
App Enhancement - Microsoft Intune


Use the Microsoft Intune step to protect app data by adding Intune policies and the Microsoft Authentication Library (MSAL) to a mobile app without writing code. You can optionally configure an additional Blue Cedar Connect step for standards-based IKEv2 gateways to add in-app VPN functionality to the app.

Prerequisites

Microsoft Intune subscription  

An account with Application administrator privileges to register apps in the Azure Active Directory admin center

App registered in Microsoft with API permissions (as described below)

Enable the No-Code Microsoft Intune extension



Before using this step

Adding the Intune App SDK with the Microsoft Authentication Library to your apps allows the Microsoft identity platform to provide authentication and authorization services for your app and its users. To do this, you need to have done these steps once for each mobile app on your Azure Active Directory tenant: 

Register the mobile app on the Microsoft portal

  1. Using an account with Application administrator privileges, log into the Azure Active Directory admin center:

    https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps 
  2. Search for an existing app or, to create a new registration, follow these steps:
    1. Click + New registration.
    2. On the "Register an application" screen, enter a name.
    3. Under "Supported account types," select "Accounts in this organizational directory only."

      Note: This is the setting for single-tenant registrations. If you are offering the app to many organizations as a service provider (such as an ISV), see Setting up multi-tenant Intune enrollment for MSAL users.
    4. Click Register.

Configure API permissions for the mobile app

  1. On the screen for your app registration, copy these values from the Essentials section and save them to use on the Blue Cedar Platform for configuration:
    • Application (client) ID
    • Directory (tenant) ID
  2. On the same application screen, click API permissions, and add the following permissions:
    • Microsoft Graph API:
      • Directory.Read.All
      • Device.Read.All
    • Microsoft Mobile Application Management
      • DeviceManagementManagedApps.ReadWrite
    • Intune API:
      • get_data_warehouse

Using this step in a workflow

Authentication

On the Blue Cedar Platform, in the workflow builder for your app:

  • Add the App Enhancement stage.
  • Add the Microsoft Intune step to the workflow.

You must also customize the Azure AD Application ID and your Tenant Name. The Intune service gives you app protection and a single sign-on (SSO) experience that authenticates to cloud or on-premises Active Directory (AD). 

Click on the options gear next to Intune in the workflow outline. Configure the Azure AD Authentication options:

Configuration

Option

Details

Azure AD Application ID

Required. The Azure AD application (client) ID of the app registration. You can copy it from the Essentials section of the app registration in the Azure AD admin center.

Example: af325ed9-7761-5ae0-ac36-ea5b62359ad4

Tenants

Required.

  • Single Tenant: A base URL for the Azure AD authority that the app uses to authenticate.
    Default: https://login.microsoftonline.com/tenant-name
    For example: https://login.microsoftonline.com/intuneacme.onmicrosoft.com 
  • Multi-Tenant: If you want to enable multi-tenant for your app, refer to Setting up multi-tenant Intune enrollment for MSAL users.

Use Microsoft Authenticator App

Enable to use Microsoft Authenticator, which is a separate external authentication broker app.

Redirecting authentication flows to an authentication broker allows apps that do not have the same signer to use the MSAL cache in the authentication broker to achieve Single Sign-On (SSO), for example between Microsoft apps and third-party apps. Using an authentication broker also allows Multi-Factor Authentication (MFA) flows to be used.

Azure AD Cache Identifier Override

Optional, iOS only. The platform-specific identifier used to control where Azure AD cache information is stored to allow sharing between apps.

Note: This is an advanced option to customize token sharing between specific apps. Most scenarios for sharing tokens are better satisfied by using the Microsoft Authenticator app.

On iOS, this is used as a Shared Keychain ID. Note that apps must have the same signer (Team ID) to share Azure AD cache information directly.

This option is unavailable if Use Microsoft Authenticator App is enabled.

Rule-Based Authentication

Add URLs to this list to use OAuth authentication for app requests to those URLs. For example, if the app requests a URL within the bluecedar.com domain and https://*.bluecedar.com/* is on the list, the OAuth token obtained when the app was initially authenticated is passed to that URL for authentication.

If the app requests a URL that isn't on this list, there is no effect—the app attempts to connect to the URL as usual.

Format: You can use hostnames or IP addresses, as long as each entry starts with http:// or https://. Standard wildcard/glob matching applies.
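The page states that entries must start with http:// or https:// and that standard wildcard/glob matching applies, but it does not say how the glob is applied to a requested URL. The following is an added illustrative matcher, not Blue Cedar Platform code; the rule list, request URLs and the scheme/host/path matching semantics are all constructed assumptions. It contrasts a naive whole-URL glob with a structured match, because a bare `*` also matches `/`, `?` and `@`, so a host wildcard in a whole-URL glob can be satisfied by a different host whose query string contains the expected text, which would send the OAuth token to that host.

```python
"""Illustrative Rule-Based Authentication matcher (constructed example).

Not Blue Cedar Platform code. The rule format (entries start with http:// or
https://, glob wildcards allowed) comes from the documentation; the decision
to parse the URL and match scheme, host and path separately is an assumption
about sensible semantics, shown here so the pitfall of whole-URL globbing is
visible.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed rule list in the documented format (hypothetical hosts).
RULES = [
    "https://*.bluecedar.com/*",
    "https://api.example.test/v1/*",
]


def validate_rules(rules):
    """Return the entries that violate the documented format
    (each entry must start with http:// or https://)."""
    return [r for r in rules if not r.startswith(("http://", "https://"))]


def naive_match(url, rules):
    """Glob the whole URL string.

    Shown only to illustrate the pitfall: fnmatch's '*' is not bounded by
    '/', so 'https://*.bluecedar.com/*' also matches a URL on another host
    whose query string contains '.bluecedar.com/'.
    """
    return any(fnmatchcase(url, rule) for rule in rules)


def should_attach_token(url, rules):
    """Structured match: scheme must be equal, host is globbed on its own,
    path is globbed on its own. Ports and query strings are deliberately
    ignored in this example."""
    bad = validate_rules(rules)
    if bad:
        raise ValueError(f"rules must start with http:// or https://: {bad}")

    req = urlsplit(url)
    if req.scheme not in ("http", "https") or not req.hostname:
        return False
    req_path = req.path or "/"

    for rule in rules:
        r = urlsplit(rule)
        if r.scheme != req.scheme:
            continue
        # urlsplit lower-cases hostnames, so 'API.BLUECEDAR.COM' still works.
        if not fnmatchcase(req.hostname, r.hostname or ""):
            continue
        rule_path = r.path or "*"  # a rule with no path matches every path
        if fnmatchcase(req_path, rule_path):
            return True
    return False


if __name__ == "__main__":
    lookalike = "https://evil.example/?next=.bluecedar.com/x"
    print("naive :", naive_match(lookalike, RULES))          # True
    print("parsed:", should_attach_token(lookalike, RULES))  # False
```

The naive and structured functions agree on ordinary requests such as `https://api.bluecedar.com/v2/items`; they disagree only on look-alike URLs, which is exactly the case a matcher that decides where a bearer token goes must get right.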

Secure Connectivity

Optionally, you can add an in-app VPN to Intune-enabled apps. This service lets you designate an IKEv2 gateway with options for proxy servers and private certificates. To configure a gateway with the connectivity option of the Blue Cedar Connect step, see the Blue Cedar Connect step.

Related topics

Microsoft Intune-integrated apps can be managed with the Microsoft Endpoint Manager. Once an app has been integrated with Microsoft, you can push the app manually or automatically to the Microsoft Endpoint Manager for distribution. Enable and configure the Microsoft Endpoint Manager distribution extension to access this service.
