Microsoft Entra ID Token Revocation for Apple devices using a Custom Connector in Workspace ONE Intelligence

On Apple iOS/iPadOS the Microsoft 365 mobile apps that are configured for modern authentication store the user’s authentication token in a keychain access group that is shared by the Microsoft apps on the device. The benefit of this approach is that a single token per device is shared among the various Microsoft apps, so the user only signs in once. The problem with this approach is that the token persists on the device even when the Microsoft app is removed. For single-user devices this is usually not a problem, but in scenarios where multiple users share the same device it is catastrophic. End User A logs in to a Microsoft app and the token is downloaded, then End User A logs out and hands the device to End User B. When End User B logs in and launches the Microsoft app, instead of being prompted to authenticate, End User B is automatically signed in as End User A and now has access to End User A’s data. This blog details how to set up a custom connector in Workspace ONE Intelligence to trigger the token revocation command for the device’s user so that the second user is not able to reuse the first user’s token.

Create an Enterprise Application in Microsoft Entra ID

The steps to create the required enterprise application in Microsoft Entra ID are documented with screenshots on the VMware TechZone page here: https://techzone.vmware.com/resource/compliance-integration-ms-office-365-using-intelligence-and-graph-apis#set-up-azure-ad-enterprise-app You will complete Step 3 from the TechZone page. I have updated Step 3 from the TechZone page below in case you are using the new Microsoft Entra admin center, which re-organizes several of the configuration menus.

  1. Login to https://entra.microsoft.com
  2. Navigate to Identity > Applications > Enterprise Applications
  3. Choose New Application
  4. Choose Create Your own application
    • Name the Application “Workspace ONE Intelligence EntraID Token Revocation”
    • What are you looking to do with your application?
      Leave this at the default value of “Integrate any other application you don’t find in the gallery (Non-Gallery)”
  5. The Application Overview page will be loaded.
    Copy the Application ID GUID to your favorite text editor for use later on in this process.
  6. Navigate to Security > Permissions
  7. In the Permissions section look for the sentence that reads “To configure requested permissions for apps you own, use the app registration.” and click on the Blue hyperlink “Application registration”
    • Choose “Add a permission”
    • On the Request API Permissions page it defaults to the Microsoft API’s and Microsoft Graph should be at the top of the list. Select Microsoft Graph
    • Select Application Permissions
    • Assign the permission “User.ReadWrite.All” by using the permission search feature. As you begin typing “User.Read” the list will filter to display the User permissions.
      Select User.ReadWrite.All and choose Add Permission. This is the permission the TechZone article uses; Microsoft’s reference for the Graph revokeSignInSessions action (the call that performs the token revocation) also lists the narrower User.RevokeSessions.All application permission, which is the least-privilege choice if it appears in your tenant’s permission list.
    • Click “Grant admin consent for X” where X = the name of your EntraID tenant
  8. Close the Enterprise Application properties page by clicking the X in the top-right corner.
  9. From the Entra Admin Center Menu navigate to Identity > Applications > App Registrations
  10. The App registration page defaults to the “Owned Applications” tab. Click on the tab labeled “All Applications” which should now display the “Workspace ONE Intelligence EntraID Token Revocation” app. Select the app from this list.
  11. Navigate to Manage > Certificates & Secrets and if not already selected click on the “Client Secrets” tab
  12. Choose New Client Secret
  13. Provide a Description and set the expiration for a period that aligns with your information security policy, then select Add at the bottom. Note the expiry date: the connector stops working the moment the secret expires, so plan to rotate it before then.
  14. The page will refresh showing a column named Value and a Secret ID. Copy the VALUE to your favorite text editor for use later on. The value is displayed only once; if you leave the page without copying it you must create a new secret. Treat it as a credential with tenant-wide power over user sessions, and delete the scratch copy once it has been entered into the Intelligence connector.
  15. Close the Certificates & Secrets properties page by clicking the X in the top-right corner.
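Before wiring the app registration into Intelligence it is worth exercising it once from the command line. The following Python script is an added example, not code from the original post or from VMware: it obtains an app token with the OAuth2 client-credentials grant using the Application ID and client secret gathered above, then calls the Microsoft Graph revokeSignInSessions action for one UPN, which I assume is the token revocation command the custom connector issues. The TENANT_ID, CLIENT_ID and CLIENT_SECRET environment variable names are my own choice, and the guest-style UPN mentioned in the comments is a constructed sample.

```python
"""Revoke every Entra ID sign-in session for one user via Microsoft Graph.

Added example, not part of the original post or VMware's connector. It assumes
the connector ultimately calls POST /users/{upn}/revokeSignInSessions with an
app-only token obtained through the client-credentials grant.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"
# With application permissions the scope is always the resource's /.default;
# the actual permissions are whatever an admin consented to on the app.
SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form-encoded body) for the client-credentials grant."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def build_revoke_request(upn: str, access_token: str):
    """Return (url, headers) for POST /users/{upn}/revokeSignInSessions.

    The UPN is percent-encoded with no safe characters: guest accounts carry
    '#EXT#' in their UPN (e.g. the constructed sample
    guest_gmail.com#EXT#@contoso.onmicrosoft.com) and a bare '#' would be
    treated as a URL fragment, silently targeting the wrong path.
    """
    url = f"{GRAPH}/users/{urllib.parse.quote(upn, safe='')}/revokeSignInSessions"
    headers = {"Authorization": f"Bearer {access_token}"}
    return url, headers


def parse_revoke_response(status: int, body: bytes) -> bool:
    """Graph answers 200 with a JSON body containing "value": true on success."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("value") is True
    except ValueError:
        return False


def _post(url, headers=None, data=None):
    """POST and return (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def revoke_user_sessions(tenant_id, client_id, client_secret, upn) -> bool:
    """Get an app-only token, then revoke every session for `upn`.

    This is user-wide: every device and every app holding a refresh token for
    this UPN loses it. Access tokens already issued stay valid until expiry.
    """
    url, body = build_token_request(tenant_id, client_id, client_secret)
    status, raw = _post(url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {raw!r}")
    access_token = json.loads(raw)["access_token"]
    url, headers = build_revoke_request(upn, access_token)
    return parse_revoke_response(*_post(url, headers))


if __name__ == "__main__":
    cfg = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")}
    if not all(cfg.values()) or len(sys.argv) != 2:
        sys.exit("usage: TENANT_ID=... CLIENT_ID=... CLIENT_SECRET=... revoke.py user@example.com")
    ok = revoke_user_sessions(cfg["TENANT_ID"], cfg["CLIENT_ID"], cfg["CLIENT_SECRET"], sys.argv[1])
    print("sessions revoked" if ok else "revocation not confirmed")
```

Run it against a test account only: the call revokes every session for that user on every device, which is exactly the behaviour described under Important Notes below. A 200 response whose body contains "value": true confirms the revocation; a 403 means admin consent for the Graph permission was not granted or has not propagated yet.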

Import the Workspace ONE Intelligence Custom Connector

As in the previous step, I recommend using the same VMware TechZone article to configure the Custom Connector in Workspace ONE Intelligence. This is documented in Step 4, Set Up Freestyle Automation: https://techzone.vmware.com/resource/compliance-integration-ms-office-365-using-intelligence-and-graph-apis#set-up-freestyle-automation. When you are walking through the TechZone article, complete the Step 4 configuration steps until you arrive at “Figure 16: Intelligence Custom Connector Import Action.” Stop there and come back to this blog, as the next steps in the TechZone article will send you down the path of building an entirely different workflow than you need for this use case.

Important Notes

The token revocation targets the end user by UPN; it does not target a specific device or a specific Microsoft app. The result is that EVERY DEVICE and EVERY MICROSOFT APP signed in as that user loses its token when this command is triggered. Microsoft has not provided a method to pick and choose which app or which device the token is removed from. Two further consequences to plan for: the revocation invalidates the user’s refresh tokens, so access tokens an app has already obtained keep working until they expire, and the user will be prompted to sign in again on every device they use, including their own.

The second complication is that for shared device scenarios Workspace ONE UEM and Workspace ONE Intelligence do not store the previously logged-in user. Targeting the correct user for token revocation requires some creative configuration, which I will detail in an upcoming blog.
