Microsoft Conditional Access

Microsoft Conditional Access is available for applications that use the Microsoft Authentication Library (MSAL). This feature may be extended to applications that support the SSO extension and SafariViewController. Devices running iOS 13 and above can support Microsoft Conditional Access because the iOS native mail client and the iOS Boxer client leverage SafariViewController.

The following steps should be completed to configure the profile.


  1. Go to Resources, navigate to Profiles & Baselines and click on Profiles.
  2. Go to Add, select Apple iOS, and click on Device Profile.
  3. Configure the profile General settings.
  4. Configure the SSO Extension payload.
  5. Configure the profile settings.
  • Extension Type: Select the type of SSO extension for the application. If Generic is selected, provide the Bundle ID of the application extension that performs SSO for the designated URLs in the Extension Identifier field. If Kerberos is selected, provide the Active Directory Realm and Domains.
  • Generic SSO extension type settings are recommended.
  • Extension Identifier: Provide the Team Identifier of the application extension that performs SSO for the specified URLs.
    Enter com.microsoft.azureauthenticator.ssoextension as a best practice.
  • Type: Choose either Credential or Redirect as the extension type. The Credential extension is used for challenge/response authentication. The Redirect extension can be used for OpenID Connect, OAuth, and SAML authentication. Selecting Redirect as the extension type is considered a good practice.
  • URLs: Provide one or more URL prefixes of identity providers where the application extension performs SSO. Enter the following as a best practice:
  • Additional Settings: Where the application extension performs SSO, provide one or more URL prefixes of identity providers.
    Provide the following as a best practice:
      <dict>
        <key>TeamIdentifier</key>
        <string>SGGM6D27TK</string>
      </dict>
    Note: For Office apps, SGGM6D27TK is the identifier.

  6. Select Save and Publish.

  7. Configure the Authenticator application.

Do not use shared device mode as a configuration key. If the configuration key value is set, configure it to be false by navigating to Resources, selecting Apps, clicking on Native or Purchased, selecting iOS Microsoft Authenticator, going to Assign, selecting Assignment Name, and clicking on Application Configuration.

  • Value Type – Boolean
  • Configuration Key – {sharedDeviceMode}
  • Configuration Value – False
  • Description – sharedDeviceMode should not be used. Apps like Microsoft OneDrive or Microsoft Teams do not support sharedDeviceMode, and using it could result in a login failure.
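
One way to check an exported profile against the settings in the steps above, as an added example that is not part of the original page or of any vendor tooling. It assumes the profile is exported as a .mobileconfig plist whose SSO payload uses Apple's com.apple.extensiblesso payload type with TeamIdentifier as a payload key; the function names, the https-only check and the idp.example.com URL are constructed for illustration.

```python
import plistlib

# Values recommended in the steps above.
EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
TEAM_ID = "SGGM6D27TK"
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"  # Apple's SSO extension payload type

def audit_sso_profile(profile_bytes):
    """Return findings for every SSO extension payload in a .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SSO_PAYLOAD_TYPE]
    if not payloads:
        return ["profile has no SSO extension payload"]
    findings = []
    for p in payloads:
        # Case-insensitive comparison is a choice made for this example.
        if p.get("ExtensionIdentifier", "").casefold() != EXTENSION_ID:
            findings.append("ExtensionIdentifier is not the Authenticator SSO extension")
        if p.get("Type") != "Redirect":
            findings.append(f"Type is {p.get('Type')!r}, the steps recommend Redirect")
        if p.get("TeamIdentifier") != TEAM_ID:
            findings.append("TeamIdentifier is missing or differs from the steps")
        urls = p.get("URLs") or []
        if not urls:
            findings.append("no URLs listed for the extension")
        # Requiring https is an extra check added by this example.
        findings += [f"URL prefix {u} is not https" for u in urls
                     if not u.lower().startswith("https://")]
    return findings

def audit_app_config(app_config):
    """Check the Authenticator application configuration key from step 7."""
    if app_config.get("sharedDeviceMode", False) is not False:
        return ["sharedDeviceMode is set to a value other than Boolean false"]
    return []

def build_profile(**overrides):
    """Constructed sample profile; idp.example.com is a placeholder URL."""
    payload = {"PayloadType": SSO_PAYLOAD_TYPE, "ExtensionIdentifier": EXTENSION_ID,
               "TeamIdentifier": TEAM_ID, "Type": "Redirect",
               "URLs": ["https://idp.example.com/"]}
    payload.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

if __name__ == "__main__":
    for name, blob in [("recommended", build_profile()),
                       ("weak", build_profile(Type="Credential", URLs=["http://idp.example.com/"]))]:
        print(name, audit_sso_profile(blob) or "OK")
    print("app config", audit_app_config({"sharedDeviceMode": True}))
```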

What to do next

Configure conditional access on the Azure portal for the native mail client.

Under Cloud apps or actions in the conditional access policy, include Apple Internet Accounts. The admin may need to restart the device after applying the policy for it to take effect.


  • Barry Allen

    A Full Stack Developer with 10+ years of experience in different domain including SAP, Blockchain, AI and Web Development.
