How To
Summary
Microsoft Azure AD Conditional Access ensures that only trusted users from compliant and managed devices can access Microsoft-approved apps and services.
Objective
This integration allows the syncing of device compliance information to an Azure AD tenant to support using MaaS360 Device Trust information in Azure AD Conditional Access rules. This integration is enabled by the Microsoft Endpoint Manager Partner Compliance Management capability. See https://docs.microsoft.com/mem/intune/protect/device-compliance-partners.
With this feature, MaaS360 uses the MS Graph API to sync device compliance information to Azure Active Directory (Azure AD), allowing the MaaS360 device status to be used in Azure AD Conditional Access rules. Azure AD Conditional Access allows administrators to control and manage access to data (both personal data and the organization's data) from BYOD and organization-owned devices.
Note: The Azure AD Conditional Access integration must be enabled in your MaaS360 Portal. Contact Customer Service or your Account Manager for activation.
Environment
- Azure AD conditional access requires an Azure AD Premium subscription.
- Device registration and user participation for device compliance require a Microsoft Intune license. The Intune license must be assigned to target device users.
- You must have the Microsoft Authenticator app installed on iOS and Android devices. Push this app as a managed app from the MaaS360 App Catalog. The Microsoft Authenticator app is required to register the device in Azure AD.
- A valid subscription to Microsoft Intune. The Microsoft Intune licenses must be assigned to users supported by this integration.
- Grant Access enforces your specified conditions for gaining access to your applications; it does not inherently block all other applications.
- The most restrictive policy is enforced in scenarios where multiple Conditional Access policies are in scope.
- Using the Block Access control will block MaaS360 Enrollments. There is no method to exclude MaaS360 from this restriction.
Configuration scope
You can configure this integration using one of the following methods:
- Configure for all users
With this configuration, all devices in the organization are prompted to register. This configuration method only works on devices that complete the registration process.
- Configure specific groups
With this configuration, you must configure Azure Visibility, which provides visibility for user group associations. For more information, see https://www.ibm.com/docs/en/maas360?topic=maas360-configuring-azure-ad-integration.
You can only configure this service for Azure AD groups that are managed by MaaS360. See step 4 in https://www.ibm.com/docs/en/maas360?topic=maas360-configuring-azure-ad-integration.
Steps
Onboarding workflow
- Go to the Basics tab and select IBM MaaS360 from the compliance partner list. Choose Android from the platform list, and then click Next.
- In the Assignments tab, select Included groups > Assign to > All users, and then click Next.
- In the Review + create tab, review the settings and then click Create.
For detailed steps on registering the MaaS360 app in the Azure AD tenant and generating the Client ID (Application ID), see https://www.ibm.com/docs/en/maas360?topic=authentication-registering-maas360-app-in-azure-ad-tenant.
10. Review the message and click Accept to allow the MaaS360 app permissions to specific resources from all users in your organization.
If authentication is successful, the following message is displayed: "Registration is successful. Window will automatically close in 5 seconds", and you are redirected back to the MaaS360 Portal.
If the following message is displayed: "Registration has failed. Window will automatically close in 5 seconds", review the settings that you configured in step 1 to step 7.
- If you want to configure the service for all users, type All users in the Select Azure AD user group name field. The All users user group is automatically populated in the drop-down list. Select the user group and click Save.
- If you want to configure specific Azure AD user groups, start typing the name of the group in the Select Azure AD user group name field; suggestions from the list of MaaS360 Managed Azure AD groups are displayed in the drop-down list. Select the groups and click Save.
Note: You can configure up to 10 groups.
You can only configure Azure AD groups that are managed by MaaS360. To view a list of groups, select Users > Groups.
For more information, see step 4 in https://www.ibm.com/docs/en/maas360?topic=maas360-configuring-azure-ad-integration.
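After the groups are saved, the compliance state that MaaS360 syncs through the MS Graph API is what Conditional Access evaluates, so it is worth confirming that managed devices actually carry a current compliance state. The following audit is an added example, not MaaS360 or Microsoft code: it classifies devices from a Graph GET /devices page (the sample below is constructed, with invented names and dates) using the Graph device resource fields isManaged, isCompliant and complianceExpirationDateTime, and flags devices whose state was never synced or has expired.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a Microsoft Graph GET /devices page (invented values, not tenant
# data). Field names are those of the Graph "device" resource that Conditional Access reads.
SAMPLE_GRAPH_DEVICES = json.loads("""
{"value": [
  {"displayName": "ios-001", "operatingSystem": "iOS", "isManaged": true,
   "isCompliant": true, "complianceExpirationDateTime": "2099-01-01T00:00:00Z"},
  {"displayName": "android-002", "operatingSystem": "Android", "isManaged": true,
   "isCompliant": true, "complianceExpirationDateTime": "2020-01-01T00:00:00Z"},
  {"displayName": "android-003", "operatingSystem": "Android", "isManaged": true,
   "isCompliant": null, "complianceExpirationDateTime": null},
  {"displayName": "ios-004", "operatingSystem": "iOS", "isManaged": true,
   "isCompliant": false, "complianceExpirationDateTime": "2099-01-01T00:00:00Z"},
  {"displayName": "byod-005", "operatingSystem": "Android", "isManaged": false,
   "isCompliant": null, "complianceExpirationDateTime": null}
]}
""")

def _parse_ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing 'Z') into an aware datetime, or None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_compliance_sync(devices, now=None):
    """Classify each managed device by the compliance state Conditional Access will see.

    Returns {displayName: state} where state is 'ok', 'noncompliant',
    'expired' (compliant flag present but complianceExpirationDateTime has passed)
    or 'unsynced' (managed, but the partner never wrote a compliance state).
    Unmanaged devices are skipped: they cannot carry partner compliance data.
    """
    now = now or datetime.now(timezone.utc)
    result = {}
    for d in devices:
        if not d.get("isManaged"):
            continue
        compliant = d.get("isCompliant")
        expiry = _parse_ts(d.get("complianceExpirationDateTime"))
        if compliant is None:
            state = "unsynced"
        elif compliant is False:
            state = "noncompliant"
        elif expiry is not None and expiry < now:
            state = "expired"
        else:
            state = "ok"
        result[d["displayName"]] = state
    return result
```

Devices reported as "unsynced" are the ones to check first: a Grant Access policy requiring a compliant device will deny them even though they are enrolled, which is the usual symptom of a registration that never completed.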
Related Information
Document Location
Worldwide
Document Information
Modified date:
02 July 2024
UID
ibm16433499