Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel EMA - Unable to successfully validate Entra ID (Azure AD) settings

Giri_S
Novice
711 Views

Hello Guys,

 

We are in the process of setting up Intel EMA in our environment using Azure AD as the authentication method. We have completed the initial configuration steps; however, we are currently unable to integrate Azure AD with Intel EMA. When attempting to connect Azure AD from Intel EMA, we are encountering the following error. Could you please help us identify what went wrong and guide us through the troubleshooting steps or any additional configurations we may need to perform?

 

Giri_S_0-1745491638810.png

 

1. In your Azure AD tenant (note that this is NOT the same as an Intel® EMA tenant), create a new app registration. This app will be associated with Intel® EMA once Intel® EMA is installed, and Intel® EMA will use this app to interact with Azure AD to exchange information.
   a. Go to Azure Active Directory > App Registration and create a new app registration.
   b. Supported account types for the new app must be Accounts in this organizational directory only.
   c. Configure the Redirect URI, choosing Web as the Platform.
   d. Enter https://<EMA FQDN or IP>/api/latest/azureLogin as the Redirect URL value.
   NOTE: This URL is case sensitive.
2. In the Certificates & Secrets section for the newly registered app, add a new client secret:
   a. At the time of client secret creation, record the client secret's value, as it is only displayed once. You will need this value later when you configure Intel® EMA's Web Server settings after installation. Be sure to secure this sensitive information.
   b. Consider the expiration date for the client secret. Note that before it expires, you will need to create a new client secret and update the Web Server settings in Intel® EMA.
3. In the API permissions section for the newly registered app, add the required permissions:
   a. Ensure that a "Delegated" permission type for Microsoft Graph with "User.Read" permission exists.
   b. Add a permission for Microsoft Graph with "Application" Type and with "GroupMember.Read.All" permission.
   c. Click to Grant admin consent for these API permissions.
4. Go to Overview section of the newly registered app and copy/record the Azure AD Directory (tenant) ID, the Azure AD Application (client) ID, to go with the Azure AD Client Secret Value you created above. Use these values to configure the Intel® EMA Web Server after initial server installation.

 

Thank you

0 Kudos
16 Replies
Arun_Intel1
Employee
655 Views

Hi Giri_S


Greetings!


We see that you are unable to successfully validate the Entra ID (Azure AD) settings.


Please find the Intel® Endpoint Management Assistant (Intel® EMA) Deployment Guide for Microsoft Azure, in the link given below, and find the Appendix A - Notes on Active Directory Integration for reference.

https://www.intel.com/content/www/us/en/content-details/841816/intel-endpoint-management-assistant-intel-ema-deployment-guide-for-microsoft-azure.html#page=30


Please keep us posted for any further queries or share your observation.


Best Regards

Arun

Intel Customer Support Technician

intel.com/vPro




0 Kudos
Giri_S
Novice
631 Views
Hi Arun,

We have installed Intel EMA on an on-premises server and are trying to connect Azure AD from Intel EMA only for user authentication.

We are trying to connect Azure AD from Intel EMA by providing the client ID, tenant ID and client secret as global admin in the initial setup. During this setup, we are getting this error.
0 Kudos
Arun_Intel1
Employee
606 Views

Hi Giri_S


Greetings!


We see that you are trying to connect to the Azure AD, from the Intel EMA,

Please refer to the link given below for the prerequisites that need to be considered for connecting to the Azure AD and share your observations:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


0 Kudos
Giri_S
Novice
555 Views
Hi Arun,

Thanks for the information.

We have an existing Azure AD setup and an app registered in Azure AD to connect with Intel EMA.
0 Kudos
Arun_Intel1
Employee
525 Views

Hi Giri_S,


Greetings!


Thanks for confirming. Please share your observation with us if the issue has been resolved after following the document. If the issue still persists, please share the Intel EMA server logs for us to investigate further, and if you would like to share them through email, please let us know so that we can write an email to your mail ID, to which you can revert.


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


0 Kudos
Arun_Intel1
Employee
440 Views

Hi Giri_S,


Greetings!


Thank you for contacting Intel, please feel free to revert for any further query!


Thanks & Regards

Arun

Intel Customer Support Technician



0 Kudos
AndreMatsuoka
Beginner
403 Views

What was the solution? I have the same problem.

0 Kudos
Arun_Intel1
Employee
382 Views

Hi AndreMatsuoka,


Greetings!


Please refer to the link below, and refer to page 45 in Appendix A:

https://www.intel.com/content/www/us/en/content-details/841816/intel-endpoint-management-assistant-intel-ema-deployment-guide-for-microsoft-azure.html#page=30


We may have to configure Entra first then install EMA with Entra ID as it is not possible to jump from On-premises to Windows AD or Entra AD.

 


Please follow the steps given below as well on how to integrate Azure AD with Intel EMA

  

Integrating Azure Active Directory (Azure AD) with Intel Endpoint Management Assistant (EMA) allows you to leverage Azure AD's identity and access management capabilities for user authentication and authorization within the EMA environment. This integration can streamline user management and enhance security. Here’s a step-by-step guide on how to integrate Azure AD with Intel EMA:

 

Prerequisites:

   Azure AD Subscription: Ensure you have an active Azure AD subscription and administrative access to manage Azure AD settings.
   Intel EMA Installation: Ensure Intel EMA is installed and configured in your environment.
   Administrative Access: You need administrative access to both Azure AD and Intel EMA to perform the integration.

Steps to Integrate Azure AD with Intel EMA:

1. Configure Azure AD:
   a. Register EMA as an Application:
      Log in to the Azure portal.
      Navigate to "Azure Active Directory" > "App registrations."
      Click "New registration" to register Intel EMA as an application.
      Provide a name for the application and set the redirect URI to the EMA server URL.
   b. Configure API Permissions:
      After registering the application, go to "API permissions."
      Add permissions required for EMA, such as "User.Read" and "Directory.Read.All."
   c. Generate Client Secret:
      Go to "Certificates & secrets" and create a new client secret.
      Note the client secret value, as it will be needed for EMA configuration.

2. Configure Intel EMA:
   a. Access EMA Console:
      Log in to the Intel EMA console with administrative credentials.
   b. Set Up Azure AD Integration:
      Navigate to the settings or configuration section related to authentication.
      Select Azure AD as the authentication provider.
      Enter the application ID, client secret, and tenant ID obtained from Azure AD.
   c. Test Integration:
      Test the integration by logging into EMA using Azure AD credentials.
      Ensure that users can authenticate and access EMA based on their Azure AD roles and permissions.

3. Manage Users and Roles:
   a. Assign Roles in Azure AD:
      Use Azure AD to manage user roles and permissions. Assign users to groups that correspond to EMA roles.
   b. Configure EMA Access:
      In the EMA console, map Azure AD groups to EMA roles to control access and permissions.

Additional Considerations:

   Security: Ensure that the integration is secure by using HTTPS for all communications and regularly updating credentials and secrets.
   Documentation: Refer to Intel EMA and Azure AD documentation for detailed instructions and best practices.
   Monitoring: Monitor authentication logs and user activity to ensure the integration is functioning correctly and securely.

By following these steps, you can successfully integrate Azure AD with Intel EMA, enhancing user management and security within your EMA environment.


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


0 Kudos
Giri_S
Novice
329 Views
Hi Arun,

We have followed the recommended steps; however, when we enter the Azure Entra ID details—specifically the Tenant ID and Client Secret—and click “Save and Sync Web Settings” in Intel EMA, we encounter the error message: “Unable to successfully validate Entra ID (Azure AD) settings.”

Thank you
0 Kudos
AndreMatsuoka
Beginner
295 Views

These permissions were configured, and the configuration worked

 

AndreMatsuoka_0-1746727941276.png

 

 

 

Now I have another error, 

AndreMatsuoka_1-1746725548896.png

 

Added the user, but it didn't go through.

AndreMatsuoka_2-1746728377647.png

 

 

log

2025-05-08 15:09:46.4014 [ERROR], Message: Error trying to login with Entra ID (Azure AD), Exception:System.Net.Http.HttpRequestException An error occurred while sending the request. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at MeshWebCore.WebApi.Frameworks.MicrosoftIdentity.Wrapper.MicrosoftIdentityWrapper.<RedeemAuthorizationCodeForAccessTokenAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at MeshWebCore.WebApi.Controllers.AzureLoginController.<AzureLoginAsync>d__14.MoveNext()
2025-05-08 15:10:58.6210 [ERROR], Message: Error trying to login with Entra ID (Azure AD), Exception:System.Net.Http.HttpRequestException An error occurred while sending the request. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at MeshWebCore.WebApi.Frameworks.MicrosoftIdentity.Wrapper.MicrosoftIdentityWrapper.<RedeemAuthorizationCodeForAccessTokenAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at MeshWebCore.WebApi.Controllers.AzureLoginController.<AzureLoginAsync>d__14.MoveNext()
2025-05-08 15:12:45.5481 [ERROR], Message: Error trying to login with Entra ID (Azure AD), Exception:System.Net.Http.HttpRequestException An error occurred while sending the request. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at MeshWebCore.WebApi.Frameworks.MicrosoftIdentity.Wrapper.MicrosoftIdentityWrapper.<RedeemAuthorizationCodeForAccessTokenAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at MeshWebCore.WebApi.Controllers.AzureLoginController.<AzureLoginAsync>d__14.MoveNext()
2025-05-08 15:18:44.9622 [ERROR], Message: There is no matching State value from the auth code request.
2025-05-08 15:38:48.6294 [ERROR], Message: Error trying to login with Entra ID (Azure AD), Exception:System.Net.Http.HttpRequestException An error occurred while sending the request. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at MeshWebCore.WebApi.Frameworks.MicrosoftIdentity.Wrapper.MicrosoftIdentityWrapper.<RedeemAuthorizationCodeForAccessTokenAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at MeshWebCore.WebApi.Controllers.AzureLoginController.<AzureLoginAsync>d__14.MoveNext()

 

 

 

0 Kudos
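Added example (not part of the thread, and not Intel code): a small triage script that groups the multi-line entries of a log in the format quoted above and sorts the Entra ID login errors by the stage that failed. The category names and the "what to check" hints are this example's own reading of the exception type and stack-frame names, not Intel documentation.

```python
import re
from collections import defaultdict

# Abridged copy of entries from the log quoted in the post above (stack frames shortened).
SAMPLE_LOG = """\
2025-05-08 15:09:46.4014 [ERROR], Message: Error trying to login with Entra ID (Azure AD), Exception:System.Net.Http.HttpRequestException An error occurred while sending the request. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at MeshWebCore.WebApi.Frameworks.MicrosoftIdentity.Wrapper.MicrosoftIdentityWrapper.<RedeemAuthorizationCodeForAccessTokenAsync>d__9.MoveNext()
at MeshWebCore.WebApi.Controllers.AzureLoginController.<AzureLoginAsync>d__14.MoveNext()
2025-05-08 15:18:44.9622 [ERROR], Message: There is no matching State value from the auth code request.
2025-05-08 15:38:48.6294 [ERROR], Message: Error trying to login with Entra ID (Azure AD), Exception:System.Net.Http.HttpRequestException An error occurred while sending the request. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at MeshWebCore.WebApi.Frameworks.MicrosoftIdentity.Wrapper.MicrosoftIdentityWrapper.<RedeemAuthorizationCodeForAccessTokenAsync>d__9.MoveNext()
"""

ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[(\w+)\], Message: ")

# (category, predicate on the full entry text, what to check). Assumed interpretations.
RULES = [
    ("token_redeem_transport",
     lambda t: "HttpRequestException" in t and "RedeemAuthorizationCodeForAccessTokenAsync" in t,
     "the server's outbound HTTPS request to redeem the auth code failed in transit: "
     "check DNS, firewall, proxy and TLS from the server to login.microsoftonline.com"),
    ("state_mismatch",
     lambda t: "no matching State value" in t,
     "the callback carried a state the server did not issue or no longer holds: "
     "stale or repeated callback, or a login started under a different host name"),
]

def parse_entries(text):
    """Attach continuation lines (stack frames) to the timestamped line that opens each entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2), "text": line[m.end():]})
        elif entries and line.strip():
            entries[-1]["text"] += "\n" + line.strip()
    return entries

def triage(text):
    """Return {category: [timestamps]} for the ERROR entries in the log text."""
    found = defaultdict(list)
    for e in parse_entries(text):
        if e["level"] == "ERROR":
            category = next((name for name, match, _ in RULES if match(e["text"])), "other")
            found[category].append(e["time"])
    return dict(found)

if __name__ == "__main__":
    hints = {name: hint for name, _, hint in RULES}
    for category, times in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(times)} ({times[0]} .. {times[-1]})\n  check: {hints.get(category, 'read the entry')}")
```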
Giri_S
Novice
149 Views
Hi Andre,

My server is located behind the corporate firewall. Do I need to open any specific ports to enable communication with Azure AD, or configure any SSL certificates? If so, could you please provide the required port numbers? Also, if SSL is needed, should it be configured with an internal one or an external one?
0 Kudos
Jimmy_Wai_Intel
Employee
138 Views

Hi Andre,

Your EMA server needs to have a valid public web server certificate configured in IIS at port 443. It also needs to be able to access the following URLs without going through a proxy server.

 

https://graph.microsoft.com
https://login.microsoftonline.com

 

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
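Added example (not part of the thread, and not Intel code): a check, run from the EMA server, that requests an app-only Microsoft Graph token from login.microsoftonline.com with proxies bypassed, so an unreachable endpoint and a rejected tenant ID, client ID or client secret show up as different results. It does not exercise the redirect URI or the browser sign-in, and it does not test graph.microsoft.com. The environment variable names are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# AADSTS codes returned by the Entra ID token endpoint, mapped to the setup value to recheck.
AADSTS_HINTS = {
    7000215: "invalid client secret: enter the secret's Value, not its Secret ID",
    7000222: "client secret expired: create a new one and update the EMA Web Server settings",
    700016: "Application (client) ID not found in this tenant",
    90002: "Directory (tenant) ID not found",
}

def explain_token_response(status, body):
    """Turn a token-endpoint reply into (ok, message)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False, f"HTTP {status} with a non-JSON body; a proxy or filter may be answering"
    if status == 200 and "access_token" in doc:
        return True, "tenant ID, client ID and client secret accepted"
    hints = [AADSTS_HINTS[c] for c in doc.get("error_codes", []) if c in AADSTS_HINTS]
    return False, "; ".join(hints) or doc.get("error_description") or f"HTTP {status}"

def check_credentials(tenant_id, client_id, client_secret, timeout=15):
    """Request an app-only Graph token directly (no proxy) and explain the outcome."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy settings
    try:
        with opener.open(urllib.request.Request(url, data=form), timeout=timeout) as resp:
            return explain_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # endpoint reached, request rejected
        return explain_token_response(err.code, err.read().decode())
    except OSError as err:  # DNS, TCP, TLS or timeout: nothing usable came back
        return False, f"could not reach login.microsoftonline.com directly: {getattr(err, 'reason', err)}"

if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; keeps the secret out of shell history
    print(check_credentials(env["EMA_TENANT_ID"], env["EMA_CLIENT_ID"], env["EMA_CLIENT_SECRET"]))
```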
Giri_S
Novice
98 Views
Hi Jimmy,

We have got the external certificate but we were unable to bind it to port 443. Our Intel EMA server is not exposed outside the corporate firewall. Do you have any idea whether the server needs to be exposed to the external network? We are able to bind the internal certificate but not able to bind the external certificate. Could you please suggest a fix, and schedule a call if call support is available for this case?

Thank you
0 Kudos
Jimmy_Wai_Intel
Employee
83 Views

Hi Giri,

From my experience with customers, Entra ID integration does require a public certificate installed on the Intel EMA server. Entra ID seems to validate the identity of the server during the registration process. An internal certificate, which cannot be validated, cannot work with the process.

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
Giri_S
Novice
42 Views
Hi Jimmy,

We have configured the public SSL certificate to the port 443 and the connection is now secure. But still we are getting the same issue. Could you please advise us on this case?

Thank you
0 Kudos
Arun_Intel1
Employee
273 Views

Hi AndreMatsuoka / Giri_S,


Greetings!


Hope the information provided was useful, thank you for contacting Intel!


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


0 Kudos