Azure Tenant

Overview

This section describes the process for connecting MobileIron Core to a Microsoft Azure tenant.

A growing number of organizations are using Microsoft's productivity apps, such as Microsoft 365 and OneDrive, on mobile devices. These kinds of deployments give device users access to their organization's resources from anywhere, using various devices and apps and only their credentials. If the credentials are compromised, an unauthorized person can also log in and gain complete access to the organization's data. Controlling who can access the organization's resources is no longer sufficient; IT administrators must also know how, and from which device, a resource is accessed. They have to make sure that data is accessed only from devices that meet the corporate compliance policy, and that these corporate policies are enforced on each and every device. Administrators should also be able to block access from unauthorized devices by defining conditional access policies.

Microsoft's Intune device compliance APIs allow organizations to update a device's compliance status in Microsoft Azure Active Directory (AAD). Using conditional access in AAD, administrators can block a non-compliant device from accessing apps. By connecting Core to AAD, administrators can use the device compliance status of MobileIron-managed devices for conditional access to Microsoft 365 apps.

Requirements

Microsoft

MobileIron Core customers must have a valid Microsoft Intune subscription and assign a Microsoft Intune license to the device users supported by this integration.

For Microsoft licensing for Microsoft 365 app services, see:

https://www.microsoft.com/en-us/microsoft-365/enterprise/compare-office-365-plans

MobileIron

  • MobileIron Core - Administrators will need Core version 11.0.0.0 through the latest version as supported by MobileIron.

    • For instructions on how to set up Android Enterprise, see the MobileIron Core Device Management Guide for Android and Android Enterprise Devices.

NOTE: If you do not have a link to your Core instance, contact your MobileIron Customer Success Manager.
  • MobileIron Mobile@Work for iOS (client) - version 12.0 through the latest version as supported by MobileIron.
  • MobileIron Mobile@Work for Android (client) - version 8.0 through the latest version as supported by MobileIron.

Supported OS versions

  • iOS 12.0 through the latest version as supported by MobileIron

  • Android 8.0 through the latest version as supported by MobileIron

Multiple Core support

If you have multiple Cores connected to the same Azure tenant, you should not disconnect a single Core from the Azure tenant. Your options are:

  • Disconnect from all Cores

  • Disable the compliance policy for AAD compliance integration on a specific (single) Core so that it does not upload device data to Azure

NOTE: Be sure to disable the compliance policy before disconnecting Core.

Technical support

For additional help with this feature, contact MobileIron Technical Support.

From the Core administrator's point of view

The following lists the process from the Core administrator's perspective.

  1. Administrator applies Intune licenses to device users. See Apply the Intune license to device users.

  2. Administrator logs into Azure Portal.
  3. Administrator adds MobileIron as an Azure compliance partner. See Adding MobileIron as a compliance partner.

  4. Administrator creates the Conditional Access policy for the apps. See Creating a conditional access policy in Microsoft Endpoint Manager.

  5. Administrator sets up the connection between MobileIron and Azure. This allows client devices to report compliance status to Azure. See Connecting Microsoft Azure to MobileIron Core.

  6. Administrator creates the device compliance policy in Core. See Creating a partner device compliance policy.

  7. When the device checks in, its compliance status is sent to the Azure portal.

  8. The Conditional Access policy goes into effect. Depending on whether the device is compliant, access to the app(s) is granted or denied.

  9. Administrator can disconnect from Azure. See De-provisioning of the Azure tenant.

NOTE: MobileIron recommends that the administrator run tests on each and every Microsoft app: Outlook, Word, Excel, PowerPoint, OneDrive, etc.

From the device user's point of view

The following lists the process from the device user's perspective.

  1. The device user's device is enrolled with MobileIron Mobile@Work. See Installing Mobile@Work for iOS and Android.
  2. The device user logs into their AAD account. This requires the Authenticator app to be installed on the device (see Required MobileIron client device user action and use cases).

    • If Authenticator is available on the device, the device user logs into the AAD account using their Microsoft credentials.

    • If Authenticator is not installed on the device, the device user is guided to install it and then log in using their Microsoft credentials.

Note the following:

  • If the device is compliant, the device user can access Microsoft 365 apps.

  • If the device is not compliant, an error displays stating that the app cannot be opened.

Next steps

Apply the Intune license to device users