VMware Workspace ONE Community
actyler555
Enthusiast

Use compliance data in Azure conditional access policies

Hello everyone, we are currently using Workspace One for MDM in our environment and are starting to onboard some M365 software. M365 and Azure have this great mechanism called conditional access control, which allows you to restrict access to company resources hosted on the M365 platform using conditional access control policies. Basically, it confirms the device is "trusted" prior to allowing it access. Traditionally, in order to utilize this on mobile devices, you were required to use Intune MDM, which would not work for us today. We'd have to drop Workspace One entirely, which we aren't ready to do.

However, I've discovered this new option within the Workspace One console that appears to allow a Workspace One managed device to share compliance data with Intune. It looks like exactly what we need.

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Directory_Service_Integration/GUID-800F...

I found a great walkthrough too from someone who has actually done it here...

https://bloggerz.cloud/2021/03/31/vmware-workspace-one-compliance-partnership-with-intune-and-azure-...


Before we pull the trigger, however, I have some questions. Hoping someone in the community can help clarify. We are using traditional LDAP authentication with Workspace One now, and we have the AirWatch Cloud Connector installed on-premise. Currently the LDAP config in Workspace One is configured for our on-premise domain, domain.local for example. We do have full-blown Azure integration with our on-premise environment, but we had to change everyone's UPN to use the public domain, domain.com for example.

Concerns are as follows...


1. What is the impact if we enable “Azure AD Integration”, “Use Azure AD for Identity Services”, and “Use compliance data in Azure conditional access policies for IOS” on our existing Workspace One environment?
    a. Is there any risk involved?
    b. Will it change how existing Workspace One devices function, any end user impact?
    c. Can this be easily reversed or is it a permanent change?
    d. Any licensing concerns from the VMware side?

2. Can this integration be limited to select iOS devices in Workspace One? By narrowing the scope to a group of users, for example?
    a. Or will all Workspace One devices need to be enrolled into Intune and require an Intune license?
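As an added illustration of the mechanism the post describes (this is constructed example code, not code from VMware, Microsoft or the poster), the following Python model shows how a conditional access policy that requires a compliant device is evaluated, and how scoping the policy to a pilot group leaves users outside that group unaffected. The policy names, group names, cloud app names and sign-in records are all assumptions made up for the example; in practice the evaluation happens inside Azure AD and the compliance claim for a device comes from the configured MDM compliance partner.

```python
"""Toy model of conditional access evaluation (constructed example, not Azure AD's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as the policy engine sees it."""
    user: str
    groups: frozenset                  # directory groups the user belongs to
    platform: str                      # device platform, e.g. "iOS", "Android", "Windows"
    app: str                           # cloud app being accessed, e.g. "Exchange Online"
    device_compliant: Optional[bool]   # True/False = claim from the MDM compliance partner
                                       # None = Azure AD has no compliance claim for the device


@dataclass(frozen=True)
class Policy:
    """A conditional access policy with a 'require compliant device' grant control."""
    name: str
    include_groups: frozenset          # users in scope (empty set means nobody)
    platforms: frozenset               # device platforms in scope
    apps: frozenset                    # cloud apps in scope
    require_compliant_device: bool = True
    state: str = "enabled"             # "enabled" or "report-only"


def policy_applies(policy: Policy, s: SignIn) -> bool:
    """A policy is in scope only when user group, platform and app all match."""
    return (bool(policy.include_groups & s.groups)
            and s.platform in policy.platforms
            and s.app in policy.apps)


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Return ("grant" | "block", reasons). Every enabled, applicable policy must be satisfied."""
    decision, reasons = "grant", []
    for p in policies:
        if not policy_applies(p, s):
            continue
        satisfied = (not p.require_compliant_device) or s.device_compliant is True
        if satisfied:
            reasons.append(f"{p.name}: satisfied")
            continue
        # A missing claim fails the control just like an explicit non-compliant claim:
        # a device nobody reports on cannot be proven compliant.
        why = "no compliance claim" if s.device_compliant is None else "device non-compliant"
        if p.state == "report-only":
            reasons.append(f"{p.name}: would block ({why}), report-only")
        else:
            reasons.append(f"{p.name}: block ({why})")
            decision = "block"
    return decision, reasons


# Constructed policies: the pilot policy is scoped to one group so that only pilot users
# need a compliance claim; a report-only copy covers everyone without enforcing anything.
PILOT_POLICY = Policy(
    name="Require compliant iOS device (pilot)",
    include_groups=frozenset({"CA-Pilot"}),
    platforms=frozenset({"iOS"}),
    apps=frozenset({"Exchange Online", "SharePoint Online"}),
)
REPORT_ONLY_POLICY = Policy(
    name="Require compliant iOS device (all users, report-only)",
    include_groups=frozenset({"All-Users"}),
    platforms=frozenset({"iOS"}),
    apps=frozenset({"Exchange Online", "SharePoint Online"}),
    state="report-only",
)
POLICIES = [PILOT_POLICY, REPORT_ONLY_POLICY]

# Constructed sign-ins covering the cases a pilot rollout has to reason about.
SAMPLE_SIGNINS: Dict[str, SignIn] = {
    "pilot_ios_compliant": SignIn("alice", frozenset({"All-Users", "CA-Pilot"}), "iOS", "Exchange Online", True),
    "pilot_ios_no_claim": SignIn("bob", frozenset({"All-Users", "CA-Pilot"}), "iOS", "Exchange Online", None),
    "pilot_ios_noncompliant": SignIn("carol", frozenset({"All-Users", "CA-Pilot"}), "iOS", "SharePoint Online", False),
    "nonpilot_ios_no_claim": SignIn("dave", frozenset({"All-Users"}), "iOS", "Exchange Online", None),
    "pilot_android_no_claim": SignIn("erin", frozenset({"All-Users", "CA-Pilot"}), "Android", "Exchange Online", None),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every constructed sign-in and return the decision per case."""
    return {label: evaluate(POLICIES, s)[0] for label, s in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for label, s in SAMPLE_SIGNINS.items():
        decision, reasons = evaluate(POLICIES, s)
        print(f"{label:24s} -> {decision:5s} {'; '.join(reasons) or 'no policy applied'}")
```

The model makes the scoping point concrete: only sign-ins that match the pilot group, platform and app ever reach the compliant-device check, so an unmanaged iOS device belonging to a non-pilot user is still granted access, while a pilot user whose device has no compliance claim is blocked. Running the broader policy in report-only mode first is a common way to see who would be affected before enforcement is widened.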
