Enthusiast
Enthusiast

Conditional Access in O365 to MS Office

Good Afternoon All!   We have been told several times that we can set conditional access for O365 applications and DLP. All of the information we have been able to locate state we have to use Intune and their application to set this up. Please tell me this is not factual! Anyone setup conditional access for O365 apps? As in I want OneDrive to open in the Content Locker only, not the standalone MS app. HELP!! Beth

Labels (1)
11 Replies
Expert
Expert

Yes, Intune is required for setup. Airwatch and ViDM can help via the Graph API but intune and the licensing that goes with it are necessary.
0 Kudos
Enthusiast
Enthusiast

Luke, Do you know where I can find the instructions. I have searched resources and have not found the step-by-step instructions yet. Thanks  Beth
0 Kudos
Expert
Expert

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Intune_Integration/GUID-AWT-OFFICE365.html

This is the best I've seen really. I did some quick Outlook app testing last year and had to sue Microsoft intune docs to really figure it out. Once you get the console tied to your intune system you can use the WS1 console to do all the same work from DLP. You still need proper licensing to make it all work in O365. Haven't dabbled much in vIDM but apparently you can get conditional access working through that channel as well.

To clarify, you don't want people to be able to use the OneDrive app with their o365 account right?

0 Kudos
Expert
Expert

Why ask AirWatch or Microsoft when you can ask Luke? 🙂

Beth, I will be participating with O365/Intune/AirWatch integration as well. If I understand correctly, devices will still enroll in AirWatch but access O365 apps set up through Intune?
0 Kudos
Expert
Expert

Intune provides the ability to manage DLP for the o365 apps and provide conditional access based on enrollment. The graph API allows you to manage these settings from Airwatch, but not actually create policies etc. Such a confusing mess.
0 Kudos
Expert
Expert

Elizabeth, how's your setup coming along? My Intune admin has no clue and Microsoft said it can be done for sure. I've yet to read up on the documentation.
0 Kudos
Enthusiast
Enthusiast

hi,
i started the integration i think almost 7 month ago...
the support didnt know so much how to help me.
we had issues when trying to save settings in the Microsoft Intune® App Protection Policies
there was an error that took almost 2 month to resolve (at the end it was some conditional access in azure that cause it).
after this we gave up on this integration and decided to work with O365 apps as MAM without AW
Enthusiast
Enthusiast

Luke... thanks!

Thomas....having the same issue. My Intune admin is clueless and keeps asking me why AW is superior to Intune if AW needs Intune to work. SMH. The documentation is about as clear as mud. We had a SOW but ran out of time due to an untimely change in IDp to Okta.  So lost!

Hen.... Yikes. Was it that bad?
0 Kudos
Enthusiast
Enthusiast

Just want to add that it sounds like you're asking for two different things. Conditional access to Office 365 and Intune MAM are not the same thing; you can have one without the other. Conditional access provided by Microsoft is done using Azure AD's conditional access. Unless you're mobile devices are enrolled in Intune, you have limited options for enforcing conditional access on them. You can also use VMware Identity Manager for conditional access to O365 if you configure vIDM as a 3rd party Identity Provider in ADFS. Intune MAM, on the other hand, is used for DLP to control what you can and cannot do with the Office apps on mobile devices.
Contributor
Contributor

Hi,
Our purpose is to have a conditionnal access to O365 (no DLP) : only Cloud Aiwatch enrolled smartphones & tablets can have access to O365 apps.
As Mark said, is InTune required or not ?
Is vIDM required or can it be done with Azure AD's conditionnal access only ?
What about other devices : Windows laptops & desktops ?
Thanks,
0 Kudos
Enthusiast
Enthusiast

Mathleu,

In general, from an AirWatch perspective, you can implement conditional access to O365 in one of two ways:

1) Use vIDM
2) Use Azure AD's conditional access

Both solutions can be used for Windows laptops and desktops. Either solution will require that you enroll (or at least ' register'  them in Azure AD for Windows 10) these devices in Intune (for Azure AD Conditional Access) or AirWatch (for vIDM) to make the best use of them. If you don't enroll them, you won't be able to distinguish your managed devices from unmanaged devices and can only utilize policies that will apply to both.

Mark