Onboarding
Step by step guide to use RealmJoin Portal in a new tenant
Self-onboard RealmJoin Portal
App Permissions
First we start to connect the RealmJoin Portal
Visit https://portal.realmjoin.com and sign in as Global Admin of your Entra ID Tenant
The app will request the basic permissions needed to interact with RealmJoin Portal. These permissions are required for any user interacting with RealmJoin Portal - e.g. to use self-service features.
Click 'Accept' and continue
After a successful login, the portal will try to interact with Entra ID for the first time and will ask you to connect RealmJoin Portal to Entra ID
Click 'Connect Now'
Several permissions can be granted; start with the RealmJoin Portal app and click 'Activate'
Authenticate and grant the basic permission for the RealmJoin Portal app
A Feature page will now be shown, giving granular control over the permissions.
Click on 'Grant all' to grant all required permissions for the RealmJoin Portal
Copy the shown script via 'Copy to clipboard' and open a PowerShell 7 (Download). Paste the clipboard text into the PowerShell window and run the script. PowerShell 7 is needed because the 'Microsoft.Graph' module used in the script works flawlessly only in PowerShell 7!
You will be asked for authentication with your Global Administrator account
If the tenant has never seen the 'Microsoft Graph Command Line Tools' before, you will see the following consent dialog, which you need to 'Accept'; otherwise this step is skipped.
After two successful Authentications you will see a simple message in the browser indicating successful authentication
The script will run and show output similar to the following:
All permissions are now set, navigate to the Browser and click 'I have executed the script'
A small dialog will show successful permission verification
👌 RealmJoin Portal is now successfully connected!
Additional Permissions
Depending on the feature set you are going to use there are several additional permissions which can be granted.
RealmJoin Client App
Security Features
Optional Permissions
RealmJoin Client App
Activating permissions for the RealmJoin Client app will unlock an array of features exclusive to the RealmJoin Agent.
Let's connect the RealmJoin Client app to get the RealmJoin Agent working.
On the Feature page click on RealmJoin Client app 'Activate'
Accept the Consent dialog and the RealmJoin Client app is ready
The RealmJoin Client app will now show a button with 'Reactivate'. This indicates everything is ready.
Security Features
Now connect the optional Security features (an existing Microsoft Defender for Endpoint subscription is needed for this)
Click on Security features 'Activate'
'Accept' the Consent dialog and the Security features are ready
The feature page should now also list the Security features with 'Reactivate', which again indicates everything is ready.
You might not see all detailed permissions listed under RealmJoin Client app and Security features, as the tokens behind them have not been issued yet. This is not an error and is normal at the beginning.
Optional Features
There are several optional permissions which can be granted individually, in the same way as we have already done for the RealmJoin Portal app. As an example, here is the step-by-step walkthrough for Intune LAPS. The procedure is identical for all other optional permissions.
Click on the 'Grant' link next to the Optional Permission
Copy the script to the clipboard by clicking 'Copy to clipboard'. As highlighted in the picture below, the script will only set the DeviceLocalCredential.Read.All permission.
Open the PowerShell again and copy the script into the terminal
Authenticate with your Global Admin
After two successful authentications the script should execute successfully
Click on 'I have executed the script' to complete the process
The successful permission verification should be indicated with a small dialog
On the feature page you can see that the optional Intune LAPS permission is now granted. Repeat this for all other optional permissions to get the full functionality of RealmJoin.
Permission Revocation
To revoke a permission, simply click on the 'Revoke' link next to the permission and execute the resulting script. Instead of granting the permission, the script template will now remove it. This approach gives granular control over the permissions held by RealmJoin.
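Whether you have just granted an optional permission or revoked one, it is worth verifying the result in Entra ID independently of the portal's own check. The following script is an added example, not one of the RealmJoin permission scripts; it lists the Microsoft Graph application permissions actually assigned to a service principal and compares them with the list you expect. It assumes PowerShell 7 with the Microsoft.Graph module installed, and the display name 'RealmJoin Portal' is a placeholder for the service principal's name in your tenant.

```powershell
# Added example: audit the Microsoft Graph application permissions (app role
# assignments) held by a service principal, e.g. after a 'Grant' or 'Revoke' script.
# Assumptions: PowerShell 7, Microsoft.Graph module installed, $TargetDisplayName
# adjusted to the RealmJoin service principal's display name in your tenant.
#Requires -Version 7
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$TargetDisplayName   = 'RealmJoin Portal'                 # placeholder, adjust as needed
$ExpectedPermissions = @('DeviceLocalCredential.Read.All')  # what you expect after the grant

# Read-only scope is sufficient for an audit; no write permissions are requested.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Microsoft Graph's own service principal exposes the AppRoles that map role IDs
# to permission names. The AppId is the well-known Microsoft Graph application ID.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

$targetSp = Get-MgServicePrincipal -Filter "displayName eq '$TargetDisplayName'"
if (-not $targetSp) { throw "No service principal named '$TargetDisplayName' found." }

# Collect every app role assignment on the target whose resource is Microsoft Graph
# and translate the role IDs into readable permission names.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $targetSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] } |
    Sort-Object -Unique

Write-Host "Application permissions granted to '$TargetDisplayName' on Microsoft Graph:"
$granted | ForEach-Object { Write-Host "  $_" }

# Missing entries mean a 'Grant' did not take effect (or a 'Revoke' did);
# entries beyond the expected list deserve a second look before they stay in place.
$missing = $ExpectedPermissions | Where-Object { $_ -notin $granted }
$extra   = $granted | Where-Object { $_ -notin $ExpectedPermissions }
if ($missing) { Write-Warning "Expected but not granted: $($missing -join ', ')" }
if ($extra)   { Write-Host "Granted beyond the expected list: $($extra -join ', ')" }

Disconnect-MgGraph | Out-Null
```

After a 'Revoke', run it with the revoked permission removed from $ExpectedPermissions; it should then no longer appear in the granted list.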
Next steps
If you want to use runbooks to automate daily operations, please continue by connecting to Azure Automation.