Creating configuration for InTune Mobile App Management conditional access

Article
11/28/2023

Scenario

There is a scenario when a user of a client application wants to access resources protected by specific permissions (i.e., scopes) in a backend application. The resource is accessible only when certain app protection policies and access conditions are met. In such situation, an access token is issued only when the conditions are met.

This scenario includes a backend application, and an iOS and Android client applications. The setup for the two platforms is slightly different. This article describes the steps to correctly configure these applications for the above scenario to work. At the same time, the article avoids going into granular details. Read more in Intune Mobile App Management.

Setup application

Setup User and Group for testing

Sign in to Microsoft Entra ID.
Create a test user (e.g. XamTestuser@XamTester.onmicrosoft.com).
On the user profile page, go to Licenses.
Click on Assignments and select the following:
- Microsoft Entra ID P1 or P2 License
- Enterprise Mobility + Security
- Intune
- Microsoft 365 Business standard
Note

These policies do not apply to guest users.
Create a test group (e.g. MAM_Test_Users).

Note

Remember the name of the group. This will need to be assigned at later stages.
Add the new user to this group.

Setup Enterprise App and Conditional Access policy

In Microsoft Entra ID, go to Enterprise Applications section.
Click on New application.
Click Create your own application.
Select Register an application to integrate with Microsoft Entra ID (App you're developing) option.
After Create screen, it will take you to Register An Application screen.
Select Multitenant and click Register.
This will take you to the screen in #1.

Enable conditional access:

Navigate to Enterprise Applications.
Select the application that you created.
Assign the user group that was created earlier.
Click on Conditional Access.
Click New policy and select:
- In Users or workload identities, select the group that was created earlier.
- In Cloud Apps or actions, verify that this has the enterprise application that was created.
- In Conditions, select multiple options:
  - Device Platforms - select Yes and choose iOS + Android.
  - Client Apps - select Yes and select all the options.
- In Grant, select Require app protection policy.
- At the bottom of the screen in Enable Policy, select On.
Click Create.

Configure permissions (e.e. scopes):

Navigate to App registrations. (Note: This is not Enterprise applications.)
Select the app you created.
Click on "Add Application ID URI".
Click on Add a scope (e.g. Hello.World).
It will generate a Guid and Application ID Uri and ask you to create a scope.
Note the URI of the scope. This is needed in the client application.
Click on API Permissions section.
Click on Add a permission.
Select the permission created in the earlier stage and click Add Permission.
Click Add a permission again.
Select APIs my organization uses.
Select Microsoft Mobile Application Management - DeviceManagementManagedApps.ReadWrite.
Click Add permission.
Grant Admin consent.

Setup Client Apps

In Microsoft Entra ID, go to App registration.
Create a new app and choose multitenant option.
Add platform URI for iOS.
Add platform URI for Android.
Go to API Permissions.
Add permissions for the scope created in the backend application:
1. Click on Add a Permission.
2. Choose My APIs.
3. Select the scope that was added in the backend app (i.e. Hello.World).
4. Click Add a permission again
5. Select APIs my organization uses.
6. Select Microsoft Mobile Application Management - DeviceManagementManagedApps.ReadWrite.
7. Click Add permission.
8. Select Grant admin consent for your tenant (even if Admin consent required column shows No).

Setup in Intune

Build the iOS Client App

Build a skeleton app with the client ID from the Microsoft Entra ID.
Make sure that the iOS app references Xamarin.Intune.MAM.SDK.iOS package.
For iOS, the IPA file should be built.

Build the Android Client App

Build a skeleton app with the client ID from the Microsoft Entra ID.
Make sure that the Android app references Microsoft.Intune.MAM.Xamarin.Android package.
For Android, the APK file should be built.

Setup Apps in Intune

You will have to follow the same steps twice, once for the iOS app and again for the Android app with the differences as noted.

Go to In Intune Portal.
Create an app:
- For iOS, click on Apps > iOS Apps section.
- For Android, click on Apps -> Android Apps section.
Select Add.
Select App Type as Line-of-business app.
Upload the build file.
- For iOS, select the .ipa file that was built.
- For Android, select the .apk file that was built.
You may need to fill out some information in the App information, like Publisher name.
In the Assignments screen, under Available for enrolled devices:
- Select Add all users.
In the Assignments screen, under Available with or without enrollment:
- Select Add Group.
- Select the group that was created.
Select Create to complete the client application registration.

Setup App Protection Policy in Intune