Use no-code integration to integrate the Microsoft Intune policies and the Microsoft Authentication Library into your mobile app. You can optionally configure an additional sub-step to add a secure microtunnel to the app.

Prerequisites

Microsoft Intune subscription  

An account with Application administrator privileges to register apps in the Azure Active Directory admin center

App registered in Microsoft with API permissions (as described below)

Stage: App Enhancement

Before using this step

Adding the Intune App SDK with the Microsoft Authentication Library to your apps allows the Microsoft identity platform to provide authentication and authorization services for your app and its users. To do this, you need to have done these steps once for each mobile app on your Azure Active Directory tenant: 

Register the mobile app on the Microsoft portal

  1. Using an account with Application administrator privileges, log into the Azure Active Directory admin center:

    https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps 
  2. Search for an existing app or, to create a new registration, follow these steps:
    1. Click + New registration.
    2. On the "Register an application" screen, enter a name.
    3. Under "Supported account types," select "Accounts in this organizational directory only."

      Note: This is the setting for single-tenant registrations. If you are offering the app to many organizations as a service provider (such as an ISV), see Setting up multi-tenant Intune enrollment for MSAL users.
    4. Click Register.

Configure API permissions for the mobile app

  1. On the screen for your app registration, copy these values from the Essentials section and save them to use on the Blue Cedar Platform for configuration:
    • Application (client) ID
    • Directory (tenant) ID
  2. On the same application screen, click API permissions, and add the following permissions:
    • Microsoft Graph API:
      • Directory.Read.All
      • Device.Read.All
    • Microsoft Mobile Application Management
      • DeviceManagementManagedApps.ReadWrite
    • Intune API:
      • get_data_warehouse

Using this step in a workflow

On the Blue Cedar Platform, in the workflow builder for your app:

  • Add the App Enhancement stage
  • Add the Microsoft Intune step to the workflow.

You must also customize the Azure AD Application ID and your Tenant Name. The Intune service gives you app protection and a single sign-on (SSO) experience that authenticates to cloud or on-premises Active Directory (AD).

Click on the options gear next to Intune in the workflow outline. Configure the Azure AD Authentication options (each option is listed below with its details):

Azure AD Application ID

Required. The app’s Azure AD application ID, specific to that app. This can be retrieved from the app properties in the Azure AD admin center. 

Example: af325ed9-7761-5ae0-ac36-ea5b62359ad4

Tenant Name

Required. A base URI for the Azure AD authority that the app uses to authenticate.

Default: https://login.microsoftonline.com/tenant-name

For example: https://login.microsoftonline.com/intuneacme.onmicrosoft.com 

Use Microsoft Authenticator App

Enable to use Microsoft Authenticator, which is a separate external authentication broker app.

Redirecting authentication flows to an authentication broker allows apps that do not have the same signer to use the MSAL cache in the authentication broker to achieve Single Sign-On (SSO), for example between Microsoft apps and third-party apps. Using an authentication broker also allows Multi-Factor Authentication (MFA) flows to be used.

Azure AD Cache Identifier Override

Optional, iOS only. The platform-specific identifier used to control where Azure AD cache information is stored to allow sharing between apps.

Note: This is an advanced option to customize token sharing between specific apps. Most scenarios for sharing tokens are better satisfied by using the Microsoft Authenticator app.

On iOS, this is used as a Shared Keychain ID. Note that apps must have the same signer (Team ID) to share Azure AD cache information directly.

This option is unavailable if Use Microsoft Authenticator App is enabled.

Rule-Based Authentication

Add URLs to this list to use OAuth authentication for app requests to those URLs. For example, if the app requests a URL within the bluecedar.com domain and https://*.bluecedar.com/* is on the list, the OAuth token obtained when the app was initially authenticated is passed to that URL for authentication.

If the app requests a URL that isn't on this list, there is no effect—the app attempts to connect to the URL as usual.

Format: You can use hostnames or IP addresses, as long as each entry starts with http:// or https://. Standard wildcard/glob matching applies.
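The following is an added example (not Blue Cedar Platform code) that shows how a rule list in the format above decides whether an outgoing request receives the OAuth token. It assumes glob matching is applied to the scheme, host and path separately; the page does not specify the platform's exact matcher, and the rule entries and URLs are constructed.

```python
"""Decide whether an app request gets the OAuth token, mirroring the
Rule-Based Authentication list described above (added example)."""
import fnmatch
from urllib.parse import urlsplit

# Constructed rule list in the page's format: hostnames or IP addresses,
# each entry starting with http:// or https://, glob wildcards allowed.
RULES = [
    "https://*.bluecedar.com/*",
    "http://10.0.0.5/*",
]


def validate_rule(rule):
    """Reject entries that do not start with http:// or https://."""
    if not rule.startswith(("http://", "https://")):
        raise ValueError(f"rule must start with http:// or https://: {rule}")
    return rule


def _components(url):
    """Split a URL (or glob rule) into lower-cased scheme, host and path."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.path or "/"


def rule_matches(rule, url):
    """Glob-match scheme, host and path as separate components (assumption).
    Matching the whole URL as one glob would let '*' in the host part run
    across '/', so https://evil.example/x.bluecedar.com/ would wrongly
    receive the token; the scheme check also stops an https rule from
    releasing the token over plain http."""
    r_scheme, r_host, r_path = _components(validate_rule(rule))
    u_scheme, u_host, u_path = _components(url)
    return (r_scheme == u_scheme
            and fnmatch.fnmatchcase(u_host, r_host)
            and fnmatch.fnmatchcase(u_path, r_path))


def token_target(url, rules=RULES):
    """Return the first matching rule (token is attached) or None
    (no effect: the app connects to the URL as usual, without the token)."""
    for rule in rules:
        if rule_matches(rule, url):
            return rule
    return None
```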

Adding connectivity

Optionally, you can add an in-app VPN to Intune-enabled apps. This service lets you designate an IKEv2 gateway with options for proxy servers and private certificates. To configure this secure microtunnel connectivity option, see the sub-step:

Related topics

Microsoft Intune-integrated apps can be managed with the Microsoft Endpoint Manager. Once an app has been integrated with Microsoft, you can push the app manually or automatically to the Microsoft Endpoint Manager for distribution. Enable and configure the Microsoft Endpoint Manager distribution extension to access this service.