Managing Microsoft Office 365 with the Graph APIs & VMware Workspace ONE

Feb 13, 2018
Ben Siler


Ben Siler is a product manager for VMware End-User Computing (EUC).

If your IT organization is like most shops, you’re thinking about how to make the most of your Microsoft Office 365 investment. You need to make sure your data is safe, and you want employees to get the productivity boost your org expects from making Office apps available wherever, whenever, and on whatever device employees need. VMware Workspace ONE meets both needs: The solution keeps Office 365 corporate data safe and provides an employees-first digital workspace that’s been shown to increase productivity and employee satisfaction.

Because Office 365 is so important to our customers, we’ve added Office 365-specific methods, such as Microsoft’s newly released Intune app protection Graph APIs, to the Workspace ONE access management capabilities and unified endpoint management technology, powered by VMware AirWatch. In this blog post, I’ll share why Workspace ONE is the best solution for Office 365 success, as well as what we’ve learned from leading customers who integrated Office 365 into their digital workspaces.

What Are the Graph APIs?

Last week, Microsoft announced general availability of their Intune app protection Graph APIs. These Intune APIs are part of a larger set of APIs called the Microsoft Graph, which is intended to help partners integrate better with Microsoft products. Here at VMware, we’ve adopted those Office 365 APIs most useful for helping you accomplish your goal: securing and integrating Office 365 into your digital workspace.

Workspace ONE uses the newly released Intune app protection Graph APIs to complement your data loss protection (DLP) strategy if you use Office 365 apps, such as Microsoft OneDrive or Microsoft Outlook. Although Workspace ONE supports multiple Intune app protection APIs, the most useful APIs for IT organizations are the following:

  • Control save location from Office 365 apps. This setting allows you to control whether users can save directly to their device, or whether they have to save to Microsoft OneDrive or another repository.
  • Control cut/copy/paste from Office 365 apps. This setting allows you to control whether users can cut, copy, or paste text out of Office 365 apps. Of course, in a time when many devices have cameras and most can take screen captures, we recommend combining this setting with a broader Workspace ONE DLP strategy for it to be successful.
  • Enforce app-level PIN in Office 365 apps. This setting allows you to require app-level PINs before users can open Office apps. Because PINs can be less secure, add another barrier employees must overcome, and aren’t context-aware, this setting can be supplemented with passwordless authentication and conditional access enabled by Workspace ONE.
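
To make the three settings above concrete, here is an added example (not VMware or Microsoft code) that audits an app protection policy document offline. The property names are those of the Microsoft Graph managedAppProtection resource; the PIN baseline and both sample policies are constructed assumptions.

```python
# Added example: audit an Intune app protection policy document offline.
# Property names follow Microsoft Graph's managedAppProtection resource;
# the baseline and both sample policies are constructed for illustration.
MIN_PIN_LENGTH = 6  # assumed organisational baseline, not from the article
OUTBOUND_OK = {"managedAppsWithPasteIn", "managedApps", "blocked"}


def audit_app_protection(policy):
    """Return findings for save location, clipboard and PIN settings."""
    findings = []

    # Save location: blocking "Save As" does not help if local storage
    # is still listed as an allowed destination.
    allowed = set(policy.get("allowedDataStorageLocations", []))
    if not policy.get("saveAsBlocked", False):
        findings.append("save-as: not blocked")
    elif "localStorage" in allowed:
        findings.append("save-as: blocked, but localStorage is still allowed")

    # Cut/copy/paste: a missing or "allApps" level lets text leave managed apps.
    level = policy.get("allowedOutboundClipboardSharingLevel")
    if level not in OUTBOUND_OK:
        findings.append(f"clipboard: outbound sharing level is {level!r}")

    # App-level PIN: required, long enough, and not a trivial sequence.
    if not policy.get("pinRequired", False):
        findings.append("pin: app-level PIN not required")
    else:
        if policy.get("minimumPinLength", 0) < MIN_PIN_LENGTH:
            findings.append("pin: minimum length below baseline")
        if not policy.get("simplePinBlocked", False):
            findings.append("pin: simple PINs are accepted")
    return findings


# Constructed sample policies (not exported from a real tenant).
WEAK_POLICY = {
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "localStorage"],
    "allowedOutboundClipboardSharingLevel": "allApps",
    "pinRequired": True, "minimumPinLength": 4, "simplePinBlocked": False,
}
HARDENED_POLICY = {
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness"],
    "allowedOutboundClipboardSharingLevel": "managedApps",
    "pinRequired": True, "minimumPinLength": 6, "simplePinBlocked": True,
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_app_protection(pol))
```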

Advanced Uses of the Graph API

Workspace ONE also uses Microsoft’s Graph APIs for real-time risk management for Office data, revoking access to Office 365 if a device becomes risky.

Many IT departments are keenly aware of the risk of putting Office 365 data on varied devices that can access data anywhere, at any time. To manage this risk, IT can require devices to be enrolled in Workspace ONE management and be compliant with IT policy as a prerequisite for Office 365 access. This device enrollment and real-time compliance check at authentication ensures that devices in bad states (e.g. jailbroken, rooted, hosting known malicious apps, or other conditions IT defines) cannot access Office 365 data.

Once a user gains access to Office 365 on a safe device, however, Office 365 issues a session token that is stored on the user’s device. This token allows the user to get access to Office 365 later without authentication, making access easy for users.

The flip side is that the long-lived token also increases risk: After getting an Office 365 session on a safe device, the user can later jailbreak or root the device, download a malicious app, or violate other IT device policies. Because the device keeps its Office 365 session even if it becomes unsafe, these compromised devices can continue to access vital business resources. Workspace ONE solves this problem by integrating with Microsoft’s Graph API for Office 365 to revoke the user’s access token, killing the user’s session and forcing them to remediate and comply with IT policy before they can get access again.
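
The revocation step described above can be sketched as follows. This is an added example, not Workspace ONE's implementation: it assumes the Microsoft Graph `revokeSignInSessions` user action is the call used, and the device records, user IDs, and token value are constructed.

```python
# Added example: turn device-compliance results into Graph revocation calls.
# Requests are prepared but never sent, so this runs offline.
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed compliance feed; field names are hypothetical.
SAMPLE_DEVICES = [
    {"user_id": "00000000-0000-0000-0000-000000000001", "compliant": True},
    {"user_id": "00000000-0000-0000-0000-000000000002", "compliant": False},  # jailbroken
    {"user_id": "00000000-0000-0000-0000-000000000002", "compliant": True},
    {"user_id": "00000000-0000-0000-0000-000000000003", "compliant": False},  # flagged app
]


def users_to_revoke(devices):
    """Users owning at least one non-compliant device, de-duplicated."""
    return sorted({d["user_id"] for d in devices if not d["compliant"]})


def build_revoke_request(user_id, bearer_token):
    """Prepare POST /users/{id}/revokeSignInSessions.

    The action invalidates the user's refresh tokens and browser session
    cookies; access tokens already issued stay valid until they expire.
    """
    safe_id = urllib.parse.quote(user_id, safe="")
    return urllib.request.Request(
        url=f"{GRAPH}/users/{safe_id}/revokeSignInSessions",
        data=b"",
        method="POST",
        headers={"Authorization": f"Bearer {bearer_token}"},
    )


def plan_revocations(devices, bearer_token):
    """One prepared request per affected user."""
    return [build_revoke_request(u, bearer_token) for u in users_to_revoke(devices)]


if __name__ == "__main__":
    for req in plan_revocations(SAMPLE_DEVICES, "PLACEHOLDER_TOKEN"):
        print(req.get_method(), req.full_url)
```

Because the revocation is per user rather than per device, one bad device ends the user's sessions on every device, and each one must re-authenticate through the compliance check.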


Of course, Workspace ONE does much more for Office 365 than just manage Graph APIs. To help you meet your goals of securing Office 365 and providing easy access, Workspace ONE integrates Office 365 with other vital apps to create a digital workspace.

Multiplying the Value of Office 365

Office 365 is a huge investment for most organizations, so IT departments should think carefully about how to integrate it into their end-user strategy. When I ask IT leaders about their end-user goals, they talk about the potential of new apps, delivery methods, and IT strategies. They also talk about mitigating the risks of shadow IT, data loss, and accidental noncompliance as users take advantage of those same possibilities. Depending on how Office 365 is integrated into your digital workspace and secured, it can either empower employees with convenient, consumerized tech or increase risk as employees access vital data in unsafe ways.

Of course, Office 365 is only part of a worker’s day-to-day IT experience. The sales exec who crunches customer numbers in Excel has to draw that data from Salesforce, and the HR specialist who uses Microsoft Outlook to talk to employees about their benefits needs easy access to Workday for benefits information. Workspace ONE extends the value of Office 365 by building bridges between Office 365 and the constellation of apps that feed data into it. Users have all their apps in one place and are instantly signed in with secure, passwordless authentication, even when they jump between the Office 365 ecosystem and other app ecosystems.

Empowering your employees with the right set of apps and tools results in business success. According to research from Forbes Insights, employees in organizations that empower their workers with a digital workspace that includes apps such as Office 365 report a 34% increase in personal productivity and a 100% increase in service quality for the organization’s customers. (For more improvements coming from employee empowerment, see the table below from the full research report).


A Complete Strategy for Securing Office 365

The digital workspace can’t only do the work of providing easy access to Office 365 and supporting apps. It must also allow IT to fulfill the other half of its mission: protecting Office 365 data with endpoint management, access management, and (as discussed above) specialized integrations with Office 365 through Microsoft’s Graph APIs.

Workspace ONE is powered by AirWatch unified endpoint management (UEM) technology, which unifies IT’s app, endpoint, and access strategies. As multi-platform apps with strong native components, such as Office 365, become more important for workers, IT needs to consider how to deliver a consistently secure experience across multiplying endpoints and contexts. Workspace ONE gives you one way to handle platforms from Windows 10 and macOS to iOS, Android, and rugged devices. With a complete list of management capabilities at your disposal, Workspace ONE makes it possible for IT leaders to set a unified security strategy based on business needs and end-user requirements, rather than on the quirks of different management tools and device stacks.

Workspace ONE also takes care of your Office 365 client app strategy, marrying end-user-approved convenience with IT-caliber security. The Workspace ONE secure productivity apps suite provides a seamless and integrated app experience, giving users instant access to corporate email, calendar, contacts, files, browser, and people. With built-in security, these apps can help boost employee productivity while upholding security and compliance standards. The apps integrate with Microsoft Exchange, Microsoft SharePoint, and Microsoft OneDrive in the cloud, with support for modern authentication and for Azure Rights Management (RMS). No matter how you deploy these, VMware Boxer, VMware Browser, VMware Content Locker, and VMware People Search include full-spectrum mobile application management (MAM) capabilities for protecting your data.

Ultimately, Workspace ONE is designed for IT administrators to give choice to the end users. If you use Microsoft’s Office 365 clients, such as Microsoft Outlook, Microsoft Skype for Business, or Microsoft OneDrive, Workspace ONE protects your data with DLP features, ranging from endpoint management and compliance checking to enterprise device wipes that remove work data and apps (but not personal data and apps) from devices. If a device becomes compromised (for example, if it’s jailbroken or downloads a known malicious app), Workspace ONE can automatically remove all Office 365 and other workplace data from the device. In addition, Workspace ONE can instantly block access to Office 365 services if something goes wrong with a device (as covered in the “Advanced Uses of the Graph API” section above).

The Digital Workspace Complements Your Office 365 Investment

When integrated into a digital workspace, Office 365 gives workers easy access to the productivity apps and data they need, on all the devices they want to use. This can be an important part of your strategy for ensuring you’re harnessing the winds of consumerization, rather than being blown into shadow IT and risk of data loss. Workspace ONE UEM technology ensures you can handle all the devices and use cases your workers have for Office 365, and Workspace ONE easy access features enable worker productivity as users transition seamlessly between Office 365 and supporting apps.

To learn more about how Workspace ONE can help protect Office 365 and magnify the value of your investment, contact your VMware EUC specialist today.
