Azure Tenant

Overview

This section contains information describing the process for setting up Core to Microsoft Azure Tenant.

A growing number of organizations are using Microsoft's productivity apps on mobile devices, such as Microsoft 365, OneDrive, etc. These kind of deployments give device users access to their organization's resources using various devices and apps from anywhere and using only their credentials. If the credentials get compromised, any unauthorized person can also login and get complete access to the organization's data. Just focusing on who can access the organization's resources is no longer sufficient; IT administrators must know how and from which device the organization's resource is accessed from. They have to make sure that data is accessed from the devices that meets the corporate compliance policy and have these corporate policies on each and every device. Administrators should also be able to block access to unauthorized devices by defining conditional access policies.

Using Microsoft's Intune device compliance APIs allow organizations to update the device compliance status in the Microsoft Azure Active Directory (AAD.) Using conditional access from AAD, if the device is non-compliant, administrators can block the device from accessing apps. By connecting Core to the AAD, administrators will be able to use the device compliance status of Core's managed devices for conditional access to Microsoft 365 apps.

Requirements

Microsoft

Core customers must have a valid subscription to Microsoft Intune and assign a Microsoft Intune license to device users supported by this integration.

For Microsoft licensing for Microsoft 365 App services, please see:

https://www.microsoft.com/en-us/microsoft-365/enterprise/compare-office-365-plans

Core

  • Core - Administrators will need Core version 11.0.0.0 or supported newer versions.

If you do not have a link to your Core instance, contact your Ivanti Customer Success Manager.

Supported OS versions

Note The Following:  

The Microsoft website states:

  • For more information, see https://www.microsoft.com/en-in/microsoft-365/microsoft-365-and-office-resources?rtc=1#coreui-heading-3b8v07b

Unsupported OS versions

Behavior if unsupported device OS versions is used:

Multiple Core support

If you have multiple Cores connected to the same Azure tenant, you should not disconnect from a single Core from Azure tenant. Your options are:

  • Disconnect from all Cores

  • Disable compliance policy for AAD compliance integration from a specific (single) Core so that it does not upload device data to Azure

Be sure to disable the compliance policy prior to disconnecting Core.

Technical support

For additional help with this feature, contact Ivanti Technical Support.

From the Core administrator's point of view

Below lists the process from the Core administrator's perspective.

  1. Administrator applies Intune licenses to device users. See Apply the Intune license to device users.

  2. Administrator logs into Azure Portal.

  3. Administrator adds Core as an Azure compliance partner. See Adding Core as a compliance partner.

  4. Administrator creates the Conditional Access policy for the apps. See Creating a conditional access policy in Microsoft Endpoint Manager.

  5. Administrator sets up the connection between Core and Azure. This allows client devices to report compliance status to Azure. See Connecting Microsoft Azure to Core.

  6. Administrator creates the device compliance policy in Core. See Creating a partner device compliance policy.

  7. When the device checks in, the device compliance status is sent to the Azure portal.

  8. The Conditional Access policy goes into effect. Depending upon whether the device is compliant or not, the access to the app(s) is granted or denied.

  9. Administrator can disconnect from Azure. See De-provisioning of the Azure tenant.

Ivanti recommends the administrator run tests on each and every Microsoft app: Outlook, Word, Excel, Powerpoint, OneDrive, etc.

From the device user's point of view

Below lists the process from the device user's perspective.

  1. Device user's device is enrolled with Mobile@Work. See Installing Mobile@Work for iOS and Android.

  2. Log into the AAD account. This requires the Authenticator app to be installed on the device (see Required client device user action and use cases.)

    • If Authenticator is available on device, device user logs into AAD account using their Microsoft credentials.

    • If Authenticator is not installed on the device, device user is guided to install the Authenticator and then log in using their Microsoft credentials.

Note The Following:  

  • If the device is compliant, device user can access Microsoft 365 apps.

  • If the device is not compliant, an error displays stating the app cannot be opened.

Next steps 

Apply the Intune license to device users