
Set up Microsoft Entra Conditional Access integration in Hexnode

Conditional Access is a security policy that organizations use to manage how employees and other users access their resources based on specific conditions. It acts as a gatekeeper, controlling access to Microsoft resources and other enterprise resources that have been registered or integrated with Microsoft Entra ID. The policy not only determines who can access these resources but also defines the conditions under which they can access them. In other words, the policy enforces “if-then” rules for resource access. For example, if a user attempts to access a cloud app, they must meet specific criteria configured by the organization in the Conditional Access policy before access is granted. The criteria can vary, such as requiring multi-factor authentication (MFA), signing in from a trusted location, or accessing from a compliant device.

By integrating Conditional Access with Hexnode, IT admins can enforce access policies based on device compliance from Hexnode. These steps guide you through the required integrations and configurations to effectively manage access to resources based on predefined conditions. Let’s simplify your security setup while giving you complete control over who gets access to what.

Note:

Hexnode supports Conditional Access for Android, iOS, and macOS 11+ devices.

Prerequisites:

Setting up Conditional Access policy with Hexnode UEM

Follow the steps below to set up a Conditional Access policy with Hexnode UEM. These steps guide you through the required integrations and configurations to effectively manage access to organizational data based on predefined conditions.

Step 1: Set up Hexnode UEM as a compliance partner in Microsoft Intune.

Step 2: Create a Conditional Access policy in Microsoft Entra ID portal.

Step 3: Integrate Microsoft Entra ID with the Hexnode UEM portal.

Step 4: Set up Conditional Access in the Hexnode UEM portal.

Step 5: How to register devices with Microsoft Entra ID

Step 1: Set up Hexnode UEM as a compliance partner in Microsoft Intune

Setting up Hexnode UEM as a compliance partner in Microsoft Intune enables organizations to enforce Conditional Access policies by verifying device compliance before granting access to corporate resources.

To set up Hexnode UEM as a compliance partner in Microsoft Intune, follow the steps outlined below.

  1. Log in to the Microsoft Intune admin center.
    Go to Tenant administration tab
  2. Navigate to Tenant administration > Connectors and tokens.
    Navigate to Connectors and tokens tab
  3. In the Partner compliance management section, click + Add compliance partner.
    Add Hexnode as a new compliance partner
  4. Select Hexnode UEM from the drop-down as the Compliance Partner and select the desired platform (iOS, Android or macOS). Click Next.
    Add Hexnode UEM as compliance partner and the desired platform
  5. In the Assignments section, determine which users or user groups will be impacted by the compliance partner program:
    1. Under the Included groups, you can either select Add all users or specify particular user groups by clicking Add groups.
    2. Under the Excluded groups, select groups that should not be affected, such as those containing the organization’s administrators or executives.

    Include or exclude users or user groups affected by the compliance partner

  6. Once you have configured the included and excluded groups, click Next.
  7. In the Review + create section, confirm the compliance partner settings and click Create.
    Review the details of setting up Hexnode UEM as compliance partner
  8. After creation, the compliance partner will appear in the Partner compliance management page, categorized based on the chosen platform.
  9. The partner status will update to Active once Microsoft Entra ID integration is completed in your Hexnode UEM portal.
    Hexnode UEM as a compliance partner with the chosen platforms

Microsoft Entra ID allows only one compliance partner per platform (operating system). That is, you will have to assign Hexnode UEM as the compliance partner for each platform individually.

Step 2: Create a Conditional Access policy in Microsoft Entra ID portal

To create a Conditional Access Policy in the Microsoft Entra portal that grants access to the organization’s resources for specific users or user groups, follow the steps outlined below.

Create a new policy

  1. Log in to the Microsoft Entra ID portal.
  2. Navigate to Protection > Conditional Access in the left pane.
    Set up Conditional Access in Entra admin center
  3. Under the Policies section, click + New policy.
    Create a new policy to set up Conditional Access policy
  4. Provide a name for the Conditional Access policy.
    Name the Conditional Access policy

Define assignments

Users

Select the users or groups to include or exclude from the policy. You can target all users, specific groups, directory roles, or external guest users.
Add the users to include or exclude from Conditional Access policy

Target resources

Choose the resources affected by the policy, such as cloud applications, user actions (e.g., sign-in attempts), or authentication contexts.
Add the resources to be included in Conditional Access policy

Note:

Search for Hexnode in the resource list. You will get a list of Hexnode services, such as the Hexnode enrollment page, the Hexnode login page, and similar services; add all of them to the Excluded list. This prevents disruptions to Hexnode services (for example, device enrollment and portal login) and ensures your workflows remain unaffected.
Exclude applications related to Hexnode in Conditional Access policy

Network

The network condition covers IP addresses, geographical locations, and Global Secure Access-compliant networks, all of which influence Conditional Access policy decisions. Administrators can define specific locations and designate some as trusted, such as the organization’s primary network sites. For a detailed explanation, refer to the Network condition configuration documentation.

Setup location or network in Conditional Access policy

Conditions

In this section, you can further refine the policy based on various conditions according to your requirements, such as:

  1. Device platforms: Include or exclude device platforms such as macOS, Android, and iOS. Based on the platforms selected in the compliance partner setup, IT admins can include or exclude specific platforms for Conditional Access policies.
    Note:

    While Microsoft Entra ID supports Android, iOS, Windows, macOS, and Linux, Hexnode currently provides compliance data for Android, iOS, and macOS only.

    Specify the platform that needs to be included in the Conditional Access policy

  2. Client apps: Client apps refer to the software/platform a user uses to access a Microsoft cloud app. Select this option if you want to apply the policy to specific client apps (for instance, accessing Microsoft Office 365 through a browser or a mobile application).
    Specify the client apps to which the Conditional Access policy will be applied
  3. Filter for devices: Apply the Conditional Access policy only to devices that meet specific criteria, such as device compliance status, device model, operating system, or ownership type. These criteria are defined using the supported operators and device properties in device filters, such as compliance status, operating system version, and device manufacturer, among others.
    Configure the devices to which the Conditional Access policy is to be applied
  4. Authentication flows: Authentication flows are the steps a user or device follows to prove their identity before gaining access to a resource. In simpler terms, this could include entering a password, using a fingerprint, or approving a sign-in request on a phone. You can choose which of these steps (or flows) are allowed for authentication in your policy.
    Configure how organizations use authentication flow

Access Controls

The access controls section of the Conditional Access policy determines how the policy is applied.

Grant

This section allows you to configure whether access to resources should be permitted or denied based on the specified conditions.

  1. Block access: Selecting this option denies access to organizational resources when the policy conditions are met.
  2. Grant access: Administrators can set conditions that users must meet to gain access. They can choose to enforce one or more of the following controls.
    • Require multifactor authentication – Requires users to complete an additional authentication step before gaining access.
    • Require authentication strength – Administrators can define the authentication strength required for accessing a resource by configuring a Conditional Access policy with this option. They can select from three predefined authentication levels: Multifactor Authentication (MFA) strength, Passwordless MFA strength, and Phishing-resistant MFA strength.
    • Require device to be marked as compliant – Grants access only if the device meets the compliance policies defined by Hexnode.
    • Require Microsoft Entra hybrid joined device – With this option organizations can incorporate device identity into their Conditional Access policy by requiring devices to be Microsoft Entra hybrid joined.
    • Require app protection policy – Ensures that access is granted only if an Intune app protection policy is applied to the client app. The device must be registered in Microsoft Entra ID and have a broker app like Microsoft Authenticator (iOS) or Company Portal (Android) to enforce the policy.

    Specify the criteria in the Conditional Access policy that must be met to grant access to resources

  3. For multiple controls: Administrators can configure Conditional Access policies to enforce multiple grant controls using the following options:
    • Require all the selected controls – Access is granted only if all specified conditions (e.g., MFA, device compliance, Terms of Use) are met.
    • Require one of the selected controls – Access is granted if at least one of the specified conditions is met.

Session

Note:

The settings in this section are optional and can be configured based on organizational requirements. The options in this section operate independently of MDM and will continue to be effective even if devices are disenrolled, provided the user remains included in the Conditional Access policy.


Administrators can make use of session controls to enable limited experiences within specific cloud applications. The available controls include:

Use app enforced restrictions: Organizations can use this control to require Microsoft Entra ID to pass device compliance information received from Hexnode to cloud applications. Based on the information, cloud apps can determine whether a device is compliant and adjust the user’s session accordingly. Fully managed and compliant devices receive unrestricted access, while disenrolled or non-compliant devices may have restricted access. This feature is supported only by certain cloud apps, which are Office 365, Exchange Online, and SharePoint Online.

Use Conditional Access App Control: Conditional Access App Control allows real-time monitoring and management of user app access and sessions based on defined policies. Available options are:

  • Monitor only (Preview): Risky users, whose behaviors or login patterns (such as unusual sign-ins) trigger security alerts, are monitored when they sign in to apps, and their actions are logged from within the session.
  • Block downloads (Preview): Prevents the download of sensitive documents.
  • Use custom policy: Select this option to configure custom policies for Conditional Access App Control. These policies must be set up in the security portal of the Cloud app.

Sign-in frequency: Defines the interval before users are prompted to sign in again when accessing a resource. Administrators can specify a time (in hours or days) or require reauthentication for every access attempt.

Persistent browser session: Enables users to stay signed in to their cloud application (resource) even after they close and reopen their browser. Persistent browser session works correctly only when All resources is selected under the Target resources condition.

Customize continuous access evaluation: Allows access tokens to be revoked in real time based on critical events and policy evaluations instead of waiting for token expiration. Sub-options include:

  • Disable: Functions correctly only when “All resources” is selected under “Target resources” without any additional conditions. When “All resources” is selected, this option disables Continuous Access Evaluation (CAE) for all resources, with no additional conditions or filters applied. This means that access tokens will not be evaluated or revoked in real time, and users will continue to have access to the resources until their tokens naturally expire.
  • Strictly enforce location policies (Preview): Denies access when the client’s IP address is not permitted under the “Network” condition.

Disable resilience defaults: During an outage, Microsoft Entra ID extends access to existing sessions while enforcing Conditional Access policies. If resilience defaults are disabled, access is denied once existing sessions expire.

Use Global Secure Access security profile: Applies security policy profiles to resources targeted by Global Secure Access. This option is limited to Global Secure Access resources.

Configure session control in the Conditional Access policy to enable limited experience within a cloud app

Once all necessary conditions are configured, follow the steps below:

  1. Switch Enable policy to On to activate the policy.
  2. Verify the configurations to ensure everything is set up correctly.
  3. Click Create to save and implement the Conditional Access policy.

Set up the Conditional Access policy
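The same policy that Step 2 builds in the portal can be expressed as the JSON body that the Microsoft Graph conditionalAccessPolicy resource accepts. The block below is an added example, not Hexnode's or Microsoft's code: it builds a policy that targets all users except an excluded group, excludes the Hexnode service apps, limits the platform condition to the platforms Hexnode reports compliance for, and grants access only when the device is compliant and MFA is satisfied; a small lint function then checks a policy against the guidance on this page before it is submitted. The Hexnode application IDs and the excluded group ID are placeholders (assumptions), and the 12-hour sign-in frequency is an illustrative value; everything else uses the documented Graph field and enum names.

```python
"""Added example (not Hexnode's or Microsoft's code): build the Step 2 policy
as a Microsoft Graph conditionalAccessPolicy body and lint it against the
guidance on this page before sending it to
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
"""
import json

# PLACEHOLDER application (client) IDs for the Hexnode services that the note
# under "Target resources" says to exclude. Replace them with the IDs shown
# for the Hexnode apps in your own tenant.
HEXNODE_APP_IDS = [
    "00000000-0000-0000-0000-0000000000aa",  # placeholder: Hexnode enrollment page
    "00000000-0000-0000-0000-0000000000bb",  # placeholder: Hexnode login page
]

# Platforms Hexnode currently supplies compliance data for, as Graph
# conditionalAccessDevicePlatform enum values.
HEXNODE_PLATFORMS = ["iOS", "android", "macOS"]


def build_policy(display_name, exclude_group_ids, state="enabled"):
    """Return a Graph-format policy: all users minus excluded groups, all apps
    except the Hexnode services, Hexnode-supported platforms only, and a grant
    that requires BOTH a compliant device and MFA."""
    return {
        "displayName": display_name,
        # "enabled", "disabled" or "enabledForReportingButNotEnforced"
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(exclude_group_ids),  # e.g. administrators
            },
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(HEXNODE_APP_IDS),
            },
            "platforms": {"includePlatforms": list(HEXNODE_PLATFORMS)},
        },
        "grantControls": {
            "operator": "AND",  # "Require all the selected controls"
            "builtInControls": ["compliantDevice", "mfa"],
        },
        "sessionControls": {
            # Illustrative value: re-authenticate every 12 hours.
            "signInFrequency": {"value": 12, "type": "hours", "isEnabled": True}
        },
    }


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy follows the
    guidance on this page. Each check maps to a point made in Step 2."""
    findings = []
    cond = policy.get("conditions", {})

    # Hexnode's own services must be excluded or enrollment/login can break.
    apps = cond.get("applications", {})
    excluded = set(apps.get("excludeApplications", []))
    if apps.get("includeApplications") == ["All"] and not excluded.issuperset(HEXNODE_APP_IDS):
        findings.append("Hexnode service apps are not excluded; enrollment/login may be blocked")

    # Only iOS/Android/macOS carry Hexnode compliance data.
    platforms = set(cond.get("platforms", {}).get("includePlatforms", []))
    unsupported = sorted(platforms - set(HEXNODE_PLATFORMS))
    if unsupported:
        findings.append(f"platforms without Hexnode compliance data: {unsupported}")

    # Without a compliant-device requirement the Hexnode data is never consulted.
    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if "compliantDevice" not in controls and "block" not in controls:
        findings.append("grant does not require a compliant device")
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("multiple controls combined with OR: one satisfied control is enough")

    # Targeting everyone with no excluded group risks locking out administrators.
    users = cond.get("users", {})
    if users.get("includeUsers") == ["All"] and not users.get("excludeGroups"):
        findings.append("all users targeted with no excluded group (administrators/executives)")

    return findings


if __name__ == "__main__":
    # Placeholder group ID, constructed for this example.
    policy = build_policy("Require Hexnode-compliant device", ["00000000-0000-0000-0000-0000000000cc"])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy))
```

Run it to print the JSON body and the lint result; an empty findings list is the expected output for the policy as built. A practical workflow is to create the policy with state set to enabledForReportingButNotEnforced, review the sign-in logs, and only then switch it to enabled, which corresponds to turning "Enable policy" on in the portal.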

Step 3: Integrate Microsoft Entra ID with the Hexnode UEM portal

To integrate Microsoft Entra ID with Hexnode, follow these steps:

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Admin > Integrations.
  3. Select the Microsoft Entra ID tile from the available integrations.
  4. A window will appear prompting you to enter your organization’s Microsoft Entra custom domain/Directory (Tenant) ID.
  5. Enter the domain details and click Configure.
  6. You will be prompted to sign in with your Microsoft Entra ID credentials.
  7. After signing in, a pop-up will ask for permission to the Hexnode Azure Directory Services app. Check the box and click Accept.
  8. You will be redirected back to the Hexnode UEM portal, where the integration with Microsoft Entra ID will be completed. You can configure settings related to enrollment and sync scheduling directly from the pop-up. For detailed instructions, refer to the Microsoft Entra ID integration document.
  9. Click Next to complete the integration.
  10. Once the integration is complete, you can either click Next to configure Conditional Access within the same pop-up (optional) or skip and proceed to Step 4 to set up Conditional Access through its own integration tile.

Step 4: Set up Conditional Access in the Hexnode UEM portal

To configure Conditional Access in your Hexnode UEM portal after integrating Microsoft Entra ID, follow these steps:

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Admin > Integrations.
  3. Select the Microsoft Entra Conditional Access tile from the available integrations.
  4. A window will appear prompting you to enter your organization’s Microsoft Entra custom domain/Directory (Tenant) ID.
  5. Choose the configured Microsoft Entra ID domain from the dropdown and click Next.
  6. Click Configure.
  7. You will be prompted to sign in with your Microsoft Entra ID credentials.
  8. After signing in, a pop-up will ask for permission to the Hexnode Compliance Connector app. Check the box and click Accept.
  9. You will be redirected back to the Hexnode UEM portal where Conditional Access will be successfully set up.
  10. The platforms and user/user group assignments configured in the Conditional Access policy can be viewed from the same Conditional Access configuration tile. If the assignments are not loaded, a sync option will be available to sync them.
  11. Click Next to optionally configure Windows Autopilot (details available in the Windows Autopilot integration document).

When Microsoft Entra ID is set up in Hexnode UEM

If Microsoft Entra ID is already configured in the Hexnode UEM portal, you can configure Conditional Access by following these steps:

  1. Navigate to Admin > Microsoft Entra ID.
  2. Click on the configured Microsoft Entra ID tile.
  3. Select the Conditional Access section and click on Configure.
  4. You will be asked to sign in with your Microsoft Entra ID credentials.
  5. Upon signing in, a pop-up will ask for permission for the Hexnode Compliance Connector app.
  6. Check the box and click Accept.
  7. You will be redirected back to the Hexnode UEM portal, where the Conditional Access will be set up successfully. The platforms and user/user group assignments configured in the Conditional Access policy can be viewed in this section.

Revoking Conditional Access for Microsoft Entra ID in Hexnode UEM

To revoke the Conditional Access integration for the Microsoft Entra ID domain configured in your Hexnode UEM portal, follow these steps:

  1. Navigate to Admin > Microsoft Entra ID.
  2. Click on the configured Microsoft Entra ID tile.
  3. Select the Conditional Access section and click Configure.
  4. Click on Actions and choose Revoke Conditional Access.
  5. Click Yes and enter your technician password.

Revoke Conditional Access integration with Microsoft Entra ID domain

The Conditional Access integration will be successfully revoked from the portal.

You can export the Conditional Access assignment details, including the list of users assigned to the Conditional Access policy and the number of devices registered to each user in Microsoft Entra ID. The report can be exported in CSV or PDF format and emailed to technicians.

Note:

Revoking Conditional Access compliance sharing in the Hexnode UEM portal does not impact the Conditional Access policy created in Microsoft Entra ID.

Step 5: How to register devices with Microsoft Entra ID

To ensure access to all resources while maintaining compliance, devices enrolled in Hexnode UEM should be registered with Microsoft Entra ID. This registration process guarantees that only authorized and secure devices can access company resources, enabling the enforcement of strict Conditional Access policies. For more information, refer to the help documentation on registering devices with Microsoft Entra ID for Conditional Access.

What happens at the device end?

Once the device is enrolled, the user will be prompted to register the device with Microsoft Entra ID. After the device is successfully registered with Entra ID and meets the compliance criteria, the user can access organizational resources without interruption.
