Enable and configure Intune Cross-Tenant Management
This article guides you through the processes of adding and managing multiple additional Intune tenants via the Nerdio Manager console, as part of the Intune Cross-Tenant Management feature.
Note: Intune Cross-Tenant Management is currently in Public Preview.
Prerequisites
Nerdio Manager subscription
The tasks in this procedure apply to the following Nerdio Manager subscription level(s):
| Subscription level | Note |
|---|---|
| AVD Core | * |
| AVD Premium | |
| Windows 365 | * |
| Unified Endpoint Management | * |
*The feature is fully functional in all subscriptions; however, initial setup makes use of AVD Premium Nerdio Manager features for Entra ID-based tenant linking. Subscribers to other plans will need to perform advanced configuration in the Azure CLI; see below for details.
Role-based access control (RBAC) and permissions
Intune Cross-Tenant Management requires configuration in both Microsoft Azure/Entra and Nerdio Manager. The following sections outline the minimum access levels required.
Note: Configuration can be performed by a single administrator across the different platforms and tenants, or by a number of different administrators. The steps to which each role applies are outlined below.
Nerdio Manager roles
The Admin role is required to enable and configure Intune Cross-Tenant Management in Nerdio Manager.
Nerdio Manager access levels
Following the Principle of Least Privilege (PoLP), you can define a custom role to enable and configure Intune Cross-Tenant Management in Nerdio Manager. Full Access in the Intune module is required.
Azure built-in roles
Following the Principle of Least Privilege (PoLP), configuring the necessary permissions to enable Intune Cross-Tenant Management in the secondary tenant(s) requires the following Azure built-in roles.
Important: An administrative account with these roles is required to create an app registration and configure the necessary permissions in each secondary tenant to be added to Nerdio Manager.
| Role | Description | Purpose |
|---|---|---|
| | Create and manage app registrations | An administrator assigned this role is required to create a Service Principal for the Nerdio Manager app service in each secondary tenant. This access is required to add or remove secondary tenant(s) only; it is not required for ongoing management. |
| Role Based Access Control Administrator or User Access Administrator | Manage access to Azure resources | An administrator assigned this role is required to grant the necessary access to the Nerdio Manager app service in each secondary tenant. This access is required whenever an Intune-managed function is added or removed for the tenant. |
Additional permissions
The Service Principal for the Nerdio Manager app service in each secondary tenant requires the permission LicenseAssignment.Read.All, in addition to the required Intune permissions for the functions to be managed. See Preparatory steps for configuration details.
Preparatory steps
Before you can manage your secondary tenant(s) in Nerdio Manager, you need to determine the permissions needed to manage your chosen features, and configure a Service Principal in each secondary tenant with the required permissions.
Note: You need to create and configure a Service Principal in each target tenant. If you're adding multiple secondary tenants to Nerdio Manager, you'll need to repeat these preparatory steps for each tenant.
To determine the required permissions:
Consult Intune: Granular permissions to determine the permissions the Nerdio Manager app service requires to implement each of the features you want to manage in your secondary tenant(s), and note them down.
Tip: Alternatively, you can determine the required permissions within Nerdio Manager as follows:
Navigate to Settings > Environment, and select the Integrations tab.
Select the Intune tab.
Under the Primary (Identity) Tenant heading, select the More options icon, and choose Configuration from the dropdown.
Select the tooltip for each function to determine the permissions Nerdio Manager requires to manage the function in the secondary tenant(s).
To create and configure a Service Principal in the secondary tenant(s) (for AVD Core, Windows 365 and UEM subscriptions):
Important: When support for user context mode is added, migration of secondary tenants from application context to user context will not be available for Core subscribers who have manually provisioned the Nerdio Manager Service Principal in the secondary tenant via the Azure CLI.
In the primary tenant, obtain and record the unique application ID for the Nerdio Manager application. You'll use this in the next step to create a Service Principal in the target tenant(s).
Use the Azure CLI to create a Service Principal in the target tenant, specifying the ID of the primary tenant Nerdio Manager application.
Add the required permissions you identified above, plus the permission LicenseAssignment.Read.All, to the Service Principal.
Obtain the target tenant ID and note it down. This will be required to add the tenant to Nerdio Manager.
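The Core-subscription route above, scripted with the Azure CLI as an added example (this is not Nerdio's own tooling). It assumes az is already logged in to the secondary tenant with an account holding the roles listed under Azure built-in roles, and that NME_APP_ID and NME_PERMS are environment variables you set to the primary-tenant application ID and the space-separated permission list you identified:

```shell
#!/bin/sh
# Added example, not Nerdio's own tooling. Assumes: az is logged in to the
# TARGET (secondary) tenant with rights to create service principals and
# grant application permissions; NME_APP_ID is the Nerdio Manager application
# (client) ID recorded in the primary tenant; NME_PERMS is the space-separated
# list of Graph application permissions you identified.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID

# Build the appRoleAssignment request body (pure shell, no az call).
assignment_body() {  # $1 = SP object id, $2 = Graph SP object id, $3 = app role id
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' "$1" "$2" "$3"
}

# Deduplicate the requested permissions and always include LicenseAssignment.Read.All.
required_perms() {  # $@ = permission values
  printf '%s\n' "$@" LicenseAssignment.Read.All | sort -u
}

# Look up the app role id of a Graph *application* permission by its value.
graph_role_id() {  # $1 = permission value
  az ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='$1' && contains(allowedMemberTypes, 'Application')].id" -o tsv
}

# Create the SP for the primary-tenant app in this tenant (if missing) and grant each role.
# Creating an appRoleAssignment on the SP is the CLI equivalent of granting admin consent.
provision_sp() {  # $1 = app id, remaining args = permission values
  app_id="$1"; shift
  sp_id=$(az ad sp show --id "$app_id" --query id -o tsv 2>/dev/null \
          || az ad sp create --id "$app_id" --query id -o tsv)
  graph_sp_id=$(az ad sp show --id "$GRAPH_APP_ID" --query id -o tsv)
  for perm in $(required_perms "$@"); do
    role_id=$(graph_role_id "$perm")
    if [ -z "$role_id" ]; then
      echo "unknown Graph application permission: $perm" >&2; return 1
    fi
    az rest --method POST \
      --url "https://graph.microsoft.com/v1.0/servicePrincipals/$sp_id/appRoleAssignments" \
      --body "$(assignment_body "$sp_id" "$graph_sp_id" "$role_id")" --output none
  done
  echo "$sp_id"
}

# Runs only when the assumed variables are set, so the functions can also be sourced.
if [ -n "${NME_APP_ID:-}" ]; then
  provision_sp "$NME_APP_ID" ${NME_PERMS:-}
  az account show --query tenantId -o tsv   # note this tenant ID for the Nerdio Manager link
fi
```

The script refuses to continue if a permission value is not a Graph application permission, so a typo in the list fails before anything is granted.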
To create a Service Principal in a secondary tenant (for AVD Premium Nerdio Manager subscriptions):
Navigate to https://entra.microsoft.com and log in with an admin ID granted the necessary permissions in the target tenant.
In the navigation pane, select App registrations.
Select + New registration.
Enter the following information:
Name: Type the user-facing display name for the application.
Supported Account Types: Select Accounts in this organizational directory only.
Redirect URI: Leave this field blank; no Redirect URI is needed.
Once you have entered the desired information, select Register.
Copy the Application (client) ID to be used for linking in Nerdio Manager.
From the menu, select Certificates & secrets.
Select + New client secret.
Enter a description and expiration time for the app registration.
Tip: We recommend that you set the expiration time to a value greater than one year.
Once you have entered the desired information, select Add.
Copy the Value of the Client App Secret to be used for linking in Nerdio Manager.
Important: You can only access the value of the Client App Secret upon initial creation. Double-check that you've copied the value down and stored it somewhere safe, as you won't be able to do so later.
Before leaving the page, ensure that you have recorded the following information for the created app registration. This will be required to add the tenant to Nerdio Manager.
Tenant ID
Client App ID
Client App Secret.
To add permissions to the Service Principal in a secondary tenant (for AVD Premium Nerdio Manager subscriptions):
Locate the newly created app registration in the App registrations list, and select its display name to open its Overview page.
In the navigation pane, select API permissions under the Manage heading.
Select + Add a permission.
Select Microsoft Graph.
Select Application permissions.
For each of the required permissions you identified above, plus the permission LicenseAssignment.Read.All, locate the permission in the list, and check its box.
When you've checked all the required permissions, select Add permissions.
Select Grant admin consent for <tenant name> to consent to the requested Nerdio Manager permissions on behalf of the tenant.
Add and enable secondary tenant(s) in Nerdio Manager
Once you've configured a service principal in the secondary tenant(s), you can link them from the Nerdio Manager instance in the primary tenant.
Note: While Intune Cross-Tenant Management is in Preview, we recommend that you add secondary tenants one by one and closely monitor Nerdio Manager performance before adding further tenants. Please raise a support ticket to report any adverse impact on performance.
To add the secondary tenant(s) to Nerdio Manager:
In Nerdio Manager, navigate to Settings > Environment, and select the Azure tab.
Expand the Primary Entra ID Tenant (AVD and Identity) heading.
In the Linked Entra ID Tenants section, select Link using app credentials.
If you have a Premium Nerdio Manager subscription,
Enter the target Tenant ID you recorded above.
In the Select app identity field, select Link a new app identity.
In the Identity type field, select App registration.
In the Identity name field, enter a friendly name that will enable you to easily identify the tenant later.
Note: Once this friendly name is configured, Nerdio Manager will use it to identify the tenant in drop-down menus and UI screens. You can edit this name later if necessary.
In the App ID field, enter the Client App ID you recorded above.
In the Azure cloud field, select Azure Global (commercial) or Azure US Government, as applicable to the target tenant.
In the Client app secret field, enter the Client App Secret you recorded above.
Alternatively, if you have a Core Nerdio Manager subscription,
Enter the target Tenant ID you recorded above.
In the Select app identity field, select the Nerdio Manager application for which you created a Service Principal in the secondary tenant. The remaining fields will autofill.
Select OK to link the secondary tenant to Nerdio Manager and close the editor.
Important: It may take some time for the API permissions to be registered. We recommend that you wait at least an hour before moving on to the next step.
To enable Intune for a secondary tenant in Nerdio Manager:
In Nerdio Manager, navigate to Settings > Environment, and select the Integrations tab.
Expand the Intune heading.
If the previous steps have been completed correctly, you'll see the secondary tenant listed, with the status Disabled showing in the Enabled column.
Select the tenant's More options icon, and choose Configuration from the dropdown.
Set the Current Status toggle to Enabled.
Enable the desired Intune management functions for the tenant.
Important: The selected functions should correspond exactly to the permissions you added to the app registration in the secondary tenant. If you want to manage additional functions, you'll need to manually add the corresponding permissions to the app registration.
Select Save to commit your changes and exit the configuration screen.
The tenant should now show as Enabled in the Intune tenant list.
Manage secondary tenant configuration in Intune
After you've enabled Intune for a secondary tenant, you can add or remove managed functions for the tenant or remove the tenant from the list of Intune-managed tenants altogether. Any changes to Intune-managed functions need to be made in parallel to the app registration in the secondary tenant and to the Intune integration in Nerdio Manager.
To modify Intune-managed features for a secondary tenant:
Consult Intune: Granular permissions to determine the permissions the Nerdio Manager app service requires to implement each of the features you want to manage in your secondary tenant(s), and note them down.
Using the Entra ID portal in the target tenant, locate the previously configured Nerdio Manager app registration and add or remove permissions to align with the modified set of Intune functions you want to manage. See the section of Preparatory steps relevant to your Nerdio subscription for configuration details.
In Nerdio Manager, navigate to Settings > Environment, and select the Integrations tab.
Expand the Intune heading.
Select the target tenant's More options icon, and choose Configuration from the dropdown.
Enable or remove the applicable Intune management functions for the tenant.
Important: The enabled functions should correspond exactly to the permissions you added to the app registration in the secondary tenant. If you want to manage additional functions, you'll need to manually add the corresponding permissions to the app registration.
Select Save to commit your changes and exit the configuration screen.
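Because the Intune functions enabled in Nerdio Manager and the permissions granted in the secondary tenant must stay in step, a drift check is useful after every change. The following script is an added example, not part of the original article or Nerdio's tooling; it assumes az is logged in to the secondary tenant, and that NME_APP_ID and EXPECTED_PERMS are environment variables you set to the Nerdio Manager app (client) ID and the space-separated permission list you noted from Intune: Granular permissions:

```shell
#!/bin/sh
# Added example, not Nerdio's own tooling: report drift between the Graph
# application permissions granted to the Nerdio Manager SP in a secondary
# tenant and the set you expect after changing its Intune functions. Assumes
# az is logged in to the TARGET tenant; NME_APP_ID is the app (client) ID of
# the Nerdio Manager SP; EXPECTED_PERMS is the space-separated expected list.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID

# Pure comparison of two newline-separated lists: entries only in the expected
# list are reported as "missing", entries only in the granted list as "extra".
diff_perms() {  # $1 = expected list, $2 = granted list
  exp=$(printf '%s\n' "$1" | grep -v '^$' | sort -u)
  got=$(printf '%s\n' "$2" | grep -v '^$' | sort -u)
  for p in $exp; do
    printf '%s\n' "$got" | grep -qxF "$p" || echo "missing $p"
  done
  for p in $got; do
    printf '%s\n' "$exp" | grep -qxF "$p" || echo "extra $p"
  done
}

# Permission values currently granted to the SP: its appRoleAssignments on the
# Microsoft Graph resource, mapped from role id back to the permission value.
granted_perms() {  # $1 = app id
  sp_id=$(az ad sp show --id "$1" --query id -o tsv)
  graph_sp_id=$(az ad sp show --id "$GRAPH_APP_ID" --query id -o tsv)
  az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$sp_id/appRoleAssignments" \
    --query "value[?resourceId=='$graph_sp_id'].appRoleId" -o tsv |
  while IFS= read -r role_id; do
    az ad sp show --id "$GRAPH_APP_ID" --query "appRoles[?id=='$role_id'].value" -o tsv
  done
}

# Runs only when the assumed variables are set, so the functions can also be sourced.
if [ -n "${NME_APP_ID:-}" ]; then
  expected=$(printf '%s\n' ${EXPECTED_PERMS:-} LicenseAssignment.Read.All)
  findings=$(diff_perms "$expected" "$(granted_perms "$NME_APP_ID")")
  if [ -n "$findings" ]; then
    echo "$findings"; exit 2   # non-zero so a change pipeline can stop on drift
  fi
  echo "granted permissions match the expected set"
fi
```

An "extra" finding is a permission the Service Principal holds beyond what the enabled functions need and is the one to act on first; a "missing" finding explains why a newly enabled function fails.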
To remove a tenant from Intune management:
In Nerdio Manager, navigate to Settings > Environment, and select the Integrations tab.
Select the More options icon for the tenant you want to remove, and choose Configuration from the dropdown.
Set the Current Status toggle to Disabled.
Select Save to commit your changes and exit the configuration screen.
The tenant should now show as Disabled in the Intune tenant list.
The Service Principal is no longer required for Intune management in Nerdio Manager, so you can safely remove it from the tenant provided it is not in use by any other features.
Important: Ensure that the Service Principal object is not required for AVD or Intune Insights before you remove it.