Integrating Workspace ONE and Azure AD Conditional Access

From late 2020, Workspace ONE has been able to provide device posture information to Azure Active Directory (AD) so it can be used as part Azure AD’s powerful Conditional Access capabilities.

The purpose of this article was revalidate this integration for one of my customers (since this capability has been available for over a year now) which I’ve documented in this article.

This blog article references the following two excellent sources of information:

• Workspace One UEM 3rd party compliance integration – Microsoft Graph API by Sacha Warno. Sacha kindly tested and documented this capability when this service first became available.
  
• Use Compliance Data in Azure AD Conditional Access Policies (VMware official documentation)

The following diagram details the data flow of how this works. Taken from this announcement blog article.

Prerequisites

• Workspace ONE UEM 2010 or higher
• Navigate to Monitor > Intelligence, select the Opt-in box, and complete the process. For more information, see VMware Workspace ONE Intelligence documentation. You do not need the VMware Workspace ONE Intelligence license to enable the integration.
• For iOS, Android, and Windows devices, require Workspace ONE Intelligent Hub 20.3 and later.
• For macOS, require Workspace ONE Intelligent Hub 21.11 and later.
• Require a valid subscription to Microsoft Intune. Assign the Microsoft Intune licenses to users supported by this integration. For more information, see the Microsoft subscription.

Enabling Partner Compliance Management in Microsoft Endpoint Manager

1. Sign in to Microsoft Endpoint Manager admin center
2. Go to Tenant Administration > Connectors and Tokens > Partner Compliance management > Add Compliance Partner.

3. Select VMware Workspace ONE mobile compliance and your required platform as shown:

4. Click Next

5. Add the required Azure AD group or select Add all Users and click Next

6. Review the final settings and click Create

7. Repeat the above process for other platforms as required. ie. Android, macOS.

8. The Partner compliance management should look similar to the following:

Enabling compliance data in Azure from Workspace ONE UEM

If required, setup Azure AD with Workspace ONE UEM by following the instructions from the article Integrating Microsoft Azure Active Directory (AAD) with Workspace ONE UEM on Techzone.

1. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
2. Enable Use Compliance Data in Azure AD for Conditional Access Policies.

Note: This setting is visible only for a customer OG. Child OGs inherit this setting but is not visible in the user interface.

3. For Windows: Enable Use Compliance Data in Azure for Conditional Access Policies for Windows.
4. For iOS, Android, and macOS: Enable Use Compliance Data in Azure Conditional Access Policies for iOS, Android and macOS. See the following:

5. Workspace ONE UEM performs a validation. After accepting permissions, a pop-up box displays. Click Proceed and login to Azure AD if required.

6. Click Accept to review and enable this integration.

7. You will be shown the following message when the integration has been activated.

8. Within the UEM console, click Complete

9. You should then see the following options within your UEM console:

Registering your devices to Azure AD

Windows 10 devices

Windows 10 OOBE/Autopilot devices are automatically registered to Azure AD. So no additional steps are required so that their compliance information is synchronised between Workspace ONE UEM and Azure AD.

iOS, iPadOS devices

Microsoft Authenticator is required on your iOS and iPadOS devices for this capability to work. The Microsoft Authenticator app on the device is used to register an AAD device object.

Therefore, you can use Workspace ONE UEM to deploy this application automatically to all of your mobile devices.

Sacha in his blog article details how you can send out a registration link to your end users, so it’s a nice end user experience (rather than just enabling Conditional Access below). At the time of Sacha writing his blog article, Hub notifications couldn’t include custom URL scheme to start apps, however this is now possible.

So open Workspace ONE Hub Services as shown and select Manage

Click Launch – Notifications – New and Create Notification

Enter a Name such as Mobile AAD Registration (or something user friendly for your staff). Then select Target Audience Type to Platform. Then select iOS and Android as shown.

Click Next. Enter detail as follows:

Scroll down to Links and enter the following details:

Specify Link as the following for iPhone and iPad devices:

airwatch://conditionalaccess?partner=microsoft

Click Next then click Create.

The Informational Notification will be sent to all Apple devices as shown:

Your users will be notified and within the Hub application under the For You tab, will see the following:

When users click Register, it will take them through the steps to register their device with Azure AD. The user experience is shown as follows:

If a user doesn’t pre-register their mobile device, they will be prompted to register their device when appropriate conditional access rules are enabled. For example, the user attempts to open Microsoft 365 (Word) and an Azure AD conditional access rule is defined (see below) that they can only do this from a compliant device. The user experience for registering a iOS device with Azure AD (using the Authenticator) is shown as follows:

Android

The process to register Android devices is the same as Apple devices, but select the Android platform when creating a new Informational notification. Change the text as appropriate for Android devices.

Specify Link as the following for Android devices:

awagent://com.airwatch.androidagent?component=conditionalaccess&partnertype=microsoft

macOS

The process to register Apple Mac devices is the same as iPhone and iPad devices, but select the Mac platform when creating a new Informational notification. Change the text as appropriate for Apple Mac devices.

wsonehub://conditionalaccess?partner=microsoft

Registered devices in Azure AD

Registered devices are visible in Azure AD by logging into the Azure AD portal. Select Devices – See all devices. Then select Activity (sort by latest update as the most current). From the screen capture below from my lab, you can see a registered Mac, iPad and Windows 10 laptop and their Compliance status.

Creating your Azure AD Conditional Access Policy

We’ll now create an Azure AD Conditional Access Policy to ensure that only compliant devices can access Office 365.

1. Logon to your Azure admin portal
2. Select Azure Active Directory – Security – Conditional Access
3. Create an Azure AD Conditional Access Policy as shown:

Device compliance status shown in Azure AD

Device compliance is shown in Workspace ONE UEM as follows:

Registered devices are visible in Azure AD by logging into the Azure AD portal. Select Devices – See all devices. Then select Activity (sort by latest update as the most current). From the screen capture below from my lab, you can see a registered Mac, iPad and Windows 10 laptop and their Compliance status.

User experience for non compliant devices

When a user attempts to open an Office mobile application and their device is not compliant, they will be shown the following message from Azure:

Once the device is compliant, they will then have seamless access into those Office mobile applications.

That’s it! You’ve now integrated Workspace ONE UEM with Azure AD conditional access. If you have any questions check out the updated Workspace ONE Community discussion here.

Updates

21st March – Detailed registration URLs for iOS, iPadOS, Android and macOS including process to send alerts to users via Hub Services