After a great MVP Summit and a session at a great Experts Live, it’s finally time for a new blog post. This blog post will be about conditional access for managed apps (MAM CA). About a month ago, I did a first post about this feature when it was still in preview. The good news is that the first part of this feature is now production ready for all tenants. In this post I’ll go through an introduction of MAM CA, the flow of MAM CA, the prerequisites of MAM CA, the configuration of MAM CA and the end-user experience of MAM CA.
By now, I think, everybody should be familiar with the mobile app management without enrollment (MAM-WE, previously also referred to as MDM-less MAM) feature. MAM-WE helps with making sure that company data and resources are protected, even though the device is not managed. MAM CA adds an additional layer to that picture. MAM CA helps with making sure that only mobile apps that support Intune MAM policies are allowed to access Office 365 services (for now only Exchange Online). That enables us to allow access to Office 365 services, without the need to require enrollment and only for apps that can be managed.
Now let’s have a look at the flow that is used by MAM CA, by going through the steps in the picture shown below.
Note: In the above picture CP is referring to the Company Portal app on Android and AA is referring to the Azure Authenticator app on iOS.
- Start: The end-user signs in to a managed app;
- App Approved?: When the end-user is restricted with MAM CA policies, a check is done to see if it’s an approved app. The approved apps are stored on a list in Azure AD and during the sign-in the app is validated with that list. When the app is not on the list, the end-user will be prompted that it’s not allowed to sign in via the app;
- CP/AA Present?: When it’s an approved app, a check is done to see if the broker app is installed on the device. On iOS this is the Azure Authenticator app and on Android this is the Company Portal app. When the broker app is not installed on the device, the end-user will be prompted to install the app;
- AAD Registered?: When the broker app is installed, and the end-user is signed in, a check is done to see if the device is registered in Azure AD. When the device is not registered in Azure AD, the end-user will be prompted to register the device.
- Approved: When the device is registered in Azure AD, the end-user can access Exchange Online via the managed app.
Note: The device registration in Azure AD will create a device record and certificate against which tokens are issued. There is no management profile installed on the device and there are no policies applied to the device. The device record in Azure AD only contains the alternativeSecurityIds, the deviceOSType, the deviceOSVersion and the displayName properties.
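One way to verify, from the admin side, which devices have been registered through this flow is to list the registered device records in Azure AD and show exactly the properties named above. The script below is an added example written for this post using the Azure AD PowerShell (AzureAD module) cmdlets Connect-AzureAD and Get-AzureADDevice; it is not code from the original post or from Microsoft. It assumes that devices registered by the broker app appear with a DeviceTrustType of "Workplace" (Azure AD registered), and the 90-day staleness threshold is an arbitrary value chosen for the example.

```powershell
# Added example: list Azure AD registered (workplace-joined) device records
# created by the MAM CA broker flow and show the properties the post mentions.
# Requires the AzureAD PowerShell module: Install-Module AzureAD

Connect-AzureAD | Out-Null

# Assumption: devices registered via the Company Portal / Azure Authenticator
# broker apps show up as DeviceTrustType "Workplace" (Azure AD registered).
$registered = Get-AzureADDevice -All $true |
    Where-Object { $_.DeviceTrustType -eq 'Workplace' }

# Constructed threshold for the example: flag devices not seen for 90 days,
# since stale records keep issuing-capable device identities around.
$staleBefore = (Get-Date).AddDays(-90)

$report = foreach ($device in $registered) {
    [pscustomobject]@{
        DisplayName          = $device.DisplayName
        DeviceOSType         = $device.DeviceOSType
        DeviceOSVersion      = $device.DeviceOSVersion
        # The device certificate is referenced through alternativeSecurityIds;
        # only the count is shown here, not the key material.
        AltSecurityIdCount   = @($device.AlternativeSecurityIds).Count
        ApproximateLastLogon = $device.ApproximateLastLogonTimeStamp
        Stale                = ($device.ApproximateLastLogonTimeStamp -lt $staleBefore)
    }
}

$report | Sort-Object Stale -Descending, DisplayName | Format-Table -AutoSize
```

The point of the check is that the record really is as small as the post describes: there is no management profile and no policy, only the identity and certificate reference against which tokens are issued, so keeping that list clean (and removing records for devices that are gone) is the only housekeeping the registration leaves behind.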
After knowing what MAM CA is and how MAM CA works, it’s time to look at the prerequisites and the configuration.
Before looking at the configuration, it’s good to be aware of the following prerequisites, requirements and limitations.
- The end-user must be licensed for Enterprise Mobility + Security or Azure Active Directory Premium;
- At this moment MAM CA is only available for Exchange Online;
- The end-user must install the broker app on their device;
- MAM CA relies on modern authentication.
Now let’s have a look at the configuration options for MAM CA. The MAM CA policies contain three different configuration sections. These three sections together form the targeted MAM CA policy. Let’s go through these three sections and see how they can be used.
An additional consideration for MAM CA is to close the gap for apps that don’t support modern authentication. Without closing that gap, apps that don’t support conditional access might still be able to connect. Let’s go through a method to close that gap.
After configuring MAM CA, it’s time to have a look at the end-user experience. I’m going to show the end-user experience of an end-user signing in to an approved app. However, before showing that experience it’s good to mention a few important facts about the end-user experience.
- Every Exchange ActiveSync mail client, including the built-in mail clients on iOS and Android, will be blocked. Instead, end-users receive an email informing them that they need to use the Outlook mail app (see also this post);
- If an end-user is targeted with MAM CA and “normal” conditional access (Device CA) policies, the end-user must meet one of the two requirements:
  - The used app is allowed by MAM CA;
  - The used device is managed by Microsoft Intune (hybrid or standalone) and compliant, or it’s a domain-joined PC.
Now let’s have a look at the Microsoft Outlook app and the flow that I described earlier. The end-user signs in to the Microsoft Outlook app and is prompted to install the Azure Authenticator app (see first screenshot). Once the end-user signs in to the Microsoft Outlook app and the Azure Authenticator app is installed, the end-user is prompted to open the Azure Authenticator app (see second screenshot).
[Screenshots: Azure Authenticator app not installed | Azure Authenticator app is installed]
After switching to, and signing in to, the Azure Authenticator app, and the device is not registered, the end-user is prompted to register the device (see first screenshot). Once the device is successfully registered, and the end-user is successfully signed in, the end-user will be allowed access and receive the configured MAM policies (see second screenshot).
[Screenshots: Device is not registered | Device is registered]
For more information about MAM CA and related components, please refer to:
- Allow only mobile apps that support Intune MAM policies to access Office 365 services: https://docs.microsoft.com/en-us/intune/deploy-use/allow-policy-managed-apps-access-to-o365
- What to expect when using an app with MAM CA: https://docs.microsoft.com/en-us/intune/deploy-use/use-apps-with-mam-ca
- Create an Exchange Online conditional access to only allow apps supported by MAM: https://docs.microsoft.com/en-us/intune/deploy-use/mam-ca-for-exchange-online
- Block apps that do not use modern authentication (ADAL): https://docs.microsoft.com/en-us/intune/deploy-use/block-apps-with-no-modern-authentication