Integrating Workspace ONE and Azure AD Conditional Access

From late 2020, Workspace ONE has been able to provide device posture information to Azure Active Directory (AD) so it can be used as part of Azure AD’s powerful Conditional Access capabilities.

The purpose of this article is to revalidate this integration for one of my customers (since this capability has been available for over a year now); the steps I followed are documented below.

This blog article references the following two excellent sources of information:

The following diagram details the data flow of how this works. Taken from this announcement blog article.

How it works flow diagram

Prerequisites

  • Workspace ONE UEM 2010 or higher
  • Navigate to Monitor > Intelligence, select the Opt-in box, and complete the process. For more information, see VMware Workspace ONE Intelligence documentation. You do not need the VMware Workspace ONE Intelligence license to enable the integration.
  • For iOS, Android, and Windows devices, require Workspace ONE Intelligent Hub 20.3 and later.
  • For macOS, require Workspace ONE Intelligent Hub 21.11 and later.
  • Require a valid subscription to Microsoft Intune. Assign the Microsoft Intune licenses to users supported by this integration. For more information, see the Microsoft subscription.

Enabling Partner Compliance Management in Microsoft Endpoint Manager

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Go to Tenant Administration > Connectors and Tokens > Partner Compliance management > Add Compliance Partner.
Partner Compliance management

  3. Select VMware Workspace ONE mobile compliance and your required platform as shown:

  4. Click Next.

  5. Add the required Azure AD group or select Add all Users and click Next.

  6. Review the final settings and click Create.

  7. Repeat the above process for the other platforms as required, i.e. Android, macOS.

  8. The Partner compliance management page should then look similar to the following:

Enabling compliance data in Azure from Workspace ONE UEM

If required, setup Azure AD with Workspace ONE UEM by following the instructions from the article Integrating Microsoft Azure Active Directory (AAD) with Workspace ONE UEM on Techzone.

  1. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
  2. Enable Use Compliance Data in Azure AD for Conditional Access Policies.

Note: This setting is visible only for a customer OG. Child OGs inherit this setting, but it is not visible in their user interface.

  3. For Windows: enable Use Compliance Data in Azure for Conditional Access Policies for Windows.
  4. For iOS, Android, and macOS: enable Use Compliance Data in Azure Conditional Access Policies for iOS, Android and macOS. See the following:

  5. Workspace ONE UEM performs a validation. After accepting permissions, a pop-up box displays. Click Proceed and log in to Azure AD if required.

  6. Click Accept to review and enable this integration.

  7. You will be shown the following message when the integration has been activated.

  8. Within the UEM console, click Complete.

  9. You should then see the following options within your UEM console:

Deploy Microsoft Authenticator

Microsoft Authenticator is required on your devices for this capability to work. The Microsoft Authenticator app on the device is used to register an AAD device object. Therefore, you can use Workspace ONE UEM to deploy this application to all of your devices.

Sacha, in his blog article, details how you can send a registration link to your end users, which makes for a nicer end-user experience than simply enabling Conditional Access (below) and letting users discover the requirement when they are blocked.

Creating your Azure AD Conditional Access Policy

We’ll now create an Azure AD Conditional Access Policy to ensure that only compliant devices can access Office 365.

  1. Log on to your Azure admin portal.
  2. Select Azure Active Directory > Security > Conditional Access.
  3. Create an Azure AD Conditional Access Policy as shown:
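The same policy expressed through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed; the group names WS1-Managed-Users and CA-Exclusions are placeholders for your own Azure AD groups, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original article). Requires: Install-Module Microsoft.Graph
# Connect with the delegated scopes needed to read groups and manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Placeholder group names: replace with the groups used in your tenant.
$targetGroup  = Get-MgGroup -Filter "displayName eq 'WS1-Managed-Users'"
$excludeGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclusions'"   # e.g. break-glass accounts

$policy = @{
    displayName = "Require Workspace ONE compliant device for Office 365"
    # Report-only: the policy is evaluated and logged but not enforced until you set state = "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "Office365" is the built-in application group covering the Office 365 suite.
        applications   = @{ includeApplications = @("Office365") }
        users          = @{
            includeGroups = @($targetGroup.Id)
            excludeGroups = @($excludeGroup.Id)
        }
        # The platforms for which Workspace ONE UEM sends compliance data to Azure AD.
        platforms      = @{ includePlatforms = @("iOS", "android", "windows", "macOS") }
        clientAppTypes = @("all")
    }
    # The only grant control: the Azure AD device object must be marked compliant,
    # which is the flag Workspace ONE UEM sets through the Partner Compliance integration.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```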

User experience for registering devices

The user experience for registering a device with Azure AD (using the Authenticator) is shown as follows:

Device compliance status shown in Azure AD

Device compliance is shown in Workspace ONE UEM as follows:

The device compliance is updated quite quickly into Azure AD as follows:
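To verify from the Azure AD side that the compliance flag has actually been written for your registered devices, here is an added example using the Microsoft Graph PowerShell SDK (not code from the original article). It assumes the Microsoft.Graph module is installed and an account with the Device.Read.All permission.

```powershell
# Added example (not from the original article). Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Device.Read.All"

# Pull every device object with the properties Conditional Access evaluates.
$devices = Get-MgDevice -All -Property Id, DisplayName, OperatingSystem, IsCompliant, IsManaged, TrustType, ApproximateLastSignInDateTime

# Devices registered via Microsoft Authenticator appear with TrustType "Workplace" (Azure AD registered).
# IsCompliant is the flag Workspace ONE UEM writes through the Partner Compliance integration;
# IsManaged indicates the object is under MDM/partner management.
$report = $devices |
    Select-Object DisplayName, OperatingSystem, TrustType, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Sort-Object IsCompliant, DisplayName

$report | Format-Table -AutoSize

# Anything listed here will be blocked by a policy that grants access only to compliant devices.
$nonCompliant = @($report | Where-Object { -not $_.IsCompliant })
"{0} device object(s) currently not marked compliant in Azure AD" -f $nonCompliant.Count
```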

User experience for non-compliant devices

When a user attempts to open an Office mobile application and their device is not compliant, they will be shown the following message from Azure:

Once the device is compliant, they will then have seamless access into those Office mobile applications.

That’s it! You’ve now integrated Workspace ONE UEM with Azure AD conditional access. If you have any questions check out the updated Workspace ONE Community discussion here.
