Entra ID environments
Overview
This guide describes an example desktop client provisioning scenario in an Entra ID environment.
The guide assumes that our goal is to provision desktop clients for a set of users in a specific Entra group.
Please note that this is only a reference; adjust it to fit your specific environment and preferred tooling.
Generating enrollment tokens
To automate the process as much as possible we've prepared an example PowerShell script which can be used to generate enrollment tokens for all users in a specified group.
The script can be downloaded here.
The assumption is that this script will be run by an Entra administrator on a domain-joined machine.
Prerequisites
network access to a Defguard instance
Defguard user account with admin privileges
domain-joined machine
Entra user account with the User Administrator and Attribute Assignment Administrator roles
custom security attribute set (default expected name is Defguard, but a different one can be used) with the following attributes defined in Entra: EnrollmentUrl (String), EnrollmentToken (String)
Defguard authentication
To securely access your Defguard instance's REST API you need to generate an API Token.
Entra authentication
By default the script will use current user's credentials for Entra authentication.
It will present an interactive prompt for selecting a user account. If this fails, the script will attempt the device code auth flow as a fallback.
Required parameters
Url - URL of your Defguard instance
ApiToken - your API token for Defguard API access
GroupName - name of the user group for which to generate enrollment tokens
Optional parameters
AttributeSetName - name of the custom security attribute set where the provisioning config data will be stored
EnrollmentTokenExpirationTime - how long the generated enrollment tokens should be valid for (default is 24h); specified as a human-readable string, e.g. 24h, 1d, 2w
Example script execution command
.\GenerateEnrollmentTokensEntraID.ps1 -Url "https://defguard.example.com" -ApiToken "dg-your-generated-token" -GroupName "DgProvisioning"
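The following is an added illustration of the attribute-writing half of the helper script, not the downloadable script itself: it enumerates the members of the target group with the Microsoft Graph PowerShell SDK and stores the enrollment URL and token in each user's custom security attributes. The Defguard API call that mints a token is not shown on this page, so it is passed in as a hypothetical $NewEnrollmentToken callback; the attribute set name "Defguard" and the Graph permission scopes are assumptions.

```powershell
# Added example, not the script linked on this page. Assumes the Microsoft.Graph
# SDK is installed and that an attribute set (default "Defguard") with the
# EnrollmentUrl and EnrollmentToken String attributes already exists in Entra.
param(
    [Parameter(Mandatory)] [string] $Url,        # Defguard instance URL
    [Parameter(Mandatory)] [string] $GroupName,  # Entra group to provision
    [string] $AttributeSetName = "Defguard",
    # Hypothetical callback: given a user principal name, returns a fresh
    # enrollment token from Defguard. Wrap your Defguard API call here.
    [Parameter(Mandatory)] [scriptblock] $NewEnrollmentToken
)

# Writing custom security attributes needs the Attribute Assignment
# Administrator role in addition to the delegated Graph scope below.
Connect-MgGraph -Scopes "GroupMember.Read.All", "User.Read.All",
    "CustomSecAttributeAssignment.ReadWrite.All" | Out-Null

# Escape single quotes so a group name cannot break the OData filter.
$safeName = $GroupName.Replace("'", "''")
$group = Get-MgGroup -Filter "displayName eq '$safeName'" -ErrorAction Stop
if (-not $group) { throw "Group '$GroupName' not found" }
if ($group.Count -gt 1) { throw "Group name '$GroupName' is ambiguous" }

$members = Get-MgGroupMember -GroupId $group.Id -All
foreach ($m in $members) {
    # Only user objects enroll clients; skip nested groups, devices, etc.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $upn = $m.AdditionalProperties['userPrincipalName']

    $token = & $NewEnrollmentToken $upn
    if ([string]::IsNullOrWhiteSpace($token)) {
        Write-Warning "No enrollment token returned for $upn, skipping"
        continue
    }

    # Custom security attributes are a nested hashtable keyed by attribute set
    # name; Graph requires the @odata.type member on the inner object.
    $attrs = @{
        $AttributeSetName = @{
            '@odata.type'   = '#Microsoft.DirectoryServices.CustomSecurityAttributeValue'
            EnrollmentUrl   = $Url
            EnrollmentToken = $token
        }
    }
    Update-MgUser -UserId $m.Id -CustomSecurityAttributes $attrs
    Write-Host "Provisioning attributes set for $upn"
}
```

Because the token is a credential, only principals holding an Attribute Assignment role can read these values back, which is the reason the Prerequisites list requires that role rather than plain user read access.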
Client provisioning scenario
Setup target users
prepare a user group containing all the users you intend to perform client provisioning for
User synchronization
Configure OpenID directory synchronization as described here
IMPORTANT: enable the Prefetch users option to create directory users in Defguard
Token Generation
Generate enrollment tokens for users using the helper script
Client Installation
Install the defguard-client application on user machines using the MSI installer
Pass the PROVISIONING=1 argument to execute the provisioning script during installation
Example command:
msiexec /i defguard-client.msi PROVISIONING=1 ADAttribute="description"
Automatic Configuration
During installation, the bundled script fetches provisioning configuration from Entra ID
The configuration is written to the client's data directory as explained here
User Enrollment
When the user launches the client for the first time, they are guided through the enrollment process
The enrollment uses the pre-configured token and URL from the provisioning file
Client Ready
Once enrollment is complete, the user can establish VPN connections and access protected resources