Workspace ONE UEM integration with Microsoft allows customers to use Workspace ONE UEM device data such as device compliance state in the Azure AD conditional access policies. The integration gives you the ability to set different conditional access policies for individual Office 365 applications. Platform support for this feature is limited to iOS, Android, and Windows 10 OOBE enrolled devices.

You can restrict access to individual Office 365 applications if the device is unmanaged and not compliant. For instance, you can opt to allow users to access Microsoft Word on any device while restricting access to OneDrive to only managed and compliant devices.

Prerequisites

  1. Navigate to Monitor > Intelligence, check the Opt-in box, and complete the process. For more information, see VMware Workspace ONE Intelligence documentation. You do not need the VMware Workspace ONE Intelligence license to enable the integration.
  2. This feature is also supported for on-premises Workspace ONE UEM environments; however, the ETL connector must be installed and connected to the nearest Intelligence data center. For more information, see Workspace ONE Intelligence requirements.
    Note: You must create a publicly resolvable URL for the UEM console and open the network so that VMware Workspace ONE Intelligence can reach that console URL over port 443.
  3. Workspace ONE Intelligent Hub 20.3 and above.
  4. For all iOS and Android legacy devices, make sure Microsoft Authenticator is installed and registered.
  5. For all Android enterprise devices, Microsoft Authenticator and all the applications used for conditional access must be pushed as a managed app.
  6. You require a valid Microsoft Intune subscription, and Microsoft Intune licenses must be assigned to the users covered by this integration. For more information, see the Microsoft subscription documentation.
Warning:

You cannot disable or re-enable the integration under the following circumstances:

  • If you remove the VMware Workspace ONE mobile compliance partner from Partner compliance management in Azure Active Directory.
  • If you remove the Workspace ONE Conditional Access app from Enterprise applications in Azure Active Directory.

If you want to disable the integration, complete the following:

  • Disable the conditional access settings in the Workspace ONE UEM console.
  • Look up the security group and manually remove the existing device records in Azure Active Directory.

If you make changes to the Azure device partner compliance settings, complete the following:

  • Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Service > Sync Azure Services to sync the latest information from the Azure portal.

Procedure

  1. Log in to the Azure portal as an admin. Add VMware Workspace ONE mobile compliance as a device partner for the Android and iOS device types. For more information, see Support third-party device compliance partners in the Microsoft Intune documentation.
  2. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
  3. Enter the Azure Directory ID in the Directory ID text box. The Azure Directory ID is the last segment of your Azure AD Directory Instance URL. For example, if your URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section, 0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, is your Directory ID.
    Note: Currently, we only support mapping one Azure tenant to one Workspace ONE UEM Customer OG.
  4. Enable Use Azure AD for Compliance.
    Note: This setting is visible only for a customer OG. Child OGs inherit the setting, but it is not visible in their user interface.
    A pop-up menu appears that redirects you to Microsoft for authenticating the Azure AD.
  5. Click Proceed.
    You are directed to a Microsoft webpage to authenticate and approve the requested permissions.
  6. Accept the permissions.
    Once you accept the permissions, the Workspace ONE Conditional Access app is added to your Azure portal. For the Windows OOBE device type, the admin must manually add the AirWatch By VMware application.
  7. Navigate to the Workspace ONE UEM console and complete the integration.

    UEM validates whether the permissions were accepted, and a pop-up box appears. If you did not accept the permissions in step 6, the Complete Integration step is greyed out.

    If you accepted the permissions in step 6, the Complete Integration step is active, and a success message is displayed once the step completes.

    Once the integration is complete, navigate to Azure AD to configure conditional access policies. Under Enable Policy, select On to enable the desired policy. For more information, see Create a device-based Conditional Access policy.
    Note: Users are blocked and redirected to register their Workspace ONE enrolled devices with Intune and AAD only when they attempt to run an application that has an AAD conditional access policy applied to it. Configuring Azure AD conditional access policies as Report Only does not direct users through registration.
  8. If any changes are made to the Device partner compliance page in Intune, click Sync to sync the information.
  9. To manually send the compliance state and management state of the device to Azure, click Re-sync.
    Note: Once the resync is done, the button is grayed out for the next four hours.
  10. Once you have successfully completed the integration, navigate to Azure AD to configure conditional access policies. Under Enable Policy, select On to enable the desired policy. For more information, see Create a device-based Conditional Access policy.
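Two points in this procedure are easy to get wrong and are worth checking before a rollout: the Directory ID entered in step 3 must be the tenant GUID from the end of the Directory Instance URL, and a conditional access policy only triggers the Intune/AAD registration flow (step 7 note) when it is enforced, not when it is set to Report Only. The following is an added example, not VMware or Microsoft code. It assumes the policy objects follow the shape of the Microsoft Graph conditionalAccessPolicy resource (`state` values `enabled`, `disabled`, `enabledForReportingButNotEnforced`; `grantControls.builtInControls` containing `compliantDevice`); the application IDs and the sample URL are constructed placeholders, not real tenant values.

```python
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlparse

# Azure AD tenant (Directory) IDs are GUIDs: 8-4-4-4-12 hexadecimal groups.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Graph conditionalAccessPolicy state values.
STATE_ENABLED = "enabled"
STATE_REPORT_ONLY = "enabledForReportingButNotEnforced"
STATE_DISABLED = "disabled"


def extract_directory_id(instance_url: str) -> Optional[str]:
    """Return the trailing path segment of an Azure AD Directory Instance URL
    if it is a well-formed GUID, otherwise None (the value is not a tenant ID)."""
    if "://" not in instance_url:
        instance_url = "https://" + instance_url  # bare host/path form, as in the docs
    last = urlparse(instance_url).path.rstrip("/").rsplit("/", 1)[-1]
    return last.lower() if GUID_RE.match(last) else None


def compliant_device_policy(display_name: str, app_ids: Iterable[str],
                            platforms: Iterable[str], state: str = STATE_ENABLED) -> Dict:
    """Build a Graph-shaped policy that grants access to the listed apps only
    from a device reported as compliant (the 'managed and compliant' case)."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(app_ids)},
            "platforms": {"includePlatforms": list(platforms)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def policy_enforces_compliance(policy: Dict) -> bool:
    """True only when the policy is enforced (not report-only or disabled) and
    requires a compliant device; only such policies push users through
    Intune/AAD device registration."""
    if policy.get("state") != STATE_ENABLED:
        return False
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    return "compliantDevice" in controls


def apps_requiring_compliant_device(policies: List[Dict]) -> Set[str]:
    """Application IDs that are actually gated on device compliance; any app
    absent from this set is reachable from an unmanaged device."""
    gated: Set[str] = set()
    for policy in policies:
        if policy_enforces_compliance(policy):
            gated.update(policy["conditions"]["applications"]["includeApplications"])
    return gated


# Constructed placeholders: replace with the real application IDs of your tenant.
ONEDRIVE_APP_ID = "<onedrive-app-id>"
WORD_APP_ID = "<word-app-id>"
MOBILE_PLATFORMS = ["iOS", "android", "windows"]

if __name__ == "__main__":
    # Constructed sample URL; the trailing GUID is a placeholder, not a real tenant.
    url = "acme.example/WS/ADExt/Dir/11111111-2222-3333-4444-555555555555"
    print("Directory ID:", extract_directory_id(url))

    onedrive = compliant_device_policy("Require compliant device for OneDrive",
                                       [ONEDRIVE_APP_ID], MOBILE_PLATFORMS)
    report_only = compliant_device_policy("OneDrive (report only)",
                                          [ONEDRIVE_APP_ID], MOBILE_PLATFORMS,
                                          state=STATE_REPORT_ONLY)
    gated = apps_requiring_compliant_device([onedrive, report_only])
    print("Gated on compliance:", gated)
    print("Word reachable from any device:", WORD_APP_ID not in gated)
```

Run it against a list of policies exported from your tenant to see which applications are really gated on compliance; a policy left in `enabledForReportingButNotEnforced` shows up as not gated, which matches the note in step 7 that Report Only does not send users through registration.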