Use Compliance Data in Azure AD Conditional Access Policies

Workspace ONE UEM integration with Microsoft allows customers to use UEM device data such as device compliance status in the Azure AD conditional access policies. The integration gives you the ability to set different conditional access policies for individual Office 365 applications. This feature supports iOS, Android, Windows OOBE enrolled devices, and macOS platforms.

Prerequisites

Note: Workspace ONE on AWS GovCloud information system has a FedRAMP accreditation level of Moderate. Conditional Access is not FedRAMP authorized and could present risk. For more information, see FedRAMP Consideration.

This screenshot shows the introduction and opt-in screen for Workspace ONE Intelligence.

  1. Navigate to Monitor > Intelligence, select the Opt-in box, and complete the process. For more information, see VMware Workspace ONE Intelligence documentation. You do not need the VMware Workspace ONE Intelligence license to enable the integration.
  2. The on-premises Workspace ONE UEM environment supports this feature. Using the feature requires the ETL connector be installed and connected to the nearest Intelligence data center. For more information, see Workspace ONE Intelligence Requirements.

    Note: On-premises customers with closed network UEM console environments can now enable Microsoft Azure AD conditional access by enabling feature flag ConditionalAccessClosedNetworkSupportFeatureFlag. With this feature, your closed network UEM console no longer requires a publicly resolvable UEM console URL for VMware Workspace ONE Intelligence to reach out over port 443.

  3. For iOS, Android, and Windows devices, require Workspace ONE Intelligent Hub 20.3 or later.

  4. For macOS, require Workspace ONE Intelligent Hub 21.11 or later.

    Note: Microsoft Conditional Access for the macOS platform requires the email address of the user account in Workspace ONE UEM to be the same account used to log into the Microsoft application.

  5. Microsoft Authenticator is required for all iOS and Android devices. For Android Enterprise devices, configure Microsoft Authenticator and all applications used for conditional access as managed apps.

    As a best practice, consider preparing all targeted devices with a way to self-register by adding platform-specific registration web links.

    a) Move to the organization group that manages the devices you want to target.

    b) Navigate to Resources > Apps > Web Links and select the Add Application button.

    c) In the Details tab, for Name, enter Register Device MSFT Compliance.

    d) For URL, enter the platform-specific destination.

    • For iOS and macOS - airwatch://conditionalaccess?partner=microsoft

    This partial screenshot shows the Details tab for adding an Apple weblink.

    • For Android - awagent://com.airwatch.androidagent?component=conditionalaccess&partnertype=microsoft

    This partial screenshot shows the Details tab for adding an Android weblink.

    e) In the Assignment tab, select a smart group that contains all the devices managed by the OG you selected in step 5a.

    f) For Push Mode, enable the Auto option.

    This partial screenshot shows the Assignment tab for adding an Apple weblink.

    This partial screenshot shows the Assignment tab for adding an Android weblink.

    g) Select the Save and Publish button.

    h) Repeat steps 5a through 5g for each platform you want to target.

    Instruct users to register the device during the rollout phase of the feature. Later, with AAD CA already active, users should again use the web link to register newly enrolled devices before accessing any Microsoft resources on them.

  6. Require a valid subscription to Microsoft Intune. Assign Microsoft Intune licenses to the users supported by this integration. For more information, see the Microsoft subscription documentation.

Warning: You cannot deactivate or re-enable the integration under the following circumstances:

  • If you remove the VMware Workspace ONE mobile compliance partner from partner compliance management in Azure Active Directory.
  • If you remove the Workspace ONE Conditional Access app from the enterprise applications in Azure Active Directory.

If you want to deactivate the integration, complete the following:

  • Deactivate the conditional access settings in the Workspace ONE UEM console.
  • Review the security group and manually remove the existing device records from Azure Active Directory.

If you make changes to the Azure device partner compliance settings, complete the following:

  • Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Service > Sync Azure Services to sync the latest information from the Azure portal.

You can restrict access to individual Office 365 applications if the device is unmanaged and not compliant. For instance, you can opt to allow users to access Microsoft Word on any device while restricting access to OneDrive to only managed and compliant devices.

Procedure

  1. Log into the Azure portal as an admin. Add VMware Workspace ONE mobile compliance as a device partner for Android devices and iOS devices. For more information, see Support third-party device compliance partners in the Microsoft Intune documentation.

    Set up the AAD CA policies to allow access to Office 365 apps only from managed devices. Set up the policy for iOS and Android and for modern authentication apps to allow only compliant devices.

    This partial screenshot shows the Azure console iOS Compliance configuration screen.

  2. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.

  3. Enter Azure Directory ID in the Directory ID text box.

    You can locate the Azure Directory ID by looking at your Azure AD Directory Instance URL. For example, if your URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section 0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n is your Directory ID.

    Note: Currently, only one Azure tenant can be mapped to one Workspace ONE UEM Customer OG.

  4. Enable Use Compliance Data in Azure AD for Conditional Access Policies.

    Note: This setting is visible only for a customer OG. Child OGs inherit the setting, but it is not visible in their user interface.

  5. For Windows: Enable Use Compliance Data in Azure for Conditional Access Policies for Windows.

  6. For iOS, Android, and macOS: Enable Use Compliance Data in Azure Conditional Access Policies for iOS and Android.

    Note: This feature can be used for the macOS platform if previously enabled for iOS and Android. To enable for macOS, add the macOS platform in the Device Partner compliance blade, in the Intune console. To sync, click Sync Azure Services in the Workspace ONE UEM console.

  7. Navigate to the Workspace ONE UEM console and complete the integration.

    UEM performs a validation, and a pop-up box prompts you to accept permissions. The Complete Integration step stays dimmed until you accept the permissions and becomes active once you do. A success message displays after you complete the step.

    Once the integration is complete, navigate to Azure AD to configure conditional access policies. Under Enable Policy, select On to enable the desired policy. For more information, see Create a device-based Conditional Access policy.

    Note: Users are blocked and redirected to register their Workspace ONE enrolled devices with Intune and AAD only when they attempt to run an application that has an AAD conditional access policy applied to it. Configuring Azure AD conditional access policies as Report Only does not direct users through registration.

  8. The Sync button syncs the information when there are changes to the Device partner compliance page in Intune.

  9. To send the compliance state of the device and the management state of the device to Azure manually, re-sync the data by clicking Re-sync.

    Note: Re-sync is not available for 4 hours after it completes.

Configure MS Conditional Access For Workspace ONE Boxer and iOS Native Mail

Microsoft Conditional Access is available for applications that contain the Microsoft Authentication Library (MSAL). This feature can be extended to applications that support SafariViewController and the SSO extension. Because the iOS Boxer client and the iOS native mail client use SafariViewController, they can support Microsoft Conditional Access on iOS 13 and later devices.

Complete the following steps to configure the profile.

This screenshot shows the Profiles screen in Resources, Profiles & Baselines, which enables you to create an iOS device profile using MS Conditional Access.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles.

  2. Select Add > Apple iOS > Device Profile.

  3. Configure Profile General settings.

  4. Select SSO Extension payload.

  5. Configure the profile settings.

    This screenshot shows the SSO Extension payload screen for an iOS device profile, prepopulated with the best practice settings for MS Conditional Access.

    Settings, descriptions, and recommended values for the SSO Extension payload:

    Extension Type
      Description: Select the type of SSO extension for the application. If Generic is selected, provide the Bundle ID of the application extension that performs SSO for the specified URLs in the Extension Identifier field. If Kerberos is selected, provide the Active Directory Realm and Domains.
      Recommended setting: Generic.

    Extension Identifier
      Description: Enter the Team Identifier of the application extension that performs SSO for the specified URLs.
      Recommended setting: com.microsoft.azureauthenticator.ssoextension

    Type
      Description: Select either Credential or Redirect as the extension type. A Credential extension is used for challenge/response authentication. A Redirect extension can use OpenID Connect, OAuth, and SAML authentication.
      Recommended setting: Redirect.

    URLs
      Description: Enter one or more URL prefixes of identity providers where the application extension performs SSO.
      Recommended setting:
        https://login.microsoftonline.com
        https://login.windows.net
        https://sts.windows.net
        https://login.microsoft.com

    Additional Settings
      Description: Enter any additional settings the application extension requires, as a property-list dictionary.
      Recommended setting:
        <dict>
          <key>TeamIdentifier</key>
          <string>SGGM6D27TK</string>
        </dict>

    Note: SGGM6D27TK is the identifier for Office apps.

  6. Select Save and Publish.

  7. Configure the Authenticator application.

    1. Do not use sharedDeviceMode as a configuration key. If the configuration key is already set, set its value to false under Resources > Apps > Native or Purchased > Select iOS Microsoft Authenticator > Assign > Select Assignment Name > Application Configuration.

      Configuration Key - sharedDeviceMode

      Value Type - Boolean

      Configuration Value - False

      Description - Do not use sharedDeviceMode. Apps like Microsoft Teams or Microsoft OneDrive do not support sharedDeviceMode, and enabling it can result in login failure.
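The SSO Extension payload settings in step 5 assembled as an Apple Extensible SSO payload and checked against the recommended values. This is an added example, not code from VMware or the Workspace ONE UEM product; the com.example identifiers are constructed, and mapping the UEM fields onto Apple's com.apple.extensiblesso keys (ExtensionIdentifier, Type, URLs, ExtensionData) is an assumption.

```python
import plistlib
import uuid

# Recommended values from this page (Apple com.apple.extensiblesso keys); the com.example ids are constructed.
EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
IDP_URLS = [
    "https://login.microsoftonline.com",
    "https://login.windows.net",
    "https://sts.windows.net",
    "https://login.microsoft.com",
]
OFFICE_TEAM_ID = "SGGM6D27TK"  # identifier for Office apps, per the page

def build_sso_payload() -> dict:
    """Build the Extensible SSO payload with the page's recommended settings."""
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.msft",
        "PayloadUUID": str(uuid.uuid4()),
        "ExtensionIdentifier": EXTENSION_ID,
        "Type": "Redirect",
        "URLs": list(IDP_URLS),
        "ExtensionData": {"TeamIdentifier": OFFICE_TEAM_ID},
    }

def to_mobileconfig(payload: dict) -> bytes:
    """Wrap the payload in a top-level profile and serialise it as plist XML (.mobileconfig)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile.msft-ca",
                           "PayloadUUID": str(uuid.uuid4()), "PayloadContent": [payload]})

def sso_payloads(mobileconfig: bytes) -> list:
    """Parse a .mobileconfig and return only its Extensible SSO payloads."""
    return [p for p in plistlib.loads(mobileconfig).get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.extensiblesso"]

def check_sso_payload(payload: dict) -> list:
    """Return findings; an empty list means the payload matches the recommendations."""
    findings = []
    if payload.get("ExtensionIdentifier") != EXTENSION_ID:
        findings.append("ExtensionIdentifier is not the Authenticator SSO extension")
    if payload.get("Type") != "Redirect":
        findings.append("Type should be Redirect, not Credential")
    urls = payload.get("URLs") or []
    findings += [f"missing IdP URL prefix {u}" for u in IDP_URLS if u not in urls]
    findings += [f"non-HTTPS URL prefix {u}" for u in urls if not u.startswith("https://")]
    if payload.get("ExtensionData", {}).get("TeamIdentifier") != OFFICE_TEAM_ID:
        findings.append("ExtensionData.TeamIdentifier is not the Office apps identifier")
    return findings
```

Running check_sso_payload over the payloads returned by sso_payloads lets you audit an exported profile before publishing it.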

What to do next

Configure conditional access in the Azure portal for the native mail client. Include Apple Internet Accounts under Cloud apps or actions in your conditional access policy. For more information on creating a conditional access policy, see Create a device-based Conditional Access policy. After applying the policy, restart the device for it to take effect.

You can also configure Shared Device Mode (SDM) for Microsoft Azure Conditional Access Policies on Android Devices.
