Use Compliance Data in Azure AD Conditional Access Policies

Workspace ONE UEM integration with Microsoft allows customers to use UEM device data, such as device compliance status, in Azure AD conditional access policies. The integration lets you set different conditional access policies for individual Office 365 applications. This feature supports iOS, Android, Windows (OOBE-enrolled devices), and macOS.

Prerequisites

Note: We currently do not support FedRAMP Workspace ONE UEM environments, or Government Community Cloud (GCC) and GCC High Azure environments.

  1. Navigate to Monitor > Intelligence, select the Opt-in box, and complete the process. For more information, see VMware Workspace ONE Intelligence documentation. You do not need the VMware Workspace ONE Intelligence license to enable the integration.
  2. On-premises Workspace ONE UEM environments support this feature, but only when the ETL connector is installed and connected to the nearest Intelligence data center. For more information, see Workspace ONE Intelligence Requirements.

    Note: You must create a publicly resolvable URL for the UEM console and open the network so that VMware Workspace ONE Intelligence can reach that console URL over port 443 (HTTPS). Limit the inbound allow rule to the Intelligence source addresses listed in the requirements documentation rather than exposing the console to the whole Internet.

  3. For iOS, Android, and Windows devices, Workspace ONE Intelligent Hub 20.3 or later is required.

  4. For macOS, Workspace ONE Intelligent Hub 21.11 or later is required.

    Note: Microsoft Conditional Access for the macOS platform requires that the email address of the user account in Workspace ONE UEM matches the account used to log in to the Microsoft application.

  5. For all Android Enterprise devices, push Microsoft Authenticator and every application used for conditional access as managed apps.

  6. A valid Microsoft Intune subscription is required. Assign Microsoft Intune licenses to the users covered by this integration. For more information, see the Microsoft subscription documentation.

Warning: You cannot deactivate or re-enable the integration from the Workspace ONE UEM console under the following circumstances:

  • If you remove the VMware Workspace ONE mobile compliance partner from Partner compliance management in Azure Active Directory.
  • If you remove the Workspace ONE Conditional Access app from Enterprise applications in Azure Active Directory.

If you want to deactivate the integration, complete the following:

  • Deactivate the conditional access settings in the Workspace ONE UEM console.
  • Review the security group and manually remove the existing device records from Azure Active Directory, so that stale devices cannot continue to satisfy a compliant-device grant.

If you make changes to the Azure device partner compliance settings, complete the following:

  • Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Service > Sync Azure Services to sync the latest information from the Azure portal.

You can restrict access to individual Office 365 applications when the device is unmanaged or not compliant. For instance, you can allow users to access Microsoft Word on any device while restricting OneDrive to managed and compliant devices only.

Procedure

  1. Log in to the Azure portal as an admin. Add VMware Workspace ONE mobile compliance as a device compliance partner for Android devices and iOS devices. For more information, see Support third-party device compliance partners in the Microsoft Intune documentation.

  2. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.

  3. Enter the Azure Directory ID (the tenant ID, a GUID) in the Directory ID text box.

    You can locate the Azure Directory ID by looking at your Azure AD Directory Instance URL. For example, if your URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section, 0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, is your Directory ID (the value shown here is a placeholder). The same value is displayed as Tenant ID on the Azure Active Directory Overview page in the Azure portal.

    Note: Currently, we only support mapping one Azure tenant to one Workspace ONE UEM Customer OG.

  4. Enable Use Compliance Data in Azure AD for Conditional Access Policies.

    Note: This setting is visible only for a customer OG. Child OGs inherit the setting, but it is not visible in their user interface.

  5. For Windows: Enable Use Compliance Data in Azure for Conditional Access Policies for Windows.

  6. For iOS, Android, and macOS: Enable Use Compliance Data in Azure Conditional Access Policies for iOS and Android.

    Note: macOS uses the same setting as iOS and Android. To enable the feature for macOS, add the macOS platform in the Device partner compliance blade of the Intune console, then click Sync Azure Services in the Workspace ONE UEM console to sync the change.

  7. In the Workspace ONE UEM console, complete the integration.

    UEM performs a validation and displays a pop-up asking you to accept the Microsoft permissions (admin consent). The Complete Integration step is dimmed until you accept these permissions; once you accept, the step becomes active and a success message displays after it finishes.

    After the integration is complete, navigate to Azure AD to configure conditional access policies. Under Enable Policy, select On to enable the desired policy. For more information, see Create a device-based Conditional Access policy.

    Note: Users are blocked and redirected to register their Workspace ONE-enrolled devices with Intune and Azure AD only when they open an application that has an Azure AD conditional access policy applied to it. A policy configured as Report-only does not direct users through registration, so it cannot be used to pre-stage device registration before enforcement.

  8. Click Sync to pull the latest information whenever the Device partner compliance page in Intune changes.

  9. To send the compliance state and management state of devices to Azure manually, click Re-sync.

    Note: Re-sync is not available for 4 hours after it completes.
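As an added example, not part of the original page: the device-based policy that the procedure above ends with, created through the Microsoft Graph PowerShell SDK instead of the Azure portal. It requires a compliant device (as reported by Workspace ONE through the partner integration) for OneDrive, which is backed by the Office 365 SharePoint Online first-party app, and for Apple Internet Accounts, the cloud app used by the iOS native mail client, while leaving Word reachable from any device as in the earlier OneDrive/Word example. The group names WS1-CA-Users and CA-Break-Glass are assumptions; the SharePoint Online app ID is the well-known first-party value and should be verified under Enterprise applications before use.

```powershell
# Added example (not Workspace ONE or Microsoft product code). Requires the
# Microsoft.Graph PowerShell module and an admin who can manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Assumed group names; replace with your own. The break-glass group is excluded
# so that a misconfigured compliance feed cannot lock every admin out.
$targetGroup = Get-MgGroup -Filter "displayName eq 'WS1-CA-Users'"
$breakGlass  = Get-MgGroup -Filter "displayName eq 'CA-Break-Glass'"
if (-not $targetGroup -or -not $breakGlass) { throw "Target or break-glass group not found" }

# Office 365 SharePoint Online is the first-party app behind OneDrive.
# Well-known app ID; confirm it under Enterprise applications in your tenant.
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

# Apple Internet Accounts is the cloud app the iOS native mail client signs in through.
# If the lookup returns nothing, take the app ID from the Conditional Access cloud-app picker.
$appleAccounts = Get-MgServicePrincipal -Filter "displayName eq 'Apple Internet Accounts'"
if (-not $appleAccounts) { throw "Apple Internet Accounts service principal not found" }

$policy = @{
    displayName = "Require Workspace ONE compliant device for OneDrive and native mail"
    # 'enabled' enforces the policy. 'enabledForReportingButNotEnforced' (Report-only)
    # only logs results and does not push users through Intune/Azure AD registration.
    state       = "enabled"
    conditions  = @{
        users = @{
            includeGroups = @($targetGroup.Id)
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{
            # Word is deliberately not listed, so it stays reachable from any device.
            includeApplications = @($sharePointAppId, $appleAccounts.AppId)
        }
        platforms = @{
            includePlatforms = @("iOS", "android", "macOS", "windows")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # compliantDevice is satisfied only when the device record in Azure AD carries
        # the managed and compliant state that Workspace ONE syncs through the integration.
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Before setting state to enabled, confirm that Re-sync has pushed device records for a pilot user; a compliant-device grant evaluated against a device Azure AD has not yet seen blocks the sign-in rather than passing it.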

Configure MS Conditional Access For Workspace ONE Boxer and iOS Native Mail

Microsoft Conditional Access is available for applications that contain the Microsoft Authentication Library (MSAL). It can be extended to applications that support SafariViewController and the SSO extension. Because the iOS Boxer client and the iOS native mail client use SafariViewController, they can support Microsoft Conditional Access on iOS 13 and later.

Complete the following steps to configure the profile.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles.

  2. Select Add > Apple iOS > Device Profile.

  3. Configure Profile General settings.

  4. Select SSO Extension payload.

  5. Configure the profile settings.

    Extension Type
      Description: Select the type of SSO extension for the application. If Generic is selected, provide the Bundle ID of the application extension that performs SSO for the specified URLs in the Extension Identifier field. If Kerberos is selected, provide the Active Directory Realm and Domains.
      Recommended setting: Generic.

    Extension Identifier
      Description: Enter the Bundle ID of the application extension that performs SSO for the specified URLs.
      Recommended setting: com.microsoft.azureauthenticator.ssoextension (the Microsoft Authenticator SSO extension).

    Type
      Description: Select either Credential or Redirect. A Credential extension handles challenge/response authentication. A Redirect extension handles OpenID Connect, OAuth, and SAML authentication.
      Recommended setting: Redirect, because Azure AD authenticates with OAuth and OpenID Connect.

    URLs
      Description: Enter one or more URL prefixes of identity providers for which the application extension performs SSO.
      Recommended setting:
      https://login.microsoftonline.com
      https://login.windows.net
      https://sts.windows.net
      https://login.microsoft.com

    Additional Settings
      Description: Enter any payload keys that the user interface does not expose, as plist XML. The Generic extension type also needs the Team Identifier of the developer that signed the SSO extension.
      Recommended setting:
      <dict> <key>TeamIdentifier</key> <string>SGGM6D27TK</string> </dict>

    Note: SGGM6D27TK is Microsoft's Apple Team Identifier, the team that signs the Authenticator SSO extension and the Office apps. Verify it against the current Microsoft documentation for the Azure AD SSO extension before deploying.

  6. Select Save and Publish.

  7. Configure the Authenticator application.

    1. Do not enable sharedDeviceMode for Authenticator. If the key is present in the app configuration, set its value to false under Resources > Apps > Native or Purchased > (select iOS Microsoft Authenticator) > Assign > (select the assignment) > Application Configuration:

      Configuration Key - sharedDeviceMode

      Value Type - Boolean

      Configuration Value - False

      Description - Apps such as Microsoft Teams and Microsoft OneDrive do not support sharedDeviceMode, and enabling it can cause login failures.

What to do next

Configure conditional access on Azure portal for native mail client.

Include Apple Internet Accounts under Cloud apps or actions in your conditional access policy. For more information on creating a conditional access policy, see Create a device-based Conditional Access policy. After applying the policy, restart the device for it to take effect.
