Workspace ONE UEM integration with Microsoft allows customers to use UEM device data such as device compliance status in the Azure AD conditional access policies. The integration gives you the ability to set different conditional access policies for individual Office 365 applications. This feature supports iOS, Android, Windows OOBE enrolled devices, and macOS platforms.
Note: We currently do not support FedRamp Workspace ONE UEM environment, Government Cloud Computing (GCC), or GCC high Azure environment.
The on-premises Workspace ONE UEM environment supports this feature. Using the feature requires that the ETL connector be installed and connected to the nearest Intelligence data center. For more information, see Workspace ONE Intelligence Requirements.
Note: On-premises customers with closed network UEM console environments can now enable Microsoft Azure AD conditional access by enabling feature flag ConditionalAccessClosedNetworkSupportFeatureFlag. With this feature, your closed network UEM console no longer requires a publicly resolvable UEM console URL for VMware Workspace ONE Intelligence to reach out over port 443.
For iOS, Android, and Windows devices, Workspace ONE Intelligent Hub 20.3 or later is required.
For macOS, Workspace ONE Intelligent Hub 21.11 or later is required.
Note: Microsoft Conditional Access for the macOS platform requires the email address of the user account in Workspace ONE UEM to be the same account used to log into the Microsoft application.
Microsoft Authenticator is required on all iOS and Android devices. For Android enterprise devices, configure Microsoft Authenticator and every application used for conditional access as a managed app.
Warning: You cannot deactivate or re-enable the integration under the following circumstances:
If you want to deactivate the integration, complete the following:
If you are making changes on the Azure device partner compliance, complete the following.
You can restrict access to individual Office 365 applications if the device is unmanaged and not compliant. For instance, you can opt to allow users to access Microsoft Word on any device while restricting access to OneDrive to only managed and compliant devices.
Log into the Azure portal as an admin. Add VMware Workspace ONE mobile compliance as a device partner for Android devices and iOS devices. For more information, see support third-party device compliance partners in the Microsoft Intune documentation.
In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
Enter Azure Directory ID in the Directory ID text box.
You can locate the Azure Directory ID by looking at your Azure AD Directory Instance URL. For example, if your URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section 0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n is your Directory ID.
Note: Currently, we only support mapping one Azure tenant to one Workspace ONE UEM Customer OG.
Enable Use Compliance Data in Azure AD for Conditional Access Policies.
Note: This setting is visible only for a customer OG. Child OGs inherit this setting, but it is not visible in their user interface.
For Windows: Enable Use Compliance Data in Azure for Conditional Access Policies for Windows.
For iOS, Android, and macOS: Enable Use Compliance Data in Azure Conditional Access Policies for iOS and Android.
Note: This feature can be used for the macOS platform if previously enabled for iOS and Android. To enable for macOS, add the macOS platform in the Device Partner compliance blade, in the Intune console. To sync, click Sync Azure Services in the Workspace ONE UEM console.
Navigate to the Workspace ONE UEM console and complete the integration.
UEM performs a validation. After accepting permissions, a pop-up box displays. If you do not accept the permissions in Step 7, the complete integration step is dimmed.
The complete integration step is active after accepting permissions in Step 7. A success message displays after completing the step.
A success message is displayed after the integration is complete. Once you have successfully completed the integration, navigate to Azure AD to configure conditional access policies. Under Enable Policy, select On to enable the desired policy. For more information, see Create a device-based Conditional Access policy.
Note: Users are blocked, and redirected to register their Workspace ONE enrolled devices with Intune and AAD only when they attempt to run an application with an AAD conditional access policy applied to it. Configuring Azure AD conditional access policies as Report Only does not direct users through registration.
The Sync button syncs the information when there are changes to the Device partner compliance page in Intune.
To send the compliance state of the device and the management state of the device to Azure manually, re-sync the data by clicking Re-sync.
Note: Re-sync is not available for 4 hours after it completes.
Microsoft Conditional Access is available for applications that contain the Microsoft Authentication Library (MSAL). This feature can be extended to applications that support SafariViewController and the SSO extension. Since the iOS Boxer client and the iOS native mail client use SafariViewController, they can support Microsoft Conditional Access on iOS 13 and later devices.
Complete the following steps to configure the profile.
Navigate to Resources > Profiles & Baselines > Profiles.
Select Add > Apple iOS > Device Profile.
Configure Profile General settings.
Select SSO Extension payload.
Configure the profile settings.
| Settings | Description | Recommended Settings |
|---|---|---|
| Extension Type | Select the type of SSO extension for the application. If Generic is selected, provide the Bundle ID of the application extension that performs SSO for the specified URLs in the Extension Identifier field. If Kerberos is selected, provide the Active Directory Realm and Domains. | Generic SSO extension type settings. |
| Extension Identifier | Enter the Team Identifier of the application extension that performs SSO for the specified URLs. | As a best practice, you can enter com.microsoft.azureauthenticator.ssoextension. |
| Type | Select either Credential or Redirect as the extension type. A Credential extension is used for challenge/response authentication. A Redirect extension can use OpenID Connect, OAuth, and SAML authentication. | It is a best practice to select Redirect as the extension type. |
| URLs | Enter one or more URL prefixes of identity providers where the application extension performs SSO. | As a best practice, you can enter the following: https://login.microsoftonline.com, https://login.windows.net, https://sts.windows.net, https://login.microsoft.com |
| Additional Settings | Enter any additional settings for the extension as a property list dictionary. | As a best practice, you can enter the following: <dict> <key>TeamIdentifier</key> <string>SGGM6D27TK</string> </dict> |
Note: SGGM6D27TK is the identifier for Office apps.
Select Save and Publish.
Configure the Authenticator application.
Do not use sharedDeviceMode as a configuration key. If the configuration key value is set, configure the value to be false under Resources > Apps > Native or Purchased > Select iOS Microsoft Authenticator > Assign > Select Assignment Name > Application Configuration.
Configuration Key - sharedDeviceMode
Value Type - Boolean
Configuration Value - False
Description - Do not use sharedDeviceMode. Apps like Microsoft Teams or Microsoft OneDrive do not support sharedDeviceMode, and setting it could result in login failure.
Configure conditional access on Azure portal for native mail client.
Include Apple Internet Accounts under Cloud apps or action in your conditional access policy. For more information on creating a conditional access policy, see Create a device-based Conditional Access policy. After applying the policy, restart the device to take effect.