Microsoft Conditional Access via Partner compliance management

Overview

Ensuring that end users are accessing organization data on a trusted organization device is a key component to many best practice device security practices. Combining Microsoft Conditional Access to validate the user, in conjunction with Addigy to secure the device, allows Apple admins to make sure corporate assets are being accessed in a secure manner.

After this article please check out the Addigy Compliance Engine as it is a key part of the Conditional Access solution, and how the macOS devices are calculated as compliant or not. 

Also, see Microsoft Conditional Access using Certificates for a workflow for Conditional Access that does not require Microsoft Enterprise Mobility + Security (E3 or E5).

High Level Technical Overview

Using the Addigy Compliance Engine, Azure Conditional Access, and Addigy, only devices registered to users and marked as compliant will be able to access data and apps that are behind a configured Conditional Access policy. When the Corporate Conditional Access controlled resources are attempted to be accessed, Azure Conditional Access will check the Azure Device ID of the device making the request (provided in the access request via the WPJ (Workplace Join) certificate) and its Compliance State as sent over to Azure from Addigy as part of the Partner compliance management integration.

About the beta

Microsoft Conditional Access via Partner compliance management with a new feature and we would love your feedback and ideas on how to improve the feature.

If you would like to participate in the next generation real-time Compliance Engine and Conditional Access beta, you can enable this on your Accounts page in Addigy.

Beta Note: At the start of the beta this feature will be 1-1 as in 1 Azure Tenant ID to 1 Addigy Instance. Multi-Tenant (1 Azure Tenant ID per Addigy Organization Policy) is under consideration and research.

Requirements

• Azure AD (P1 or P2) subscription plan with Conditional Access (Find more information here)
  • Azure AD Admin rights for integration connection via admin consent experience login
    • Domain or Global Admin
• Microsoft Enterprise Mobility + Security (E3 or E5) for users to preform the WPJ device registration (Find more info here)
• Azure AD User Group for desired Device Compliance registration users
• Addigy Account using Addigy MDM
• macOS devices on macOS v10.15 and up

Technical Workflow

Below we discuss the technical workflow connecting Addigy and Azure as part of the Partner compliance management integration, setting up the user one time Conditional Access registration (WPJ (Workplace Join)) workflow in Self Service, and setting up Conditional Access Policies that grant or deny macOS device access based on this device state sent over as part of the registration.

Enabling Partner compliance management for Addigy

The first step needed to allow for the integration connection between Addigy and Azure is to add Addigy as a partner

1. Navigate to endpoint.microsoft.com 
2. Open the Tenant Administration blade (what is a blade?)
   
3. Open the  Connectors and tokens blade
   
4. Open the Cross platform > Partner compliance management blade
   
5. Chose Add compliance partner to start the partner wizard
   
6. Select Addigy from the Compliance partner dropdown in the wizard
   
7. Select the macOS platform from the Platform dropdown 
   
   
   
8. Click Next to advance
9. Select you desired user group that will have Workplace Join and Registration ability. If desired this can be a group you define (ex: An organization Department that dynamically updates in Azure AD, a static group of testers you manually add to a user group, or a specific user). This can also be assigned to All Users that way any member of this Azure AD tenant could preform the registration and have their device become compliant. However; please contact support to obtain the ID of this object for step # of the Connecting Addigy to Azure/Intune Partner compliance management section.
   Note: Please take note of what group you select. You will need the Object ID of that group in the next section.
   
10. Click Next to advance
11. Review your configuration and confirm and save the configuration via the Create button
    
    
    
12. The endpoint.microsoft.com session can now be closed as the Addigy partner connection is enabled and waiting for the Addigy side activation and first service heartbeat.
    

Connecting Addigy to Azure/Intune Partner compliance management

Now with Intune listening for service partner activation we will kick off the Addigy to Azure connection

1. Navigate to Account > Integrations > Third Party Add-Ons > Microsoft Intune
   
   
   
2. Input your Azure AD Tenant ID in to the Tenant ID box. Then input the the Group Object ID of the group you selected in step #9 of the prior section.
   Note: Clicking Find in Azure will take you to the respective landing pages for the tenant info that holds the Tenant ID and the Groups blade so you can search, then copy and paste the Group ID.
   Optional: If you want to present users a internal KB if they are not enrolled in Addigy and attempt to access Microsoft Conditional Access content you can set that URL here.
   
   
   Note: The Tenant ID can be found on the Azure AD portal home screen:
   
   
3. With your Azure AD Tenant ID entered click the Connect button.
   Note: At the start of the beta this feature will be 1-1 as in 1 Azure Tenant ID to 1 Addigy Instance. Multi-Tenant (1 Azure Tenant ID per Addigy Organization Policy) is under consideration and research.
   
   
   
4. When redirected in a new tab to the Azure AD Admin Consent Experience Sign-In preform an Azure AD sign in with an account with proper admin rights to grant domain or global consent to the partner app. After you are signed in click the Accept button to allow the integration.
   
   
   
5. The integration will now process and connect the needed services. Once that process is complete the UI will show the following green signifiers that the integration connection was successful. Additionally; endpoint.microsoft.com > Tenant Administration > Connectors and tokens > Cross platform > Partner compliance management will show the Addigy partner listed and with a successful heartbeat as shown in the following example.
   

Configuring Self Service for End User Registration and Microsoft SSOe

The last configuration step needed is to enable end users to preform the registration on device so that they can get their device AAD ID and login.keychain AAD certificate to use for browser and app sign in at Conditional Access posture and prompt.

1. In Addigy navigate to Policies
2. Select the desired policy
3. Click on the Self Service Tab
4. Click on the desired Self Service configuration
5. Edit the Self Service configuration via the Edit Configuration button
6. Under the Integrations section check the box to enable the Intune integrations inside of Self Service (lower left corner of Self Service app)
   
7. Click Save and Review then confirm that change for deployment
8. Device will now see the registration workflow option in Self Service after policy deployment

Additionally, to reduce the number of sign-ins for the end user please configure the SSOe profile for Microsoft apps and browser sessions. For more on that navigate here.

Troubleshooting

• After inputting your Azure Tenant ID and attempting to connect you get an error on the redirect and admin consent sign-in on Azure:
  
  
  • Cause: The first section of this setup workflow was not completed properly when enabling Partner compliance management for Addigy as a compliance partner. If that is not added the API will not have rights to call out for setup. Additionally; it it was just added recently (as it would be for this process) you might need to re-run the connection again.