Sync VMware Workspace ONE managed device compliance state to Azure AD

VMware Workspace ONE offers many useful conditions that can be applied in its own conditional access rules, one of them being the compliance status of a Workspace ONE managed device. Many organizations, however, also use Azure AD (AAD) conditional access rules and want to use device compliance as a condition there as well. You might think that compliance of Intune managed devices is the only way to apply device compliance in AAD conditional access rules, but that is not the case: AAD conditional access rules can also consume device compliance status from third parties such as VMware. This short blog post explains how it's done.

Before: Device compliance status in Azure AD

I have a device (WS1TESTDEV01) enrolled in Workspace ONE with Autopilot.

As you can see in the picture above, WS1TESTDEV01 is marked as not compliant.

What we want to achieve is for Workspace ONE to sync every device's compliance state to Azure AD.

Configure device compliance sync in Workspace ONE

Requirements

As part of the device enrollment process, it is required to have the device being enrolled in Azure AD. This can be with or without making use of Autopilot. You also require a Microsoft Intune license. Read this for all the prerequisites.

Workspace ONE Configuration

As far as I’ve seen, the following steps can only be configured on the root organizational group (OG) level. Therefore, in Workspace ONE UEM, select the root OG and click Groups & Settings.

Click All Settings.

Click Enterprise Integration.

Click Directory Services.

Scroll down to the Azure Active Directory section and click Enable for Use compliance data in Azure conditional access policies.

Select Enabled for Use compliance data in Azure conditional access policies for Windows and/or Use compliance data in Azure conditional access policies for iOS, Android, and macOS.

Click Save.

If you receive an Enable Failed message, like the one below, click the Opt In button and go through the process that follows. After that, repeat the steps above.

If all goes well, you should see a message for a successful sync.

After: Device compliance status in Azure AD

Since the device compliance state from Workspace ONE is now synced to Azure AD, you can see that our device (WS1TESTDEV01) is now marked as compliant in Azure AD.

Syncing the device compliance state from Workspace ONE to Azure AD now gives you the ability to use the Workspace ONE device compliance state as a condition in Azure AD conditional access rules.
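To verify the before/after state without clicking through the portal, the following Microsoft Graph PowerShell snippet reads the compliance flags on the Azure AD device object. This is an added example and not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed, the caller has consented to Device.Read.All, and the device name WS1TESTDEV01 from above.

```powershell
# Added example (not from the original post): read the compliance state that
# Workspace ONE synced onto the Azure AD device object.
# Assumes the Microsoft Graph PowerShell SDK and Device.Read.All consent.
Connect-MgGraph -Scopes 'Device.Read.All'

function Get-AadDeviceComplianceState {
    param([Parameter(Mandatory)][string]$DisplayName)

    # isCompliant is the flag a compliance-based Conditional Access rule evaluates;
    # managementType / trustType show how the device is managed and joined.
    $props = 'id', 'displayName', 'isCompliant', 'isManaged', 'managementType',
             'trustType', 'operatingSystem', 'approximateLastSignInDateTime'

    Get-MgDevice -Filter "displayName eq '$DisplayName'" -Property $props |
        Select-Object displayName, isCompliant, isManaged, managementType,
                      trustType, operatingSystem, approximateLastSignInDateTime
}

# Before enabling the sync this shows IsCompliant = False (or empty);
# after a successful sync the same device should show IsCompliant = True.
Get-AadDeviceComplianceState -DisplayName 'WS1TESTDEV01'

# Wider check: every managed device still reported as non-compliant, i.e. the
# population that a compliance-based Conditional Access rule will block.
Get-MgDevice -Filter 'isManaged eq true and isCompliant eq false' `
    -Property 'displayName', 'operatingSystem', 'managementType' -All |
    Select-Object displayName, operatingSystem, managementType
```

Run the first call before and after the Workspace ONE configuration to confirm the sync actually changed the flag, and use the second to spot devices that would be blocked once the rule goes live.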

Android / iOS / macOS

If you want to use the Workspace ONE device compliance state for Android, iOS and macOS devices in Azure AD, make sure to add VMware Workspace ONE mobile compliance as a compliance partner in Intune.

Go to the Intune management portal and click Tenant administration.

Click Connectors and tokens.

Click Partner compliance management.

Click Add compliance partner.

Select VMware Workspace ONE mobile compliance as the Compliance partner and select a platform.

Continue with the assignment and creation steps and repeat the same steps for every platform that you want to enable.
