Step by step guide to use RealmJoin Portal in a new tenant

Self-onboard RealmJoin Portal

App Permissions

First, connect the RealmJoin Portal itself:

  1. Visit https://portal.realmjoin.com and sign in as Global Administrator of your Entra ID tenant.
  2. The app will request the basic permissions needed to interact with RealmJoin Portal. These permissions are required for any user interacting with RealmJoin Portal, e.g. to use self-services.
  3. Click 'Accept' and continue.
  4. After a successful login the portal will try to interact with Entra ID for the first time and will ask you to connect RealmJoin Portal to Entra ID.
  5. Click 'Connect Now'.
  6. Several permissions can be granted; start with the RealmJoin Portal app and click 'Activate'.
  7. Authenticate and grant the basic permission for the RealmJoin Portal app.
  8. A feature page is now shown that gives granular control over the permissions.
  9. Review the listed permissions, then click 'Grant all' to grant all permissions required for the RealmJoin Portal. Note that these are application permissions granted to the RealmJoin service principal tenant-wide, which is why a Global Administrator has to consent.
  10. Copy the shown script via 'Copy to clipboard' and open PowerShell 7. Paste the clipboard text into PowerShell and run the script. PowerShell 7 is needed because the 'Microsoft.Graph' module used in the script only works flawlessly in PowerShell 7.
  11. You will be asked to authenticate with your Global Administrator account.
  12. If the tenant has never seen the 'Microsoft Graph Command Line Tools' application before, you will see a consent dialog which you need to 'Accept'; otherwise this step is skipped.
  13. After two successful authentications you will see a simple message in the browser indicating successful authentication.
  14. The script will run and show output similar to the example shown.
  15. All permissions are now set; navigate back to the browser and click 'I have executed the script'.
  16. A small dialog will confirm the successful permission verification.

👌 RealmJoin Portal is now successfully connected!

Depending on the feature set you are going to use, there are several additional permissions which can be granted:

  • RealmJoin Client App

  • Security Features

  • Optional Permissions

Let's connect the RealmJoin Client app to get the RealmJoin Agent working:

  1. On the feature page click 'Activate' next to RealmJoin Client app.
  2. Accept the consent dialog and the RealmJoin Client app is ready.
  3. The RealmJoin Client app will now show a button labelled 'Reactivate'. This indicates everything is ready.

Now connect the optional Security features (an existing Microsoft Defender for Endpoint subscription is needed for this):

  1. Click 'Activate' next to Security features.
  2. 'Accept' the consent dialog and the Security features are ready.
  3. The feature page should now also list the Security features with 'Reactivate', which again indicates everything is ready.
  4. You might not see all detailed permissions listed under RealmJoin Client app and Security features, because the tokens behind them have not been issued yet. This is not an error; it is normal at the beginning.

There are several optional permissions which can be granted individually, in the same way as we have already done for the RealmJoin Portal app. As an example, here is the step-by-step walkthrough for Intune LAPS. The procedure is identical for all other optional permissions.

  1. Click the 'Grant' link next to the optional permission.
  2. Copy the script to the clipboard by clicking 'Copy to clipboard'. As highlighted in the screenshot, this script only sets the DeviceLocalCredential.Read.All permission.
  3. Open PowerShell again and paste the script into the terminal.
  4. Authenticate with your Global Administrator account.
  5. After two successful authentications the script should complete successfully.
  6. Click 'I have executed the script' to complete the process.
  7. The successful permission verification is indicated with a small dialog.
  8. On the feature page you can see that the optional Intune LAPS permission is now granted.

Repeat this for all other optional permissions to get the full functionality of RealmJoin.

To revoke a permission, simply click the 'Revoke' link next to the permission and execute the resulting script in the same way. Instead of granting the permission, the script template will now remove it. This gives you granular control over the permissions held by RealmJoin.
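The portal's 'I have executed the script' check and the feature page tell you what RealmJoin believes was granted. As an added example (not RealmJoin's own script), the following PowerShell 7 snippet verifies this independently in Entra ID: it lists the Microsoft Graph application permissions actually assigned to the RealmJoin Portal service principal, and can optionally remove a single one, e.g. the DeviceLocalCredential.Read.All permission from the Intune LAPS walkthrough above. It uses the same Microsoft.Graph module the consent script relies on. The service principal display name 'RealmJoin Portal' is an assumption; check the exact name under Entra ID > Enterprise applications and adjust the parameter if it differs.

```powershell
#Requires -Version 7.0
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added example, not part of the RealmJoin onboarding scripts.
# Lists the Microsoft Graph application permissions (app role assignments) held by the
# RealmJoin Portal service principal, and optionally revokes one of them.
param(
    # Assumption: display name of the RealmJoin Portal enterprise application in your tenant
    [string]$AppDisplayName = 'RealmJoin Portal',
    # Permission to remove, e.g. 'DeviceLocalCredential.Read.All'; leave empty to report only
    [string]$RevokePermission
)

# Delegated scopes for the signed-in admin. Reading is enough for the report;
# AppRoleAssignment.ReadWrite.All is only requested when a revoke is asked for.
$scopes = @('Application.Read.All')
if ($RevokePermission) { $scopes += 'AppRoleAssignment.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# The Microsoft Graph resource service principal (well-known appId). Its appRoles map
# the role GUIDs found on assignments back to readable permission names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

$rjSp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($rjSp.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($rjSp.Count). Check the name under Enterprise applications."
}
$rjSp = $rjSp[0]

# Application permissions granted to RealmJoin are the appRoleAssignments where RealmJoin
# is the principal and Microsoft Graph is the resource.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $rjSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

Write-Host "Microsoft Graph application permissions held by '$($rjSp.DisplayName)':"
$assignments |
    Select-Object @{ n = 'Permission'; e = { $roleName[$_.AppRoleId] } },
                  @{ n = 'GrantedOn';  e = { $_.CreatedDateTime } },
                  @{ n = 'AssignmentId'; e = { $_.Id } } |
    Sort-Object Permission |
    Format-Table -AutoSize

if ($RevokePermission) {
    $target = $assignments | Where-Object { $roleName[$_.AppRoleId] -eq $RevokePermission }
    if (-not $target) {
        Write-Warning "'$RevokePermission' is not assigned to '$($rjSp.DisplayName)'; nothing to revoke."
        return
    }
    # Deleting the app role assignment removes the application permission tenant-wide.
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $rjSp.Id -AppRoleAssignmentId $target.Id
    Write-Host "Revoked '$RevokePermission' from '$($rjSp.DisplayName)'."
}
```

Run it without parameters after the 'Grant all' step to confirm the list matches what the feature page shows, and after any 'Revoke' to confirm the permission is really gone. Permissions granted this way are tenant-wide application permissions, so it is worth keeping this output (or the equivalent view under Enterprise applications > Permissions) as part of your change record.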

Next steps

If you want to use runbooks to automate daily operations, please continue by connecting to Azure Automation.
