Workspace ONE UEM integration with Microsoft allows customers to use Workspace ONE UEM device data such as device compliance state in the Azure AD conditional access policies. The integration gives you the ability to set different conditional access policies for individual Office 365 applications. Platform support for public beta release on Workspace ONE UEM 2008 console or later is limited to iOS, Android, and Windows 10 OOBE enrolled devices.

You can restrict access to individual Office 365 applications if the device is unmanaged and not compliant. For instance, you can opt to allow users to access Microsoft Word on any device while restricting access to OneDrive to only managed and compliant devices.
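As an added illustration that is not part of the original documentation, the following is the Microsoft Graph representation of an Azure AD conditional access policy that implements the OneDrive scenario above: it targets a single application and grants access only when the device is reported as compliant, on the three platforms this integration supports. The application ID and the excluded break-glass group ID are placeholders you must replace; the device compliance signal itself is the one Workspace ONE UEM shares with Azure AD through the partner compliance integration described on this page.

```json
{
  "displayName": "Require compliant device for OneDrive (example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "applications": {
      "includeApplications": ["<APPLICATION-ID-PLACEHOLDER>"]
    },
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["<BREAK-GLASS-GROUP-ID-PLACEHOLDER>"]
    },
    "platforms": {
      "includePlatforms": ["android", "iOS", "windows"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice"]
  }
}
```

The policy is created in report-only mode (`enabledForReportingButNotEnforced`) so that the sign-in logs show which devices would have been blocked before the policy is switched to `enabled`; this is the check to run after completing the procedure below, because a device whose compliance record has not yet been synced from Workspace ONE UEM is treated as non-compliant and would otherwise be locked out. Excluding an emergency-access group keeps administrators from losing access if the partner integration is disabled or misconfigured.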

Prerequisites

Important: The APIs used to share device data with Azure AD Conditional Access Policies are in preview from Microsoft. Consider limiting your use of this feature to testing purposes only.
Warning:

You cannot disable or re-enable the integration under the following circumstances:

  • If you remove the VMware Workspace ONE mobile compliance partner from partner compliance management in Azure Active Directory.
  • If you remove the Workspace ONE Conditional Access app from the enterprise applications in Azure Active Directory.

If you want to disable the integration, complete the following:

  • Disable conditional access settings in Workspace ONE UEM console.
  • Look up the security group and manually remove the existing device records in Azure Active Directory.

If you are making changes to the Azure device partner compliance settings, complete the following:

  • Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Service > Sync Azure Services to sync the latest information from the Azure portal.

Make sure the following requirements are met:

  1. Navigate to Monitor > Intelligence, select the Opt-in check box, and complete the process. For more information, see the VMware Workspace ONE Intelligence documentation. You do not need a VMware Workspace ONE Intelligence license to enable the integration.
  2. Workspace ONE Intelligent Hub 20.3 or later is installed.
  3. For all your iOS and Android legacy devices, make sure you install and register Microsoft Authenticator.
  4. For all Android Enterprise devices, Microsoft Authenticator and all the applications used for conditional access must be pushed as managed apps.

Procedure

  1. Log into the Azure portal as an admin. Add VMware Workspace ONE mobile compliance as a device partner for the Android and iOS device type.
  2. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
  3. Enter the Azure Directory ID in the Directory ID text box. The Azure Directory ID is found in your Azure AD Directory Instance URL. For example, if your URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section, 0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, is your Directory ID.
    Note: Currently, we only support mapping one Azure tenant to one Workspace ONE UEM Customer OG.
  4. Enable Use Azure AD for Compliance.
    Note: This setting is visible only for a customer OG. Child OGs inherit this setting, but it is not visible in their user interface.
    A pop-up appears that redirects you to Microsoft to authenticate with Azure AD.
  5. Click Proceed.
    You are directed to a Microsoft webpage to authenticate and approve the requested permissions.
  6. Accept the permissions.
    Once you accept the permissions, the Workspace ONE Conditional Access app is added to your Azure portal. For the Windows OOBE device type, the admin must manually add the AirWatch By VMware application.
  7. Navigate to the Workspace ONE UEM console and complete the integration.
    A success message is displayed after the integration is complete.