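To confirm independently that a grant or revoke left the tenant in the intended state, the following added example (not RealmJoin's script and not part of the original page) compares the Microsoft Graph application permissions assigned to an app with an expected list. It assumes the permissions are granted as Graph app role assignments; the app display name is a placeholder and the parameter names are illustrative.

```powershell
#Requires -Version 7.0
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added example (not RealmJoin's script): compare the Microsoft Graph application
# permissions actually assigned to an app with the set you intended to grant.
param(
    # Placeholder: the app's display name under Enterprise applications in your tenant.
    [string]   $AppDisplayName = '<RealmJoin app display name>',
    # Intended permissions; DeviceLocalCredential.Read.All is the one named on this page.
    [string[]] $Expected = @('DeviceLocalCredential.Read.All')
)

# Read-only delegated scope, sufficient to list service principals and role assignments.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# Microsoft Graph's own service principal (well-known appId) defines the app roles.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appSp   = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($appSp.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($appSp.Count)."
}

# Translate app role ids into permission names such as 'User.Read.All'.
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

# Keep only assignments whose resource is Microsoft Graph.
$granted = @(
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp[0].Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleName[$_.AppRoleId] }
)

# Unexpected = assigned but not intended; Missing = intended but not assigned.
[pscustomobject]@{
    App        = $AppDisplayName
    Granted    = $granted | Sort-Object
    Unexpected = @($granted  | Where-Object { $_ -notin $Expected })
    Missing    = @($Expected | Where-Object { $_ -notin $granted })
} | Format-List
```

After a 'Revoke', rerun it with that permission removed from `$Expected`; the permission should no longer appear under Granted or Unexpected.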

Next steps

Copy the shown script to the clipboard via 'Copy to clipboard' and open PowerShell 7 (Download). Paste the clipboard text into PowerShell and run the script. PowerShell 7 is needed because the 'Microsoft.Graph' module used in the script only works flawlessly in PowerShell 7!

Activating permissions for the RealmJoin Client app will unlock an array of features exclusive to the RealmJoin Agent.

If you want to use runbooks to automate daily operations, please continue by connecting to Azure Automation.