-
Notifications
You must be signed in to change notification settings - Fork 332
Steps to create config for MAM (Conditional access)
SameerK-MSFT edited this page Feb 14, 2022
·
22 revisions
There can be a scenario with a client App and a backend enterprise app. The user of the client app wants to access certain scopes defined in the backend enterprise app. The scope is accessible only when certain app protection policy and access conditions are met.
This article describes steps to create the required configuration for the above scenario.
- Create a test user (e.g. XamTestuser@XamTester.onmicrosoft.com)
- In the user - Licenses -> Click on assignments
- Select the following
- Enterprise Mobility + SEcurity ES
- Intune
- Microsoft 365 Business standard
Note: The policies do not apply to the guest user
- Create a test group (e.g. MAM_Test_Users) Note the name of the group. This will need to be assigned at later stages.
- Add the user to the test group
- In the Enterpise Applications section:
- Create New Application
- Click Create your own application
- Select "Register an application to integrate with Azure AD (App you're developing)" option
- After Create, it will take you to Register An Application screen. (Pain - Navigate to another screen).
- Select Multitenant and click Register.
- This will take you to the screen in #1
- Navigate to Enterprise Applications
- Select The application that you created
- Assign user group created earlier
- Click on Conditional Access
- Click New policy. Here are the options to select
- Users workload identities -> Select the group that was created earlier
- Cloud Apps or actions -> This would have the Enterprise app that was created
- Conditions. Select multiple options as follows
- Device Platforms - Yes and iOS + Android
- Client Apps -> Yes and select all the options
- Grant -> Select "Require app protection policy"
- At the bottom of the screen in Enable Policy select On
- Create
- Navigate to App Registrations (Note: NOT Enterprise. Pain to do at two places)
- Select the app you created.
- Click on "Add and Application ID URI"
- Click on Add a scope (e.g. Hello.World)
- It will generate a guid and App ID Uri and ask you to create a scope
- Note the URI of the scope. This is needed in the client application
- Click on API Permissions section
- Grant Admin consent
You are done with setting up the Enterprise App and Conditional Acces policy
- In App registration, create a new App - Choose Multi-tenant option
- Add platform URI for iOS and Android
- In API Permissions
- Add permissions for the scope created in the Entreprise App
- Click on Add a Permission
- Choose My APIs
- Select the one that was added in the Enterprise App (i.e. Hello.World)
- Select "Grant admin consent for
" (Even if Admin Consent required column shows no)
- Add permissions for the scope created in the Entreprise App
You are done with setting up the Client App
- Build a skeleton app.
- Make sure that the iOS has Xamarin.Intune.MAM.SDK.iOS packaged with it.
- To set up the app protection policy, you need to build the client App with the corresponding clientID
- For iOS, the .ipa file should be built
In Intune Portal:
- Click on Apps -> iOS Apps section
- Select Add
- Select App Type as Line of Business App
- Select the .ipa file that was built
- You may need to add some data in th App information to go the next screen i.e. Assignments
- In the Assignments screen under Available for enrolled devices
- Select Add all users
- In the Assignments screen under Available with or without enrollment
- Select Add Group
- Select the group that was created for testing
- Select Create -> This will create the Client App
Congratulations, you created App in the Intune
In Intune Portal:
- Click on Apps -> App Protection policies -> Create Policy iOS/MacOS
- After the Basic screen, it will lead to the Apps screen
- Data Protection screen -> You can select the options you want, I selected the following options.
- Send org data to other apps = Policy managed apps
- Save copies of org data = block
- Left other options to defualt and clicked next -> leads to Access requirements screen
- Access requirements screen -> Kept the defaults
- Conditional Launch -> Kept the defaults
- Assignments -> Included groups -> Add the group you created
Your creates App protection policy
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Xamarin Docs
- UWP
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- High Availability
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code