This is a worked example of integrating Microsoft Intune with Okta Device Trust, followed from the Okta and Intune admin consoles through to a test user's device.
Before you set up the Intune integration, collect the Okta side of the configuration as follows:
Log in to your Okta account as an administrator.
Go to Security > Device Trust.
Click "Edit" on the device type (Android, Apple) for which you want to enable Device Trust.
To configure and enable Device Trust for Android and/or Apple devices, we need to fill in the MDM Provider settings.
Click "Edit".
Copy the "Secret Key" value. This is the value you will later deliver to the Okta Mobile app as managementHint in the Intune app configuration policy. Treat it as a credential: it is what lets the app show Okta that the device is managed, so keep it out of tickets and chat.
In a new browser tab, log in to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/#home) as an administrator.
Your Microsoft Intune settings are managed within Microsoft Endpoint Manager.
We will be doing two key things: adding the Okta Mobile app to Intune, then creating an app configuration policy that delivers the Okta org URL and the Device Trust secret key to that app.
In the Microsoft Endpoint Manager admin center, go to Apps > Apps.
Click +Add
Select "Managed Google Play app" from the drop down menu.
Once you have selected "Managed Google Play app", click "Select".
Search for "Okta Mobile", click Approve, then Approve again to confirm the app permissions.
You should then see it listed on the Apps > Apps summary page.
We can now create an app configuration policy that will refer to our "Okta Mobile" app.
In the Microsoft Endpoint Manager admin center, go to Apps > App configuration policies.
Click "+ Add" and select "Managed devices".
Fill in the "Create app configuration policy" basics (name, platform, and "Okta Mobile" as the targeted app) and click Next.
You can now set your "Configuration settings". Select "Use configuration designer" from the dropdown menu and click Next.
In the panel that opens on the right of the screen, tick each of the checkboxes and click OK.
The selected keys then appear with empty values for you to populate.
Replace each "Configuration value" text box with your Okta details: the org URL, the username value, and the secret key copied from Okta.
Alternatively, select "Enter JSON data" (Android) or "Enter XML data" (Apple) from the dropdown menu, click Next, and paste the payload directly. Note that the Android payload is JSON and the Apple payload is an XML property list; the two are not interchangeable.
For Android, use this JSON format (every string value, including the URL and the secret, must be quoted):
{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.okta.android.mobile.oktamobile",
  "managedProperty": [
    {
      "key": "siteName",
      "valueString": "https://yourdomain.okta.com"
    },
    {
      "key": "username",
      "valueString": "yourdomain"
    },
    {
      "key": "managementHint",
      "valueString": "secret-key-goes-here"
    }
  ]
}
For Apple, use this XML property list (plist) format. Use straight quotes throughout, quote the DTD URL, and do not wrap the secret in quotation marks inside the <string> element, or the value the app receives will include them:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Domain</key>
  <string>https://yourdomain.okta.com</string>
  <key>managementHint</key>
  <string>secret-key-goes-here</string>
</dict>
</plist>
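As an added example (not code from the article, Okta or Microsoft), the Python script below builds both payloads from one set of values and then parses them back the way a device would, so that problems such as unquoted JSON strings, curly quotes in the XML declaration, or a secret wrapped in quotation marks are caught before the policy is pushed. The key names and the productId are the ones in the payloads above; the org URL, username and secret are placeholders to replace with your own values.

```python
"""Build and sanity-check the Okta Mobile app-configuration payloads for Intune.

Added example, not from the original article, Okta or Microsoft. The key
names (siteName, username, managementHint, Domain) and the productId come
from the payloads shown above; ORG_URL, USERNAME and SECRET are placeholders.
Requires only the Python standard library.
"""
from __future__ import annotations

import json
import plistlib
from urllib.parse import urlparse

PRODUCT_ID = "app:com.okta.android.mobile.oktamobile"
PLACEHOLDER_SECRETS = {"secret-key-goes-here", ""}
QUOTE_CHARS = "\"'\u201c\u201d"  # straight quote, apostrophe, curly double quotes

# Placeholders: replace with your Okta org URL and the Device Trust secret key.
ORG_URL = "https://yourdomain.okta.com"
USERNAME = "username-goes-here"
SECRET = "secret-key-goes-here"


def check_inputs(org_url: str, secret: str) -> list[str]:
    """Return problems with the values that would go into the policy (empty = OK)."""
    problems = []
    u = urlparse(org_url)
    if u.scheme != "https" or not u.netloc:
        problems.append(f"org URL must be an https URL, got {org_url!r}")
    elif u.path not in ("", "/") or u.query or u.fragment:
        problems.append("org URL should be just the org hostname, with no path or query")
    s = secret.strip()
    if s in PLACEHOLDER_SECRETS:
        problems.append("managementHint still holds the placeholder secret")
    elif s != secret or s[0] in QUOTE_CHARS or s[-1] in QUOTE_CHARS:
        # Intune hands the value to the app verbatim, so stray quotes or
        # whitespace become part of the value the app presents to Okta.
        problems.append("managementHint has surrounding quotes or whitespace")
    return problems


def android_managed_config(org_url: str, username: str, secret: str) -> str:
    """Android Enterprise managed configuration (Intune 'Enter JSON data')."""
    doc = {
        "kind": "androidenterprise#managedConfiguration",
        "productId": PRODUCT_ID,
        "managedProperty": [
            {"key": "siteName", "valueString": org_url},
            {"key": "username", "valueString": username},
            {"key": "managementHint", "valueString": secret},
        ],
    }
    return json.dumps(doc, indent=2)


def ios_plist(org_url: str, secret: str) -> bytes:
    """iOS/iPadOS app configuration property list (Intune 'Enter XML data')."""
    return plistlib.dumps({"Domain": org_url, "managementHint": secret},
                          fmt=plistlib.FMT_XML)


def format_errors(android_json: str, ios_xml: bytes) -> list[str]:
    """Parse both payloads the way a device would and return any syntax errors."""
    errors = []
    try:
        json.loads(android_json)
    except json.JSONDecodeError as e:
        errors.append(f"Android JSON: {e.msg} (line {e.lineno})")
    try:
        plistlib.loads(ios_xml)
    except Exception as e:  # expat syntax errors or plistlib.InvalidFileException
        errors.append(f"iOS plist: {e}")
    return errors


def parse_back(android_json: str, ios_xml: bytes) -> dict:
    """Return the key/value pairs each platform's app would actually receive."""
    android = {p["key"]: p["valueString"]
               for p in json.loads(android_json)["managedProperty"]}
    return {"android": android, "ios": plistlib.loads(ios_xml)}


if __name__ == "__main__":
    for problem in check_inputs(ORG_URL, SECRET):
        print("input problem:", problem)
    a, p = android_managed_config(ORG_URL, USERNAME, SECRET), ios_plist(ORG_URL, SECRET)
    print(a)
    print(p.decode())
    print("syntax errors:", format_errors(a, p) or "none")
```

Run it once with your real values and paste the printed payloads into the policy; if format_errors reports anything, or check_inputs lists a problem, fix the value rather than the output.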
Under the "Included groups" section, click "Add all users" (or your preferred groups).
You will then be presented with a "Review + create" page; review the details and click "Create".
Once you have saved your app configuration policy, you should see a summary page for it.
We can now enrol devices into Microsoft Intune to test.
If you have not already, you first need to configure Microsoft Intune for Android and/or Apple enrolment, as that is what allows Intune to manage devices through their operating system platforms.
I have detailed this optional section at the end of this article, which walks you through enrolment for Android, Apple and Windows 10 devices.
Assuming you have configured Google and/or Apple to allow Intune to manage devices on their operating systems, we can enrol a device to test with Microsoft Intune.
If you need help enrolling your device, I have also written a guide on enrolling devices into Microsoft Intune here.
Add users to Microsoft Intune to manage
If you have not already added users, you can add them to Microsoft Intune to manage.
You will notice in my environment that my users are stored in Azure Active Directory, as these are also my Microsoft Office 365 users. This may be the case for you as well, which is ideal: we can use one of those users as our test user to log into Microsoft Intune on our mobile device later on.
On your Android mobile device, open the Google Play store.
Search for "Intune Company Portal" by Microsoft and click "Install".
Once installed, open it and click "Sign in".
We will be asked to sign in with our Microsoft credentials.
We will use one of our test users from Microsoft Azure Active Directory here.
It then redirects me to my organisation's sign-in page.
As I configured Okta as the Identity Provider for Microsoft Office 365 via WS-Federation single sign-on (SSO), it prompts me for my Okta username and password. I log in with the corresponding test user that exists in both Okta and Microsoft Azure Active Directory.
After entering my username and password successfully, I may be prompted for multifactor authentication (MFA), depending on the Sign On policy in Okta.
I complete the MFA step. In this example, I press "Yes" in the Okta Verify mobile application.
(Optional) If I click on the arrow, I can choose a different factor if another one is more accessible to me.
I then wait for Microsoft to connect and sign me in.
I will be then asked to:
Click "Next".
It then advises me that it is creating a "work profile" on my phone.
(Optional) It may ask me to "delete existing profile" if I have had a work profile on this phone before; click "Delete" if so.
Once completed, I am presented with the "Let's set up your work profile" screen. Click "Accept & Continue".
Wait for Google to set up your work profile, then click "Next".
Company Portal then updates so that Microsoft Intune can register your device.
Microsoft Intune adds your device to Company Portal.
Once your device is successfully added, you will see a summary with your device listed.
After a while, your Android phone will be populated with the applications assigned through Company Portal.
You can now check that the test user's Android phone has access to the applications we assigned to users via Microsoft Intune.
In the Okta Admin Console, choose an application on which to set an Application Sign On Policy (App Sign On policy).
The Application Sign On Policy lets us configure more granular access to the app, including conditions on Users/Groups and their Location. For our testing, however, we will focus on 1) Client types and 2) Device Trust. That is, let's create two Application Sign On Policy rules for our "Google Workspace" application, one for each of these goals: a device that is not trusted must pass MFA, and a device that is trusted is not prompted for MFA.
In the Okta Admin Console, go to Applications > Applications.
Scroll down and choose the "Google Workspace" application (or your preferred application).
Click the "Sign On" tab.
Scroll down to the "Sign On Policy" section. This is where we set our Application Sign On Policy (App Sign On policy).
Click "Add Rule".
Let's create our first Application Sign On Policy rule, then our second.
We will set a rule here that will do the following logic check.
"IF I am using a Device that is Not Trusted,
THEN check for MFA."
To do this, we can fill in our App Sign On Rule as follows:
We will set a rule here that will do the following logic check.
"IF I am using a Device that is Trusted,
THEN there is no need to check for MFA."
To do this, we can fill in our App Sign On Rule as follows:
Here's a summary of what we just set up for our Application Sign On Policy rules.
For easy reference, this is how an Application Sign On Policy rule is structured:
Application Sign On Policy rule
  For Users/Groups (who the rule applies to), check:
  IF Conditions (client type, device trust, location, and so on):
  THEN take the following Action (allow access, or prompt for MFA):
I will be testing on my mobile phone and on my Windows 10 computer.
On the enrolled Android phone (which should be a trusted device):
1. Log into your Okta End User dashboard, that is https://yourdomain.okta.com
2. Sign in as our test user.
3. Click on a "Google Workspace" application. This can be "Google Workspace Mail", "Google Workspace Calendar" or "Google Workspace Keep".
4. Based on our App Sign On Policy, our test user should be allowed to proceed with no prompt for multifactor authentication (MFA).
5. Our test user should then be able to access our "Google Workspace" application.
On the Windows 10 computer (not enrolled in Intune, so not a trusted device):
1. Log into your Okta End User dashboard, that is https://yourdomain.okta.com
2. Sign in as our test user.
3. Click on a "Google Workspace" application. This can be "Google Workspace Mail", "Google Workspace Calendar" or "Google Workspace Keep".
4. Based on our App Sign On Policy, our test user should be prompted for multifactor authentication (MFA).
5. Our test user should then be able to access our "Google Workspace" application.
An additional way to check is to review the System Log, searching for the following phrase over the period of our testing:
Search for:
Authentication of device
This should return System Log events like the following.
If you click the "down arrow" on any System Log row, you can see more details about the event.
You will notice that my testing on my mobile device showed an "Authentication of user via MFA success" and Client > Device = Mobile.
This is expected, as I installed the Microsoft Intune Company Portal software on my mobile phone, so it could find a certificate that validates that my device is in a "trusted" device status state.
You will notice that my testing on my Windows 10 computer showed an "Authentication of device via certificate failure: NO_CERTIFICATE" and Client > Device = Computer.
This is expected, as I did not install the Microsoft Intune Company Portal software on my Windows 10 computer, so it cannot find any certificate that validates that my device is in a "trusted" device status state.
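As an added example (not code from the article or from Okta), the Python script below does the same triage over an exported System Log: it groups the "Authentication of device via certificate" events by client device type and outcome, and flags failed checks that were not followed by an MFA success for the same user and device type within a short window, which is exactly the gap the two sign-on rules above are meant to close. The events it runs on are constructed for the demo in the shape of Okta System Log API records (the field names are the API's; the users, times and values are made up).

```python
"""Triage Okta System Log events for Device Trust outcomes.

Added example, not from the original article or from Okta. The events are
constructed for the demo, in the shape of Okta System Log API records
(top-level `published`, `displayMessage`, `outcome.result`, `outcome.reason`,
`client.device`, `actor.alternateId`), one JSON object per line as you would
get from a log export. Only the standard library is used.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime, timedelta

DEVICE_CERT_MSG = "Authentication of device via certificate"
MFA_MSG = "Authentication of user via MFA"

# Constructed sample: one user seen from a trusted phone and from an untrusted
# Windows machine (which then passed MFA), and a second user on an untrusted
# phone with no MFA event afterwards. Not real Okta data.
SAMPLE_LOG = """\
{"published":"2023-01-10T09:01:02.000Z","displayMessage":"Authentication of device via certificate","outcome":{"result":"SUCCESS","reason":null},"client":{"device":"Mobile"},"actor":{"alternateId":"test.user@example.com"}}
{"published":"2023-01-10T09:12:40.000Z","displayMessage":"Authentication of device via certificate","outcome":{"result":"FAILURE","reason":"NO_CERTIFICATE"},"client":{"device":"Computer"},"actor":{"alternateId":"test.user@example.com"}}
{"published":"2023-01-10T09:12:44.000Z","displayMessage":"Authentication of user via MFA","outcome":{"result":"SUCCESS","reason":null},"client":{"device":"Computer"},"actor":{"alternateId":"test.user@example.com"}}
{"published":"2023-01-10T10:30:00.000Z","displayMessage":"Authentication of device via certificate","outcome":{"result":"FAILURE","reason":"NO_CERTIFICATE"},"client":{"device":"Mobile"},"actor":{"alternateId":"other.user@example.com"}}
"""


def load_events(text: str) -> list[dict]:
    """Parse a newline-delimited JSON export of System Log events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def device_trust_results(events: list[dict]) -> Counter:
    """Count device-certificate checks by (client device type, result, reason).
    This is the grouped form of the 'Authentication of device' search above."""
    counts: Counter = Counter()
    for e in events:
        if e.get("displayMessage") == DEVICE_CERT_MSG:
            counts[(e["client"]["device"], e["outcome"]["result"],
                    e["outcome"].get("reason"))] += 1
    return counts


def untrusted_without_mfa(events: list[dict], window_seconds: int = 300) -> list[tuple]:
    """Heuristic check of the policy: every failed device-certificate check
    should be followed, within window_seconds, by an MFA success for the
    same user and device type. Ones that are not are returned for review:
    either the 'not trusted -> prompt for MFA' rule did not apply, or the
    user abandoned the sign-in."""
    mfa_ok = [e for e in events
              if e.get("displayMessage") == MFA_MSG
              and e["outcome"]["result"] == "SUCCESS"]
    flagged = []
    for e in events:
        if (e.get("displayMessage") != DEVICE_CERT_MSG
                or e["outcome"]["result"] != "FAILURE"):
            continue
        start = _when(e)
        covered = any(
            m["actor"]["alternateId"] == e["actor"]["alternateId"]
            and m["client"]["device"] == e["client"]["device"]
            and start <= _when(m) <= start + timedelta(seconds=window_seconds)
            for m in mfa_ok)
        if not covered:
            flagged.append((e["actor"]["alternateId"], e["client"]["device"],
                            e["published"]))
    return flagged


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for (device, result, reason), n in sorted(device_trust_results(evs).items(), key=str):
        print(f"{device:<9} {result:<8} {reason or '-':<16} {n}")
    for who, device, when in untrusted_without_mfa(evs):
        print(f"review: {who} on {device} at {when}: not trusted and no MFA seen")
```

The window is a heuristic: a user who closes the browser after the certificate check fails will also be flagged, so treat the output as a review list rather than an alert. In a real export, point load_events at the file instead of SAMPLE_LOG.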
You're all set!
If you are not sure whether the Intune device certificate has been installed on your Windows 10 device, open "Certificate Manager" on that computer.
In Certificate Manager, go to Certificates > Intermediate Certification Authorities > Certificates.
You should see "Microsoft Intune MDM Device CA" listed there.
If you get the error:
"We couldn't auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it".
Solution:
Set your management endpoint (MDM server URL / MDM discovery URL) to https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
You will also find this under Windows > Windows enrolment > Automatic enrolment.
If Company Portal reports that the device does not meet company compliance and security policies (and so cannot access resources like company email):
Solution:
Make sure a compliance policy is assigned to the Windows device in Microsoft Endpoint Manager (Intune).
That is, as an administrator, go to Microsoft Endpoint Manager > Devices > Windows > Compliance policies > Create Policy.
You will notice that I have set one up, "Windows 10/11 compliance policy"; I selected the default settings and assigned it to "All users".
On the end user's Windows 10 device, you can ask the user to:
Company Portal should then report: "This device meets company compliance and security policies. You can access resources like company email with this device."
Once it says that you "Can access company resources", click the "Apps" tab in the "Company Portal" application.
You will then see the applications (apps) that have been assigned to you.
Here is an example below: