Configuring conditional access for Microsoft Entra integration with IBM MaaS360

Use this integration to enable only trusted users and groups from compliant and managed devices in the Microsoft Entra Portal to access Microsoft-approved apps and services.

The IBM® MaaS360® integration with Microsoft to enforce device compliance through Microsoft Entra ID Conditional Access (CA) enables the synchronization of device compliance information with a Microsoft Entra ID tenant. This integration helps MaaS360 Device Trust information to be seamlessly used in Microsoft Entra ID Conditional Access rules. The Microsoft Endpoint Manager Partner Compliance Management capability enables this integration. For more information on this capability, see https://docs.microsoft.com/mem/intune/protect/device-compliance-partners.

With this feature, IBM MaaS360 uses the System for Cross-Domain Identity Management (SCIM) user management API to sync device compliance information with Microsoft Entra ID, allowing Microsoft Entra ID CA rules to use the MaaS360 Device status. Microsoft Entra ID CA enables administrators to control and manage access to both personal and organizational data from BYOD and organization-owned devices.
Notes:
  • To enable CA for Microsoft Entra integration in your IBM MaaS360 Portal, contact IBM Support.
  • When the IBM MaaS360 infrastructure is upgraded and the gateway IP address changes, help ensure to update any Microsoft Entra Conditional Access policies that use Network Assignments and the specific MaaS360 instance gateway IP address with the new IP address.
  • IBM MaaS360 functions as a third‑party compliance partner and sends device compliance data to Microsoft Intune. Microsoft Intune synchronizes this information and uses it to determine device compliance status. In the Microsoft Entra ID portal, Microsoft Intune appears as the Mobile Device Management (MDM) authority for integration purposes only. IBM MaaS360 manages device enrollment and compliance.

Environment

  • Microsoft Entra ID Conditional Access requires a Microsoft Entra ID Premium subscription.
  • Device registration and user participation for device compliance require a Microsoft Intune license, which must be assigned to the target device users.
  • The Microsoft Authenticator app must be installed on iOS and Android devices. Push this app as a managed app from the MaaS360 App Catalog. The Microsoft Authenticator app is required to register the device in Microsoft Entra ID.
  • A valid subscription to Microsoft In tune is required. The Microsoft Intune licenses must be assigned to the users supported by this integration.

Configuration

Configure this integration by using one of the following methods.

Onboarding workflow

  1. Go to https://endpoint.microsoft.com and sign in to Microsoft Entra account by using valid credentials.
  2. From the Microsoft Endpoint Manager admin center, select Tenant administration > Connectors and tokens > Partner compliance management.
  3. Click Add compliance partner.

    1. On the Create Compliance Partner screen, go to the Basics tab and select IBM MaaS360 from the compliance partner list.
    2. Select Android from the platform list, and click Next.
    3. In the Assignments tab, select Included groups > Assign to > All users, and click Next.
    4. In the Review + create tab, review the settings, and click Create.

      You can see a message to indicate that the compliance partner was successfully created (tenant metadata is created on Intune). The Partner compliance management preview nowshows the partner-managed Android devices for IBM MaaS360.

  4. To configure partner-managed iOS devices, repeat the step 3, but choose iOS in step 3.a. Click Refresh on the Partner compliance management preview page and go to step 5.
  5. Log in to the IBM MaaS360 Portalwith your administrator username and password credentials.
  6. From the IBM MaaS360 Portal home page, go to Setup > Microsoft Entra integration > Conditional Access.
  7. Configure the Tenant ID (the unique identifier for the Microsoft Entra ID instance) and the Client ID for the Microsoft Entra account that is enabled with the Intune license.

    For detailed steps on registering the MaaS360 app in the Microsoft Entra ID tenant and generating the Client ID (Application ID), see Registering MaaS360 app in the Microsoft Entra ID tenant. For more information, see https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate.

  8. Click Configure. You are prompted to sign in to the Microsoft Entra Portal.
  9. Select your Microsoft Entra account from the list. The Permissions requested message for the unverified MaaS360 Microsoft Entra Device Compliance Data Update is displayed.
  10. Review the message and click Accept to allow the MaaS360 app permissions to specific resources from all users in your organization.
    • If authentication is successful, the following message is displayed and you are redirected to the MaaS360 Portal.

      Registration is successful. Window will automatically close in 5 seconds

    • If authentication fails, the following message is displayed and you must review the settings that you configured in the previous steps.

      Registration has failed. Window will automatically close in 5 seconds

  11. Go to Setup > Microsoft Entra integration. By default, the Select user groups screen is displayed.
  12. From the Select user groups screen, select the user groups that you want to configure.
    • To configure the service for all users, select All Users.

      To suppress the Microsoft Authenticator setup notification on devices when Conditional Access is enabled for all users, select Suppress notification to set up Microsoft Authenticator checkbox.

    • To configure specific Microsoft Entra user groups, select Specific groups.
      Follow the steps to select the required groups to synchronize.
      1. Click Edit.
      2. Click Manage groups to open the Manage groups page.
      3. Search the groups and select the group names in the Enabled groups section to add to the list.
      4. Click Confirm.