The pandemic has acted as an accelerant for digital transformation, forcing organizations to adapt to the new normal of a distributed workforce. With that, adopting a Zero Trust approach to security is now seen as a critical end-user computing strategy, which ensures security for user and work data interaction outside the traditional network-based perimeters. Establishing and enforcing Conditional Access policies serves as the lynchpin to this Zero Trust security posture.
Microsoft 365 is the most widely used productivity service, and recent workplace dynamics have put a stronger emphasis on the need to manage and secure access to these resources based on the user’s identity, the devices’ health and device compliance policy.
On this note, we are excited to now make available integration of VMware Workspace ONE with Microsoft Endpoint Manager and Microsoft Azure Active Directory (Azure AD) for secure Conditional Access to Office 365 across end–user devices, no matter where they are located.
How Workspace ONE integrates with Azure AD to provide device telemetry
VMware Workspace ONE offers an industry-leading endpoint management solution and serves as the source of truth for device telemetry. Workspace ONE allows administrators to define a ‘compliant’ state of a device and evaluate compliance based on one of the most robust set of data points in the industry. It expands beyond the data retrieved from the device by an EMM vendor to aggregate device, app and user behavior data from multiple internal and external sources. Workspace ONE also leverages machine learning models to calculate a user risk score and enable Conditional Access based on device context, login risk and user behavior.
Via integration with Intune, now a part of Microsoft Endpoint Manager, Workspace ONE is now able to deliver this device posture to Microsoft Endpoint Manager and participate in Azure AD Conditional Access.
The integration targets any Workspace ONE Unified Endpoint Management (UEM) managed device and allows customers to take advantage of granular Azure AD Conditional Access policies. Platform support to integrate with the Intune APIs was made available with the Workspace ONE UEM 2008 version (August 2020 release). VMware has incorporated early feedback from customers and has promoted the integration from preview to general availability with our October release.
How to Establish Secure Conditional Access
Conditional Access is established as follows:
- When end users first attempt to consume a Microsoft 365 service that requires the user’s device to be marked as a compliant device, Azure AD will block unverified access and redirect the user to a remediation page.
- This page provides instructions to perform a one-time device registration enabling Workspace ONE Intelligent Hub to retrieve the Azure AD device identifier from Microsoft Authenticator.
- This identifier is subsequently used to send the device’s compliance status to the Intune to update the Azure AD Conditional Access policy resolution status.
- Future access to Microsoft 365 solutions is then seamlessly established based on device health and Azure compliance posture.
Behind the Scenes of the Azure AD Conditional Access integration
First time end user experience to connect Workspace ONE Intelligent Hub and Microsoft Authenticator
This integration now allows customers to leverage their investments in Workspace ONE for device management, certificate lifecycle management and device posture detection to control access to business-critical applications such as Office 365.
OS platform support for the initial release of this integration with Intune APIs is limited to iOS and Android. Feature parity for Windows 10 Out-of-the-Box Enrolled (OOBE) devices is currently available via Microsoft Graph APIs. Only Workspace ONE UEM compliance data is shared with Microsoft in this initial release.
Future enhancements of the integration will expand OS platform support to macOS, expand the ability to share additional compliance policy data, and focus on continually improving the end-user experience.