Workspace ONE UEM Conditional Access Update with UEM 23.10
Since 2020 Workspace ONE UEM supports Conditional Access with Microsoft Azure AD (now Entra ID) . While last year VMware expanded support for Google BeyondCorp Conditional Access, I was still missing a nice GUI to see if a Device is registered or not and also a API that gets back the Registration was not there to easy identify Devices that are not registered. Now, in 2023 there is a improvement on this, VMware is providing the Device ID on the Device Details Page, Add the Registration Status to the Security Section and provides a API that shows the IDs and the Registered Environments , User and Device IDs with the respective Compliance Partner Integration.
While VMware supports even both integrations on a single Device, so you see also the Registration status for both Partnerships, in this sample I used separate Environments for this.
UEM GUI for Azure
When a Device is registered successful it shows as “Azure Active Directory Registration” with the green flag. Also the Azure Device ID is shown in the Device Info.
This is not limited to Android , iOS or macOS , Vmware also displays the Device ID and Status for Azure AD joined Windows Devices.
For devices that are not yet registered in Azure AD the Device ID is empty and it looks like this:
UEM GUI for Beyond Corp
When a Device is registered successful it shows as “Google BeyondCorp Registration” with the green flag. Also the Azure Device ID is shown in the Device Info.
UEM API
While the GUI in good for Helpdesk most automations may require a nice API and the good thing is this is there with 23.10 UEM as well. the API is using a “GET” to “https://{{API}}/API/mdm/devices/{{Device-UUID}}/conditional-access-device-registration-information” and you will see the Registration IDs and the partner type.
here a sample of the API Call:
I have posted the API in GitHub , so feel free to use that sample:
https://github.com/EUCPatrick/UEM-API-/blob/main/Conditional%20Access%20API.postman_collection.json
So make sure you have the API imported in Postman and have the Variables defined for API, Device-UUID, Auth & Tenant in the environments section to use the Postman Collection successful.
Closing Comments
Even this is just a minor enhancement it will help the Helpdesk to directly see if devices are registered or not and also obtain the Device ID to lookup logs for example in Azure / Entra ID.
Many thanks to Eric Stillman for helping getting this feature out to our Customers and many thanks Jeremy Pinchon for helping on the BeyondCorp testing during Beta.
vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.
Peter Mohr
Nice article Patrick! Will you be able to create smart groups based on Azure registration status?
This would be fantastic! I guess that Intelligence can tag devices (if it can see the Entra ID DeviceId) but nicer if this was built-in for smart groups directly
Patrick Zoeller
Hi Peter,
Happy new year.
This is today (Dec 2023) not possible to create Smart groups based on Entra IDs. I would recommend to describe the use-case and open a Feature Request on AHA (https://kb.vmware.com/s/article/2960048) .
Feel free to post the ID here or via Slack/Mail for visibility.
Patrick Zoeller
Hi Peter,
as of today (Feb 2024) in UEM 23.10.0.4 or newer you will have the Device ID in Intelligence and can run Reports and also Automations based on this .
best regards
Patrick