Microsoft Conditional Access is available for applications that contain the Microsoft Authentication Library (MSAL). This feature can be extended to applications that support SafariViewController and the SSO extension. Because the iOS Boxer client uses SafariViewController, it can support Microsoft Conditional Access on devices running iOS 13 and above.

Complete the following steps to configure the profile.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles.
  2. Select Add > Apple iOS > Device Profile.
  3. Configure Profile General settings.
  4. Select SSO Extension payload.
  5. Configure the profile settings.
    | Settings | Description | Recommended Settings |
    |---|---|---|
    | Extension Type | Select the type of SSO extension for the application. If Generic is selected, provide the Bundle ID of the application extension that performs SSO for the specified URLs in the Extension Identifier field. If Kerberos is selected, provide the Active Directory Realm and Domains. | Generic SSO extension type settings. |
    | Extension Identifier | Enter the Team Identifier of the application extension that performs SSO for the specified URLs. | As a best practice, you can enter com.microsoft.azureauthenticator.ssoextension. |
    | Type | Select either Credential or Redirect as extension type. Credentials extension is used for the challenge/response authentication. Redirect extension can use OpenID Connect, OAuth, and SAML authentication. | It is a best practice to select Redirect as the extension type. |
    | URLs | Enter one or more URL prefixes of identity providers where the application extension performs SSO. | As a best practice, you can enter the following: |
    | Additional Settings | Enter one or more URL prefixes of identity providers where the application extension performs SSO. | As a best practice, you can enter the following: `<dict> <key>TeamIdentifier</key> <string>SGGM6D27TK</string> </dict>` |

    Note: SGGM6D27TK is the identifier for Office apps.
  6. Select Save and Publish.
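
To confirm that a published profile carries the recommended values, the following added example (not part of the original documentation or the product) audits a profile file for the SSO Extension payload. It assumes the profile follows Apple's `com.apple.extensiblesso` payload schema (keys `ExtensionIdentifier`, `TeamIdentifier`, `Type`, `URLs`); the sample profile and the `https://idp.example.com/` prefix are constructed placeholders, and the function names are hypothetical.

```python
import plistlib

# Recommended values from the settings table above.
EXPECTED_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
EXPECTED_TEAM_ID = "SGGM6D27TK"
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"  # Apple's SSO extension payload type


def audit_sso_profile(profile_bytes):
    """Return a list of findings; an empty list means the profile matches."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SSO_PAYLOAD_TYPE]
    if not payloads:
        return ["no SSO Extension payload in profile"]
    findings = []
    for p in payloads:
        for key, want in (("ExtensionIdentifier", EXPECTED_EXTENSION_ID),
                          ("TeamIdentifier", EXPECTED_TEAM_ID),
                          ("Type", "Redirect")):
            if p.get(key) != want:
                findings.append(f"{key} is {p.get(key)!r}, expected {want!r}")
        urls = p.get("URLs") or []
        if not urls:
            findings.append("URLs is empty; a Redirect payload needs URL prefixes")
        for url in urls:
            # Apple's schema also accepts http://; flagged here because
            # identity provider traffic should always use TLS.
            if not url.lower().startswith("https://"):
                findings.append(f"URL prefix is not https: {url!r}")
    return findings


def build_sample(**overrides):
    """Constructed sample profile (not an export from a real console)."""
    payload = {
        "PayloadType": SSO_PAYLOAD_TYPE,
        "ExtensionIdentifier": EXPECTED_EXTENSION_ID,
        "TeamIdentifier": EXPECTED_TEAM_ID,
        "Type": "Redirect",
        "URLs": ["https://idp.example.com/"],  # placeholder, not from the page
    }
    payload.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    print(audit_sso_profile(build_sample()))
    print(audit_sso_profile(build_sample(Type="Credential", TeamIdentifier="XXXXXXXXXX")))
```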

What to do next

Configure the Authenticator application.

Do not use sharedDeviceMode as a configuration key. If the configuration key value is set, configure the value to be false under Resources > Apps > Native or Purchased > Select iOS Microsoft Authenticator > Assign > Select Assignment Name > Application Configuration.

| Configuration Key | Value Type | Configuration Value | Description |
|---|---|---|---|
| {sharedDeviceMode} | Boolean | False | Do not use sharedDeviceMode. Apps like Microsoft Teams or Microsoft OneDrive do not support sharedDeviceMode, and using it could result in login failure. |