Compliance Integration with MS Office 365 using Intelligence and Graph APIs

Zero Trust for MS Office 365 Overview

The concept of Zero Trust assumes that any connection to sensitive data is untrusted, even when it comes from a corporate device, and requires further checks during authentication and access. The concept specifies 5 pillars that need to be addressed when implementing Zero Trust. For an overview of those five pillars and the matching VMware solutions, see Introduction to VMware Zero Trust on Tech Zone.

There are different possibilities to achieve Zero Trust and secure access to sensitive data in productivity suites like Office 365, some of which are discussed in the Tech Zone blog post Exploring Workspace ONE Compliance Integrations into Microsoft Office 365 and Azure AD.

This tutorial is an extension of the 3-part series. Parts 1, 2, and 3 walked you through the setup of the Authentication-based, ZTNA-based, and Graph API-based compliance integrations with Office 365.

This extension is closely related to the Graph API integration of part 3 and addresses use cases that can be solved with Workspace ONE Intelligence such as compliance for Hybrid AAD joined and Workplace joined Windows devices.

The following topics will be covered:

  • Overview of components required for Zero Trust leveraging the Intelligence Custom Connectors together with Microsoft’s Graph API.
  • Setting up sensors, Azure AD enterprise app, and Freestyle automation to enable Windows device compliance.

Audience

This tutorial is intended for IT professionals and VMware Workspace ONE administrators of existing production environments. Familiarity with Active Directory, identity management, and directory services is assumed. Knowledge of other technologies, such as Azure AD, is also helpful.

If you are new to Workspace ONE, review the Evaluation Guide: Managing Apps and Devices with Cloud-Based VMware Workspace ONE which has step-by-step exercises implementing features like mobile single sign-on (SSO) in UEM and Workspace ONE Access.

Zero Trust through Graph API Integration - Architecture

This guide builds on the previously released Compliance Integration with MS Office 365 using Graph API guide leveraging the product features Partner Compliance and Windows MDM Azure AD integration.

Although Workspace ONE does not support non-OOBE Hybrid AD joined or registered Windows clients natively, you can leverage Workspace ONE Intelligence, sensors, and custom connectors to transmit the compliance state to Azure AD and leverage it in Azure AD Conditional Access as with the other API-based methods.

Figure 1: Compliance using Intelligence and Graph API-based integration for Windows 10/11

For a demo of the steps discussed in this tutorial, watch the Custom API Zero Trust Integration with Azure AD video.

Setting Up Workspace ONE for Windows Device Compliance

In this section, we walk through the setup of sensors, Azure AD enterprise app, and Freestyle automation to enable Windows device compliance.

Requirements for Workspace ONE UEM and Graph API

Before you can proceed, you must have the following components installed and configured:

  • An existing Workspace ONE environment
  • Access to Azure AD Conditional Access Policies
  • Rights to add an Azure AD enterprise app and set the required permissions
  • Azure AD Premium P1 license

To communicate the device state to Azure AD, we need to know the device identifier used by Azure AD for the device record and save it with our device. We also want to gather how that device is associated with Azure AD; for example, if it is Azure AD joined, Hybrid AD joined, or just registered. The following GitHub repository has all the required sensor definitions for you.

Figure 2: Sensor definitions on GitHub

For a general overview of sensors, check out Windows Sensor documentation in VMware Docs.

Set Up Sensors

Copy the script definitions from GitHub and, in UEM under Resources > Sensors, add the sensors for Windows as PowerShell scripts.

For Hybrid joined devices, you must add sensors that retrieve the values for domain joined, Azure AD joined, and the Azure AD device ID. For registered or workplace joined devices, you must add the sensor definitions for the workplace joined status and the workplace joined device ID, which is different from the Azure AD device ID that we can use with Hybrid or Azure AD joined devices.

Figure 3: Sensor section in Workspace ONE UEM

Use Automatic architecture recognition and either System or Current User context. Current User context is only required for the Workplace joined sensors, because the workplace join state belongs to the signed-in user rather than the device.
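The following is an added example of the sensor pattern, written for this tutorial and not the sensor definitions from the GitHub repository referenced above. It assumes the key names dsregcmd /status prints (AzureAdJoined, DomainJoined, DeviceId, WorkplaceJoined, WorkplaceDeviceId; verify them on a test device) and that UEM records whatever the script writes with Write-Output.

```powershell
# Added example: one Workspace ONE UEM Windows sensor reads a single
# "Key : Value" line from dsregcmd /status and returns it via Write-Output.
# Key names are assumed from dsregcmd output; confirm on a test device.

function Get-DsregValue {
    param([Parameter(Mandatory)][string]$Key)
    $lines = & dsregcmd.exe /status 2>$null
    foreach ($line in $lines) {
        # Output lines look like "             AzureAdJoined : YES"
        if ($line -match ('^\s*' + [regex]::Escape($Key) + '\s*:\s*(.+?)\s*$')) {
            return $Matches[1]
        }
    }
    # Key absent (for example a user-scoped key queried in System context)
    return 'NOT FOUND'
}

# Each UEM sensor is a separate script that returns exactly one value.
# Device-scoped keys: deploy in System context.
#   win_azureadjoined     -> Get-DsregValue 'AzureAdJoined'      (YES / NO)
#   win_domainjoined      -> Get-DsregValue 'DomainJoined'       (YES / NO)
#   win_azuread_deviceid  -> Get-DsregValue 'DeviceId'           (device GUID)
# User-scoped keys: deploy in Current User context, because the workplace
# (Azure AD registered) state is stored per signed-in user.
#   win_workplacejoined   -> Get-DsregValue 'WorkplaceJoined'    (YES / NO)
#   win_workplacedeviceid -> Get-DsregValue 'WorkplaceDeviceId'  (device GUID)

# Body of the win_azureadjoined sensor:
Write-Output (Get-DsregValue -Key 'AzureAdJoined')
```

To create the other sensors, keep the function and change only the key in the final Write-Output line.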

Figure 4: Sensor details

Then assign the sensor to the smart group containing the devices you want to target and choose the right deployment type, such as Schedule for System context sensors and Event for Current User context sensors.

Figure 5: Sensor assignment deployment settings

After adding all the sensors that you want to use, wait for the devices to retrieve the definitions and report back the sensor data. You can see the sensor data in the device details for Workspace ONE UEM cloud environments or you might need to check Intelligence for on-premises UEM environments.

Figure 6: UEM device details Hybrid joined

Figure 7: UEM device details for workplace joined

Set Up Azure AD Enterprise App

Now, we have all the device information from UEM to build Freestyle automations and target the correct device in Azure AD.

To build out that part of the integration, we must add an enterprise application in Azure AD to which we can grant the permissions needed to update the device. Add the app through App registrations and set the permissions.

Figure 8: Azure App registration

We want to achieve two main actions with the integration:

  1. Revoke the user session – this requires the Microsoft Graph User.ReadWrite.All application permission.
  2. Update the device managed and compliance state – this requires the Microsoft Graph Device.ReadWrite.All application permission.

Figure 9: Azure App API permissions

Intelligence must authenticate to Azure AD (now known as Entra ID) to perform the API calls the automation requires. For this, we need the Application (Client) ID and must create a client secret; together they are used as client credentials to request OAuth access tokens.

Figure 10: Azure Application ID

Figure 11: Azure App Secret

Set Up Freestyle Automation

Now that the application is set up, go to Intelligence to add a custom connector integration under Integrations > Workflow Connectors.

For more information, see Intelligence Custom Connector documentation in VMware Docs.

Figure 12: Intelligence Custom Connector

Add a connector and enter the details required for authorization with the Microsoft Graph API. Use the following settings as guidance:

  • Base URL: https://graph.microsoft.com
  • Auth Type: OAuth2 Authentication
  • Client ID: the Application (Client) ID of the enterprise app
  • Client Authentication Location: Send client credentials in body
  • Grant Type: Client Credentials
  • OAuth2 Token URL: https://login.microsoftonline.com/AzureTenantID/oauth2/v2.0/token (replace AzureTenantID with your tenant ID)
  • Client Secret: the client secret created for the enterprise app
  • Scope: https://graph.microsoft.com/.default

Figure 13: Intelligence Custom Connector Authorization

Now we have the connector, but we must specify which Microsoft Graph API calls to perform. Intelligence custom connectors use exported Postman collections (Postman is a REST API testing tool) as blueprints for the calls. The collection we want to use has calls to set the isCompliant and isManaged flags as well as a call to revoke the current user sessions.
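The three Graph calls the collection wraps, shown here directly with Invoke-RestMethod so the request contract is visible. This is an added example, not the tutorial's Postman collection; the tenant ID, application ID, secret, user and device values are placeholders, and it assumes Graph's alternate-key form devices(deviceId='...') for addressing a device by the Azure AD device ID that the sensor reports (if your collection uses the device object ID, address it as /devices/{id} instead).

```powershell
# Added example of the Graph API calls behind the custom connector actions.
# All values below are placeholders (assumed), replace them with your own.
$TenantId     = '<AzureTenantID>'
$ClientId     = '<ApplicationID>'
$ClientSecret = '<ClientSecret>'

# 1. Client-credentials token request, matching the connector's auth settings
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret   # credentials in the body, as configured
        scope         = 'https://graph.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Set the managed/compliance state. The win_azuread_deviceid sensor value is
#    the Azure AD deviceId, so the device is addressed by that alternate key
#    (assumed form). Requires the Device.ReadWrite.All application permission.
function Set-AzureAdDeviceCompliance {
    param([Parameter(Mandatory)][string]$DeviceId,
          [Parameter(Mandatory)][bool]$Compliant)
    $body = @{ isManaged = $true; isCompliant = $Compliant } | ConvertTo-Json
    Invoke-RestMethod -Method Patch -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/devices(deviceId='$DeviceId')" `
        -ContentType 'application/json' -Body $body
}

# 3. Revoke the user's sign-in sessions (invalidates refresh tokens).
#    Requires the User.ReadWrite.All application permission.
function Revoke-AzureAdUserSessions {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Invoke-RestMethod -Method Post -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/revokeSignInSessions"
}

# Compliant workflow: mark the device managed and compliant
Set-AzureAdDeviceCompliance -DeviceId '<DeviceGUID>' -Compliant $true

# Non-compliant workflow: revoke sessions first, then flag the device
Revoke-AzureAdUserSessions -UserPrincipalName 'user@example.com'
Set-AzureAdDeviceCompliance -DeviceId '<DeviceGUID>' -Compliant $false
```

Running this once against a test device and then checking the Azure AD device audit log is a quick way to confirm the app permissions are sufficient before wiring the calls into a Freestyle workflow.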

Figure 14: Postman Azure Integration collection

Again, on GitHub, I saved a Postman collection export with the API calls to set the device compliance state and revoke the user session.

Figure 15: GitHub Postman Azure Integration collection

That collection can be imported under Import Actions in the custom connector; with that, we have custom actions that can be used inside Freestyle workflows.

Figure 16: Intelligence Custom Connector Import Action

The next step is to build the automation under Workspace > Freestyle in Intelligence. For more information, see Intelligence Freestyle Orchestrator documentation in VMware Docs.

Figure 17: Intelligence Freestyle Workflow Add

We build a flow on Workspace ONE UEM device data, and the automation triggers automatically based on the trigger rules we apply.

In our case, we want to target all enrolled Windows devices for which we receive sensor values of “YES” for domain joined and Azure AD joined, and whose compliance state is “compliant”.

Figure 18: Intelligence Freestyle Workflow Trigger rules

The following table provides an overview of which Azure AD join scenario is identified by which sensor value, and which sensor gives you the correct device ID. You must build the trigger accordingly to target the right device type.

Sensor value / Scenario    Azure AD Joined    Hybrid AAD joined    Workplace Joined/Registered
win_azureadjoined          YES                NO                   Not used
win_domainjoined           YES                YES                  Not used
win_workplacejoined        Not used           Not used             YES (User specific)
win_azuread_deviceid       Device GUID        Device GUID          Not used
win_workplacedeviceid      Not used           Not used             Device GUID (User specific)

To build out the actions, we first send a notification to let the user know that, because the device is compliant, they will have access to Office 365 and other Azure AD federated resources.

Figure 19: Intelligence Freestyle Workflow action notification

Next, we add the action for the Microsoft Graph API call, which targets the right device by passing the sensor data we received as a parameter in the call. You can add the variable with the + sign. Make sure the rest of the path_variable looks like the default value.

Figure 20: Intelligence Freestyle Workflow action Graph API call

Check how many devices are potentially affected, then save the workflow and run it once to apply the current state to Azure AD.

Follow the same steps to add a flow for non-compliant devices, changing the trigger to target devices that are non-compliant or have just been unenrolled.

Figure 21: Intelligence Freestyle Workflow Non-Compliant trigger rules

Again, we inform the user that, because of compliance violations, the device cannot access Office 365 resources. Then add actions to revoke the user sessions and set the device to non-compliant in Azure AD.

Figure 22: Intelligence Freestyle Workflow Non-Compliant actions notification and session revocation

Figure 23: Intelligence Freestyle Workflow Non-Compliant actions compliance false

You can already see a change in Azure AD > All Devices; devices that already reported back the sensor data are now set to the respective compliance state from UEM.

Figure 24: Azure AD All Devices compliant set

In the audit data, you should see that the state was updated by the enterprise app we created for the integration. In the details, you can see the fields that were updated on the device object: isManaged and isCompliant.

Similarly, you can see the update for non-compliant devices, where isCompliant was set to false.

Figure 25: Azure AD All Devices audit logs

Now, we can go into the Azure AD Conditional Access policies and apply a rule for all Windows devices and users that requires a compliant device. This setup is covered in the previous articles and videos: Setting up Azure Conditional Access rules.

Figure 26: Azure AD Conditional Access policy

This concludes the setup of the integration. The accompanying video, Custom API Zero Trust Integration with Azure AD, shows the different components in action and follows through with the workflow. This demo also depicts the end-user experience including messages they can expect to see on their device.

Summary and Additional Resources

This extension of our series on Workspace ONE compliance integrations into Azure AD and Office 365 provides an overview of how to combine an automation orchestrator, such as Workspace ONE Intelligence Freestyle, with an exposed API, such as Microsoft Graph, to build a custom integration that uses the device state or other data, in our case to enhance the security of your end-user solutions.

We welcome your feedback—comment on other integrations you would like us to work on or solutions you have already implemented.

Additional Resources

For more information about Zero Trust, you can explore the following resources:

Changelog

The following updates were made to this guide:

  • 2023/10/13: Guide was published.

About the Author

This document was written by:

  • Sascha Warno, Staff Architect Identity & Security Solutions, EUC Technical Marketing, VMware

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
