question

LouieAndyTIS-1555 asked Crystal-MSFT commented

How to redirect a user to sign in to the Company Portal app on an iOS device when the user opens Outlook

I am using the enrollment profile Setup Assistant with modern authentication. It works, but the user has to manually open the Company Portal app and sign in to make the device compliant. This enrollment policy doesn't force the user to sign in to Company Portal. I want to make it so that if the user taps the Outlook app, Company Portal opens first and forces the user to sign in, and then it opens the Outlook app.
I am looking at app-based Conditional Access. I am at the part "Cloud apps or actions", in "Select the app". Do I select Office 365 Exchange?
In Conditions, under Device Platform I selected iOS, and under Client apps I selected Browser and Mobile apps and Desktop.
What do I select for Access Control and Sessions?

Tags: mem-intune-device-configurations, mem-intune-enrollment

Crystal-MSFT answered Crystal-MSFT edited

@LouieAndyTIS-1555, thanks for the reply. For app-based Conditional Access, it will redirect to the broker app. For iOS it is Microsoft Authenticator. Here is a link for reference:
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune

If we want to try, for the cloud app for email access, I think it can be "Office 365" or "Exchange Online".
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps
For the Grant field, we can configure "Require approved client app" and "Require app protection policy".
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant

Thanks for the understanding and have a nice day!



LouieAndyTIS-1555 answered Crystal-MSFT commented

Hello, based on this article, it says:
https://techcommunity.microsoft.com/t5/intune-customer-success/setup-assistant-with-modern-authentication-for-ade-intune-public/ba-p/2279061

Company Portal Redirection
A new improvement we’ve made to our onboarding experience helps guide users to complete that second Azure AD authentication by automatically redirecting to the iOS/iPadOS Company Portal when the user attempts to access corporate data.


If users open any managed iOS/iPadOS applications that are protected by Conditional Access and they haven't completed the additional Azure AD sign in to the iOS/iPadOS Company Portal, they will be redirected to the Company Portal from those other apps as part of this new change. This way, users are guided to complete that last step before they can access resources protected by Conditional Access.
But the article doesn't give me instructions on how to do this.


@LouieAndyTIS-1555, thanks for letting me know this. I will modify my previous reply.

In the blog, it mentions that opening any managed iOS/iPadOS application that is protected by Conditional Access will do the redirection. Here we can configure as below:
Assignment: choose the user group we want to test.
Cloud app: select "Office 365", which includes Exchange Online.
Conditions: we can set Device platform as iOS and Client apps as "Modern authentication clients".
Access control: choose Grant and select "Require approved client app" and "Require app protection policy".
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create

We can configure this to test if it can make the redirection. Hope it can help.


@LouieAndyTIS-1555. Hope things are going well. If there's any update, feel free to let us know.

LouieAndyTIS-1555 answered Crystal-MSFT commented

Hello, I created the Conditional Access policy.
For the Cloud app I chose Office 365.
For Conditions, in Device Platform I chose iOS. But in the Client apps section in Conditions, what do I choose for Modern authentication clients? The only choices I have are Browser, and Mobile apps and Desktop clients; another section, Legacy authentication clients, has Exchange ActiveSync clients and Other clients.
146606-screen-shot-2021-11-04-at-110643-am.png



As a test I clicked on Mobile apps in the Modern authentication clients section and opened Outlook. It didn't direct me to Company Portal to sign in; it redirected me to download the Authenticator app from Microsoft. Since this is a managed device, I thought I wouldn't need the Microsoft Authenticator app.



@LouieAndyTIS-1555. For the managed device, is it a device which is already enrolled?

LouieAndyTIS-1555 answered Crystal-MSFT commented

Yes, for my testing this is an ADE device that I factory wiped and enrolled using the enrollment profile Setup Assistant with modern authentication, so this is a managed device. I didn't make any app protection policy, just FYI.


@LouieAndyTIS-1555, for the authentication method Setup Assistant with modern authentication, users are required to authenticate with their Azure AD credentials twice during the enrollment. The Company Portal redirection occurs during the enrollment when the user opens a managed application protected by Conditional Access before the second Azure AD authentication. Could you confirm whether we opened the managed app before the second authentication?

Meanwhile, could you let us know if we only selected "Require approved client app" under Access control?

LouieAndyTIS-1555 answered Crystal-MSFT commented

Hello, I opened the Outlook app, and this Outlook is a managed application. I already have a Conditional Access policy, included in this screenshot, that blocks the user from using the native Apple Mail account and forces the user to open Outlook. I clicked on Outlook and it doesn't do the redirection. During the Setup Assistant I did log in with my test e-mail account to authenticate, but after that, when I click on Outlook, it doesn't do the redirection.

147449-out2.jpg (145.3 KiB)
147340-out1.jpg (91.7 KiB)

@LouieAndyTIS-1555, thanks for the detailed description. From your description, it seems the redirection still does not happen before the second Azure AD authentication. Here I have done more research. I find that the following article mentions configuring "Require device to be marked as compliant". Maybe we can try to set it in Conditional Access to see if the redirection can happen:

147546-image.png
https://techcommunity.microsoft.com/t5/intune-customer-success/move-to-setup-assistant-with-modern-authentication-for-automated/ba-p/2556536


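The policy this thread has been building up (cloud app Office 365, platform iOS, modern authentication clients, Grant = "Require approved client app" plus "Require app protection policy"), with the "Require device to be marked as compliant" control suggested in the comment above as an optional addition, written out as a Microsoft Graph PowerShell call. This is an added example, not code from the thread or from Microsoft's documentation. The pilot group ID is a placeholder, the Graph scopes are what I assume the signed-in admin needs, and the policy is created in report-only mode so its effect on sign-ins can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not from the thread): create the app-based Conditional Access
# policy discussed above with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can
# consent to the scopes below (assumed to be sufficient for create + read).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: replace with the object ID of the pilot user group.
$TestGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "iOS - Office 365 - require approved app and APP (pilot)"
    # Report-only first: the sign-in logs show what the policy *would* do
    # without locking anyone out while the redirection behaviour is tested.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($TestGroupId)
        }
        applications = @{
            # "Office365" is the Graph special value for the Office 365 app
            # suite, which includes Exchange Online.
            includeApplications = @("Office365")
        }
        platforms = @{
            includePlatforms = @("iOS")
        }
        # The portal's "Modern authentication clients" group corresponds to
        # these two client app types.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # AND = "Require all the selected controls" in the portal.
        operator = "AND"
        builtInControls = @(
            "approvedApplication",   # Require approved client app
            "compliantApplication"   # Require app protection policy
            # Add "compliantDevice" here to also require the device to be
            # marked as compliant, the extra control suggested in the thread.
        )
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what was stored before changing its state.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State
```

Once the report-only results look right for the pilot group, change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`; leaving `users` scoped to a pilot group keeps a misconfigured grant control from blocking every iOS user in the tenant.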
LouieAndyTIS-1555 answered Crystal-MSFT commented

147715-screen-shot-2021-11-09-at-122725-am.png




In the Grant section, you want me to check the box to require the device to be marked as compliant and then, as another test, factory wipe the device and enroll again.



@LouieAndyTIS-1555, thanks for the reply. If this is a test device, we can unenroll it, check the box in Grant, then enroll again to test. If this is not a test device, maybe we can find another device that is not enrolled to test.
