Matrix42 Self-Service Help Center

Entra ID Integration VI: Conditional Access

Overview

The Microsoft Compliance Partnership is a comprehensive program designed to help organizations meet their compliance requirements in today’s rapidly evolving regulatory environment. This partnership provides businesses with the tools, frameworks, and expert support needed to navigate complex compliance challenges. In this article, we will explore the key features of the Microsoft Compliance Partnership and highlight its benefits, including enhanced security, risk management, and regulatory alignment for businesses of all sizes.

Requirements

  • Microsoft Azure Active Directory, Microsoft Intune (to set Matrix42 GmbH as the third-party compliance partner), and Microsoft Entra ID - Premium 1 or higher. Compatible Microsoft license plans:
    • Microsoft 365 E3, E5, F1, or F3 licenses
    • Enterprise Mobility + Security E3 (EMS E3), or E5 (EMS E5)
  • Microsoft Authenticator must be installed on end-user devices, both iOS and Android.

Intune and Entra ID Preparation

Collect Tenant ID

  • Log in to portal.azure.com
  • Select Microsoft Entra ID
  • In the Overview section, locate your Tenant ID
  • Note down the Tenant ID; you will need it later on.

Create your Conditional Access Test Group

  • Navigate to Groups
  • Press New group
  • Enter a Group Name, e.g. Silverback Conditional Access
  • Enter a Group Description (optional)
  • Select Members and add several of your test users
  • Press Create
  • Wait until the group creation is finished

Add Matrix42 as Compliance Partner

  • Open endpoint.microsoft.com
  • Log in with your administrative credentials
  • Navigate to Tenant Administration
  • Select Connectors and Tokens
  • Locate the Cross Platform section
  • Select Partner compliance management
  • Press + Add compliance partner
  • Select Matrix42 GmbH as Compliance Partner
  • Select your first desired platform 
  • Press Next
  • Press Add groups
  • Select your previously generated Conditional Access Group as the desired target user group. If desired, this can be a group you define (e.g. an organization department that dynamically updates in Azure AD, a static group of testers you manually add to a user group, or a specific user). It can also be assigned to All Users so that any member of this Azure AD tenant could perform the registration and have their device become compliant.
  • Press Next
  • Press Create
  • Locate your previously selected platform and check that the Partner Status shows Pending activation
  • To add additional platforms, select + Add compliance partner again and repeat the previous steps
  • Keep the Partner compliance management browser tab open.

Create a device-based Conditional Access policy

  • Open a new browser tab, enter endpoint.microsoft.com again and sign in if required
  • Navigate to Endpoint Security
  • Select Conditional Access
  • Press + Create new policy
  • Enter a Name, e.g. Conditional Access Policy
  • Under Users, select Users and groups and add your recently created Conditional Access Group
  • Under Target Resources, select All cloud apps, switch to the Exclude tab and select Microsoft Cloud App Security as the excluded cloud app
  • Under Access controls, select Grant, enable Require device to be marked as compliant and press Select
  • Under Enable policy, select On
  • Press Create
  • Wait until the process is finished

Check Conditional Access policy

  • On any device, open portal.office.com
  • Try to log in with a user that is part of your recently created Conditional Access Group
    • Expected result (screenshots omitted): the sign-in is refused with a "Not signed in" message, as shown for Microsoft Edge on Windows, Chrome on Windows and Safari on macOS
  • Now try to log in with a user that is not part of the Conditional Access Group
  • You should be able to log in without any additional security requests.
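As an added example (not code from the article or from Matrix42), the following Python builds the device-based policy from the "Create a device-based Conditional Access policy" steps in the JSON shape Microsoft Graph uses for POST /identity/conditionalAccess/policies, and evaluates it offline against a sign-in context so the in-group / not-in-group behaviour from the check above can be reasoned about before the policy is enforced. The group and application IDs are constructed placeholders, and the evaluator is a simplified model of how Entra applies a policy, not Microsoft's engine.

```python
# Added example: Graph-shaped policy body plus a simplified offline evaluator.
# IDs are constructed placeholders; replace them with your tenant's values.
TEST_GROUP_ID = "00000000-0000-0000-0000-00000000cafe"   # placeholder: Silverback Conditional Access group
EXCLUDED_APP_ID = "00000000-0000-0000-0000-0000000000ca"  # placeholder: Microsoft Cloud App Security app


def build_policy(group_id, excluded_app_ids, name="Conditional Access Policy"):
    """Return the Graph policy body: scoped to one group, all cloud apps minus
    the exclusions, and access granted only when the device is marked compliant."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_app_ids),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def evaluate(policy, user_groups, app_id, device_compliant):
    """Simplified evaluation: 'out_of_scope' when the policy does not apply to
    this user/app pair, otherwise 'grant' or 'block' based on device compliance."""
    if policy["state"] != "enabled":
        return "out_of_scope"
    users = policy["conditions"]["users"]
    in_users = "All" in users.get("includeUsers", []) or bool(
        set(users.get("includeGroups", [])) & set(user_groups))
    apps = policy["conditions"]["applications"]
    in_apps = ("All" in apps["includeApplications"] or app_id in apps["includeApplications"]) \
        and app_id not in apps.get("excludeApplications", [])
    if not (in_users and in_apps):
        return "out_of_scope"
    required = set(policy["grantControls"]["builtInControls"])
    satisfied = {"compliantDevice"} if device_compliant else set()
    # Operator OR: any one required control satisfied grants access; AND: all must be.
    if policy["grantControls"]["operator"] == "OR":
        return "grant" if required & satisfied else "block"
    return "grant" if required <= satisfied else "block"


if __name__ == "__main__":
    pol = build_policy(TEST_GROUP_ID, [EXCLUDED_APP_ID])
    print(evaluate(pol, [TEST_GROUP_ID], "portal-office", device_compliant=False))  # block
    print(evaluate(pol, ["some-other-group"], "portal-office", device_compliant=False))  # out_of_scope
```

The out-of-scope result for the second call is what the article's second check (a user outside the group signing in without extra prompts) exercises; the excluded app is left out of scope even for group members.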

Silverback Integration

Enable Conditional Access

  • Open a new browser tab
  • Log in to your Silverback Management Console
  • Navigate to Admin
  • Select Microsoft Entra ID
  • Locate the Conditional Access section and press Enabled
  • Enter your Tenant ID
  • Press Save

Integrate Conditional Access Application

  • Press Setup
  • Log in with your administrative Microsoft Entra ID credentials
  • Accept the requested permissions:
    • Sign in and read user profile
    • Read all applications
    • Read Microsoft Intune device configuration and policies
    • Read and write Microsoft Intune device configuration and policies
    • Read and write Microsoft Intune devices
    • Read Microsoft Intune configuration
    • Read and write Microsoft Intune configuration
    • Read directory data
    • Read all group memberships
    • Read and write all users' full profiles
    • Send device attributes to Microsoft Intune
    • Manage partner compliance policies with Microsoft Intune.
  • Wait until the configuration has completed successfully and press OK

Review Application Permissions (optional)

  • Navigate back to the Microsoft Azure Portal
  • Starting from the Microsoft Entra ID, navigate to Enterprise applications
  • Locate and press the Conditional Access application to open the details page
  • Select Security and Permissions to review the granted permissions 

Tenant Onboarding

Tenant provisioning

  • A new tab, Conditional Access, will appear
  • Select Conditional Access
  • In the Partner Compliance Management section, press Provision
  • Now navigate back to Microsoft Intune and review the Partner compliance management status; it should have switched to Active
  • Go back to the Silverback Management Console
  • Press Refresh and wait until the data has been updated
  • The Partner Compliance Management section should now show the provisioned tenant (screenshot omitted)

Tenant re-provisioning

  • For testing purposes, you can press the Deprovision button
  • Navigate back to Microsoft Intune and review the Partner compliance management status; it should have switched to Terminated
  • Go back to the Silverback Management Console and press Refresh
  • The Partner Compliance Management section should now show the deprovisioned tenant (screenshot omitted)
  • Press Provision again and review the Active Partner State in Microsoft Intune
  • Press Refresh to synchronize the Compliance Management data with Silverback again

Send Tenant Heartbeat

  • Navigate back to Microsoft Intune and review the Last Successful Sync timestamp next to your Active Partner Status
  • From the Silverback Console, now press the Heartbeat button
  • In Microsoft Intune you should now see an updated Last Successful Sync date

Create Compliance Policy

Once the tenant is provisioned, the partner needs to create a partner compliance policy and assign it to the Entra ID user group(s) for which it provides compliance data. Note that this is a back-end object that is not visible in the Microsoft Intune admin center or the Azure portal. Only one partner compliance policy should be created per platform (iOS, Android, macOS) per tenant.

Create Policy

  • Navigate back to the Silverback Management Console
  • In the Partner Compliance Policy section, press New Policy
  • Select your desired platform
  • Enter a display name, e.g. Silverback macOS Compliance Policy
  • Enter a description
  • Press Save
  • Confirm with OK
  • Press OK to close the information

Assign Groups

  • Now press the Edit button of your created Partner Compliance Policy
  • Press the + Button
  • Enter the name of your target group, e.g. Silverback Conditional Access
  • Select your group 
  • Press OK
  • Press Save
  • Confirm with OK
  • Press OK

Sync and Match Devices

  • In the Devices section, enter your Matching Criteria System Variable
    • e.g. {UserName} or {UserEmail}

Troubleshooting
