Integrating MaaS360 with Microsoft to enforce device compliance through Azure AD Conditional Access

Microsoft Azure AD Conditional Access ensures that only trusted users from compliant and managed devices can access Microsoft-approved apps and services.

About this integration

This integration allows the syncing of device compliance information to an Azure AD tenant to support using MaaS360 Device Trust information in Azure AD Conditional Access rules. This integration is enabled by the Microsoft Endpoint Manager Partner Compliance Management capability. For more information on this capability, see https://docs.microsoft.com/mem/intune/protect/device-compliance-partners.

With this feature, MaaS360® uses the MS Graph API to sync device compliance information to Azure Active Directory (Azure AD) allowing Azure AD Conditional Access rules to use the MaaS360 Device status. Azure AD Conditional Access allows administrators to control and manage access to data (both personal data and the organization’s data) from BYOD and organization-owned devices.
Note: The Azure AD Conditional Access integration must be enabled in your MaaS360 Portal. Contact Customer Service or your Account Manager for activation.

Environment

  • Azure AD Conditional Access requires an Azure AD Premium subscription.
  • Device registration and user participation for device compliance require a Microsoft Intune license. The Intune license must be assigned to target device users.
  • You must have the Microsoft Authenticator app installed on iOS and Android devices. Push this app as a managed app from the MaaS360 App Catalog. The Microsoft Authenticator app is required to register the device in Azure AD.
  • A valid subscription to Microsoft Intune. The Microsoft Intune licenses must be assigned to users supported by this integration.

Configuration

You can configure this integration using one of the following methods:
  • Configure for all users: With this configuration, all devices in the organization are prompted to register. This configuration method only works on devices that complete the registration process.

  • Configure specific groups: With this configuration, you must configure Azure Visibility, which provides visibility for user group associations. For more information, see Configuring Azure AD integration with MaaS360.

    You can only configure this service for Azure AD groups that are managed by MaaS360. See step 4 in Configuring Azure AD integration with MaaS360.

Onboarding workflow

  1. Go to https://endpoint.microsoft.com and sign in to your Microsoft Azure account using your Azure credentials. The Azure Portal is displayed.
  2. From the Microsoft Endpoint Manager admin center, select Tenant administration > Connectors and tokens > Partner compliance management.
  3. Click Add compliance partner.
    [Screenshot: Add compliance partner screen]
    The Create Compliance Partner screen is displayed.
    1. Go to the Basics tab and select IBM MaaS360 from the compliance partner list. Choose Android from the platform list, and then click Next.
    2. In the Assignments tab, select Included groups > Assign to > All users, and then click Next.
    3. In the Review + create tab, review the settings and then click Create.
      [Screenshot: Create compliance partner screen]
      A message is displayed confirming that the compliance partner was created (tenant metadata is created in Intune). The Partner compliance management preview page lists the partner-managed Android devices for IBM® MaaS360.
      [Screenshot: Connectors and tokens screen]
  4. To configure partner-managed iOS devices, repeat step 3, but choose iOS in sub-step 1. Click Refresh on the Partner compliance management preview page and then continue with step 5.
  5. Log in to the MaaS360 Portal with your administrator username and password credentials.
  6. From the MaaS360 Portal Home page, go to Setup > Azure Integration.
  7. Select the Device compliance status sync for Android and iOS checkbox, and then provide the Tenant ID (the unique identifier for the Azure Active Directory instance) and the Client ID for the Azure account that is enabled with the Intune license.

    For detailed steps on registering the MaaS360 app in the Azure AD tenant and generating the Client ID (Application ID), see Registering MaaS360 app in the Azure AD tenant.

    For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.

    [Screenshot: Azure AD configuration screen]
  8. Click Configure. You are prompted to sign in to the Microsoft Azure Portal.
  9. Select your Azure AD account from the list. The Permissions requested message for the unverified MaaS360 Azure Device Compliance Data Update is displayed.
    [Screenshot: Permissions requested screen]
  10. Review the message and click Accept to allow the MaaS360 app permissions to specific resources from all users in your organization.
    • If authentication is successful, the message "Registration is successful. Window will automatically close in 5 seconds" is displayed, and you are redirected back to the MaaS360 Portal.
    • If the message "Registration has failed. Window will automatically close in 5 seconds" is displayed, review the settings that you configured in steps 1 to 7.
  11. Go to Setup > Azure Integration. Under the Device compliance status sync for Android and iOS section, click Select groups.
    [Screenshot: Summary groups page]

    The Select user groups screen is displayed.

  12. From this screen, select the user groups that you want to configure:
    • If you want to configure the service for all users, type All users in the Select Azure AD user group name field. The All users user group is automatically populated in the drop-down list.
      [Screenshot: Select user groups screen]

      Select the user group and click Save.

    • If you want to configure specific Azure AD user groups, start typing the group name in the Select Azure AD user group name field; matching groups from the list of MaaS360-managed Azure AD groups are suggested in the drop-down list.

      Select the groups and click Save.

      Note: You can configure up to 10 groups.

      You can only configure Azure AD groups that are managed by MaaS360. To view a list of groups, select Users > Groups.

      [Screenshot: Select groups screen]

      For more information, see step 4 in Configuring Azure AD integration with MaaS360.
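After the sync is configured, an administrator will want to confirm that Azure AD device objects for the Android and iOS devices actually carry a compliance state, because a Conditional Access rule that requires a compliant device treats a device with no reported state the same as a non-compliant one. The following script is an added example and is not MaaS360 or Microsoft code. It assumes a Microsoft Graph access token with the Device.Read.All permission supplied in a GRAPH_TOKEN environment variable (an assumption of this example); when no token is present it runs offline against a constructed sample response so the bucketing logic can be seen working.

```python
"""Post-onboarding check: which Azure AD device objects carry a compliance state.

Added example, not MaaS360 or Microsoft code. Assumptions: a Microsoft Graph
access token with the Device.Read.All permission is available in the
GRAPH_TOKEN environment variable; with no token, the constructed sample below
stands in for the Graph response so the script runs offline.
"""
import json
import os
import urllib.request

# Graph endpoint for directory device objects; the $select list names
# documented properties of the device resource. isCompliant is the value
# that the MaaS360 partner sync populates.
GRAPH_DEVICES_URL = (
    "https://graph.microsoft.com/v1.0/devices"
    "?$select=displayName,operatingSystem,isCompliant,isManaged,trustType"
)

# Constructed sample shaped like a /devices response; every value is made up.
SAMPLE_RESPONSE = {
    "value": [
        {"displayName": "android-sales-01", "operatingSystem": "Android",
         "isCompliant": True, "isManaged": True, "trustType": "Workplace"},
        {"displayName": "iphone-sales-02", "operatingSystem": "iOS",
         "isCompliant": False, "isManaged": True, "trustType": "Workplace"},
        # Registered through Authenticator but no compliance state synced yet.
        {"displayName": "iphone-sales-03", "operatingSystem": "iOS",
         "isCompliant": None, "isManaged": None, "trustType": "Workplace"},
        # Windows devices are outside this integration and are skipped.
        {"displayName": "laptop-eng-01", "operatingSystem": "Windows",
         "isCompliant": True, "isManaged": True, "trustType": "AzureAd"},
    ]
}


def fetch_devices(token=None):
    """Return the device list: live from Graph when a token is given (following
    @odata.nextLink pages), otherwise the constructed sample."""
    if not token:
        return list(SAMPLE_RESPONSE["value"])
    devices, url = [], GRAPH_DEVICES_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices


def summarize_compliance(devices, platforms=("Android", "iOS")):
    """Bucket the mobile platforms this integration covers by compliance state.

    A device whose isCompliant is null has registered but has received no state
    from the partner; a Conditional Access rule that requires a compliant device
    blocks it just like a non-compliant one, so the 'unknown' bucket is the one
    to investigate after onboarding.
    """
    buckets = {"compliant": [], "noncompliant": [], "unknown": []}
    for device in devices:
        if device.get("operatingSystem") not in platforms:
            continue
        state = device.get("isCompliant")
        key = "compliant" if state is True else "noncompliant" if state is False else "unknown"
        buckets[key].append(device.get("displayName", "<no name>"))
    return buckets


if __name__ == "__main__":
    result = summarize_compliance(fetch_devices(os.environ.get("GRAPH_TOKEN")))
    for bucket, names in result.items():
        print(f"{bucket:>12}: {', '.join(names) or '-'}")
```

Run it with no token to see the sample bucketed, or export GRAPH_TOKEN to query the tenant; devices that appear under "unknown" for a user in one of the selected groups are the ones to check for a missing Authenticator registration or a sync that has not yet run.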