Dear Sir or Madam,
We are on Intel EMA version 1.12.2.0
I have logged into the tenant Windows server as tenant admin - with a cloud/AD hybrid account.
I have opened an admin PowerShell ISE instance
I have opened and modified and saved:
EMA_API-CreateOrDeleteClientCredentialsForTenant.ps1
but when I try to create a client ID token - I get the following:
-----------------
PS D:\> D:\EMA_API-CreateOrDeleteClientCredentialsForTenant.ps1
Target Intel(R) EMA Server = https://ourserver.city.ac.uk
Invoke-RestMethod : {"error":"invalid_grant","error_description":"The user name or password may be incorrect, or the
account may be locked."}
At D:\EMA_API-CreateOrDeleteClientCredentialsForTenant.ps1:65 char:14
+ ... $token = Invoke-RestMethod -Uri "$emaServerURL/api/token" -Method ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExceptio
n
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Error retrieving authentication token.
-------------------
I used as instructions:
Can you please help? What am I doing wrong?
Kindest regards
Yasser
Hello, Yasser,
Do you mind confirming if you are using Azure AD Authentication (Entra)?
Look forward to your reply.
Hi Miguel,
Yes, I've added the -useccauth parameter too. To no avail.
Kindest regards
Yasser
Yes, it is an Azure AD account... our main purpose is to get the EMA_API-CreateOrDeleteClientCredentialsForTenant.ps1 script working - and to do this - we need client credential tokens - so I've tried to generate them and it doesn't seem to work for me...
Hello, Yasser,
Azure AD is supported by EMA; however, in these instances, it is not possible to use APIs to retrieve a token for a user. Client credentials authentication is an available alternative for these instances; explained in the Intel® EMA API Guide.pdf available in the Intel® EMA zip file.
Intel® Endpoint Management Assistant (Intel® EMA) v 1.13.0.0
Regards,
Miguel C.
Intel Customer Support Technician
Dear Miguel,
I quote from section 2.2 from the API document:
2.2 Azure AD Authentication
Note: Azure AD authentication requires the Azure AD setup procedure that is documented in the installation prerequisites section of the Intel® EMA Server Installation and Maintenance Guide. Currently, Azure AD user login is supported only for direct interactions with the Intel EMA web interface. On Intel EMA instances configured to use Azure AD authentication, it is not possible for external applications or scripts to retrieve a token for an Azure AD user using the REST API. API integrations implementing authentication via Client Credentials will work on all Intel EMA instances, including those configured to use Azure AD login. API actions available to Client Credentials are limited. See the online API documentation on any Intel EMA instance at https:///swagger for details. API integrations implementing user login via Password and/or Windows Domain authentication will continue to work with Intel EMA instances configured to use those authentication methods.
I have gone to the swagger page and got this:
Submits a batch request to perform an out of band PowerOn operation on multiple endpoints
Roles required: Tenant Administrator, Client Credentials Endpoint Manager, User in a User Group with HasPowerOperationsAccess associated to target Endpoint Group
So how would I use this with an Azure AD account and PowerShell? How does authentication via client credentials work on this - can you please give clear and comprehensive instructions for this?
We created PowerShell scripts that turned on machines - but they are broken since we've moved to Azure AD authentication - so we're trying to fix these scripts.
Could it not be working as I used a Tenant Administrator account instead of an Endpoint Manager account?
Many thanks for all your help!
Kindest regards
Yasser
Dear Miguel,
Sorry for being impatient - is there any update to my latest response?
Many thanks for your guidance!
Kindest regards
Yasser
Hello, Yasser,
You need to use the client credentials for Azure AD (Azure Entra) instead of the tenant.
It is possible to do this by going to this https://www.city.ac.uk/samples/RestAPI/AccessToken.html for example (server name may be different), scroll to the bottom of the page and use the Client credentials now since you are using Azure Entra. Client ID is in xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx format. You will need both an Entra Client ID and a Client secret.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Yasser,
By any chance, have you been able to test our last recommendation?
Regards,
Miguel C.
Intel Customer Support Technician
Dear Miguel,
I seem to have some luck - for anyone with the same issue - I copied the sample folder from the decompressed installer files to a test Intel EMA environment to this folder: C:\inetpub\wwwroot of the test environment.
Then I logged into the Intel EMA console on the test environment on a browser with a tenant administrator account and then on a separate tab opened:
https://testenvironment.uk/Samples/RestApi/ClientCredentials.html
and selected the checkbox at the top saying Enable Session Cookie...
Then I went to the Post Credentials section
Chose Scope as EndpointManager
Client secret - I made up a password with capitals and special characters and mixed case
Token lifetime I chose 24
Max failed login attempts I chose 10
I pressed the blue Post Credentials button and got a response...
What I needed from the resultant credentials box was the:
client_id and I needed to remember the password I inputted...
Then I logged into the Intel EMA host as the Azure hybrid account that was Tenant Administrator and ran a PowerShell session
to test my new credentials:
.\Set-IntelEMAEndpointPowerState.ps1 -emaServerURL ourintelEMAserver.uk -emaAPIVersion latest -powerState PowerOn -hostname TESTHOST -useCCAuth -verbose
and it prompted for the client ID and secret - which I entered - and the script worked!
Many thanks Miguel!
I appreciate it!
Have a great day/night!
The only thing I forgot how I managed to get was the tenant ID - can you remind me of that Miguel to make it a complete answer?
For what it's worth - this is what seems to work for me.
Kindest regards
Yasser
Hello, Yasser,
Using Azure Entra has this limitation: the Tenant ID is missing. We need to use the option below:
Scroll to the bottom of the page and use the Client credentials now since you are using Azure Entra. Client ID is in xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx format. You will need both an Entra Client ID and a Client secret.
Regards,
Miguel C.
Intel Customer Support Technician
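
The client-credentials token request this thread settles on, as an added PowerShell example (not Intel's sample script and not code posted by anyone in the thread). The `/api/token` path comes from the error output in the first post; the function name `Get-EmaClientCredentialToken`, the `ema.example.test` URL, and the use of the standard OAuth 2.0 `client_credentials` form fields and `access_token` response field are assumptions to confirm against the Intel EMA API Guide.

```powershell
# Added example. Function name, URL and form-field names are assumptions (see lead-in).
function Get-EmaClientCredentialToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $EmaServerUrl,  # placeholder: https://ema.example.test
        [Parameter(Mandatory)] [string]       $ClientId,      # client_id returned by Post Credentials
        [Parameter(Mandatory)] [securestring] $ClientSecret   # secret chosen when posting credentials
    )

    # Unwrap the secret only for the duration of this request.
    $plain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $request = @{
        Uri         = "$EmaServerUrl/api/token"
        Method      = 'Post'
        ContentType = 'application/x-www-form-urlencoded'
        Body        = @{
            grant_type    = 'client_credentials'  # RFC 6749 section 4.4, assumed to apply here
            client_id     = $ClientId
            client_secret = $plain
        }
    }
    try {
        $resp = Invoke-RestMethod @request
    }
    catch {
        $err = $_
        # The server's JSON error body (invalid_grant in the first post) is in ErrorDetails.
        $detail = $null
        if ($err.ErrorDetails.Message) {
            try { $detail = $err.ErrorDetails.Message | ConvertFrom-Json } catch { }
        }
        if ($detail.error) {
            throw "Token request rejected: $($detail.error) - $($detail.error_description)"
        }
        throw $err
    }
    finally {
        $plain = $null; $request = $null
    }
    if (-not $resp.access_token) { throw 'Token response contained no access_token.' }
    # Pass this hashtable to later Invoke-RestMethod calls with -Headers.
    return @{ Authorization = "Bearer $($resp.access_token)" }
}

# Prompting keeps the secret out of script files and command history.
$secret  = Read-Host -Prompt 'Client secret' -AsSecureString
$headers = Get-EmaClientCredentialToken -EmaServerUrl 'https://ema.example.test' `
    -ClientId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -ClientSecret $secret
```

The credential's scope decides which API actions the resulting token can call, so a scope such as EndpointManager with a short token lifetime limits what a leaked secret can do.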