Conditional Access policies in Azure AD

In Azure AD, Conditional Access policies use Compliance data by integrating Workspace ONE UEM with Microsoft. Customers are enabled to use Workspace ONE UEM device data using Workspace ONE UEM integration with Microsoft, such as device compliance state in the Azure AD conditional access policies. The integration provides this ability for individual Office 365 applications to set different conditional access policies. Platform aid for this feature is limited to Windows 10 OOBE, iOS, and Android-enrolled devices.

If the device is not compliant and unmanaged, the admin can restrict access to individual Office 365 applications. For instance, while restricting access to OneDrive to only managed and compliant devices, the admin can opt to enable users to access Microsoft Word on any device.

Note: Workspace One currently does not support Government Cloud Computing (GCC), FedRamp Workspace ONE UEM environment, and GCC high Azure environment.

Prerequisites

  1. Go to Monitor, navigate to Intelligence, select check on the Opt-in box, and complete the process. The admin does not need the VMware Workspace ONE Intelligence license to enable the integration.
  2. ETL connector is required to be connected and installed to the nearest Intelligence data center, although this feature also aids for on-premise Workspace ONE UEM environment.
    Note: It is important that the admin opens the VMware Workspace ONE Intelligence network and creates a publicly resolvable URL for the UEM console to reach the publicly available console URL over port 443.
  3. Workspace ONE Intelligent Hub 20.3 or higher.
  4. Ensure the admin installs and registers Microsoft Authenticator for all the iOS and Android legacy devices.
  5. All Microsoft Authenticator, Android enterprise devices, and all the applications used for conditional access must be pushed to the device as a managed app.
  6. The Microsoft Intune licenses must be designated to the users, and a valid subscription is required to Microsoft Intune and supported by this integration.

 

Warning

Under the following circumstances, the admin cannot disable or re-enable the integration:

  • If the admin removes the partner compliance management from the VMware Workspace ONE mobile compliance partner in the Azure Active Directory.
  • From Azure Active Directory, if the admin removes Workspace ONE Conditional Access app.

Complete the following if the admin wants to disable the integration:

  • In the Workspace ONE UEM console, disable conditional access settings.
  • In the Azure Active Directory, look up for and manually remove the security groups the existing device records.

Complete the following if the admin is making changes on the Azure device partner compliance.

  • To sync the latest information from the Azure portal, go to Groups & Settings, navigate to All Settings, click on system, select Enterprise Integration, go to Directory Service, and select Sync Azure Services.

Procedure

  1. Log in to the Azure portal as an admin. For the Android and iOS device types, add VMware Workspace ONE mobile compliance as a device partner. In the Microsoft Intune documentation, see support third-party device compliance partners for more information.
  2. In the Workspace ONE UEM console, go to Groups & Settings, navigate to All Settings, click on System, select Enterprise Integration and click on Directory Services.
  3. In the Directory ID text box, enter Azure Directory ID. Within the Azure AD Directory Instance URL, the Azure Directory ID is found. For example, Only the last section 0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n is your Directory ID if the URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n
    Note: Currently, Workspace One only supports mapping one Workspace ONE UEM Customer OG to one Azure tenant.
  4. The use of Azure AD is enabled for compliance.
    Note: Only for a customer OG, this setting is visible. Child OGs are not visible in the user interface, although they inherit this setting.
    For authenticating the Azure AD, a pop-up menu appears that redirects the admin to Microsoft.
  5. Click on Proceed. The admin is directed to a Microsoft web page to authenticate and approve your permit.
  6. The permissions are accepted. The Workspace ONE conditional access app is available on the Azure portal once accepted permissions. Admin must manually add and configure the AirWatch By VMware application for the Windows OOBE device type.
  7. Complete the integration by going to the Workspace ONE UEM console. If the permissions have been accepted, UEM performs a validation. A pop-up box appears. The complete integration step is disabled if the admin does not accept the permissions required in step 6. The complete integration step upon completing the steps will be active, and if the admin has accepted the permissions in step 6, a success message is displayed.
    After the integration is complete, a success message is displayed. Navigate to Azure AD once the admin has successfully completed the integration to configure conditional access policies. Select On to enable the desired policy under Enable Policy.
    Note: Only when users attempt to run an application with an AAD conditional access policy applied to it, they are blocked and redirected to register their Workspace ONE enrolled devices with Intune and AAD. Users are not directed through registration by configuring Azure AD conditional access policies as Report Only.
  1. The Sync button syncs the information if any changes are made to the Device partner compliance page in Intune.
  2. The admin can Resync the data by clicking Re-sync to manually send the management state of the device to Azure and the device’s compliance state.
    Note: Once the resync is completed, it is greyed for the next four hours.
  3. Navigate to Azure AD to configure conditional access policies once the admin has successfully completed the migration. Select On to enable the desired policy under Enable Policy.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.