Microsoft Apps Support
Android apps from Microsoft share the authenticated user token and user identity between Microsoft apps installed on a device.
For example, when a user opens the Microsoft Teams app and authenticates to it, the user wouldn't need to authenticate again when opening another Microsoft app on the device, because the Teams app shares the authentication token with other Microsoft apps.
Token sharing is handled by the Microsoft Authenticator app. The Authenticator app takes part in the authentication process for Microsoft apps, is capable of storing the authentication ticket, and shares it with other Microsoft apps.
Requirements
Imprivata MDA supports the following methods of Microsoft apps configuration for automatic app login and logout.
- MSAL (Authenticator in Shared Device Mode) configuration. MSAL bases its functionality on the Microsoft Authenticator app. With MSAL, Microsoft apps delegate password authentication to Microsoft Authenticator, which requires an Imprivata Enterprise Access Management (OneSign) profile to proxy the password to the Authenticator app.
  Microsoft apps that are integrated with MSAL handle logouts with MSAL capabilities and don't require Imprivata Enterprise Access Management profile-based logouts like Clear data or Force stop.
- No Auth Brokers configuration. The Imprivata MDA Mobile App profile handles credential proxying and app logout.
The method you choose depends on a number of factors, including:
- Whether the Microsoft apps you want to deploy support the MSAL APIs. Currently, only Microsoft Teams and PowerApps support the MSAL APIs.
- Whether you are deploying a number of Microsoft apps or adding apps at a later date to a working configuration. When the various apps are deployed to a single device and you later deploy additional apps, the new apps must be properly configured. You may need to edit the profile to add specific logout actions for the particular app.
Limitations
Consider the following limitations:
- Microsoft Intune MDM doesn't support the "No Auth Brokers" configuration, because the Microsoft Authenticator app is installed on enrolled devices by default. The only supported configuration is MSAL, which requires the corporate-owned dedicated device enrollment type.
- Using the Company Portal authentication broker app is not supported.
- MSAL sign-in is supported only for Microsoft Entra ID or Active Directory users that have shared credentials with the domain.
Supported Configurations
Authentication Brokers Configurations
Authentication Brokers configuration | Login | Logout |
---|---|---|
No Auth Brokers | Accessibility / Autofill profile for Imprivata MDA managed app | Clear all data on managed app profile |
Microsoft Authenticator in Shared Device Mode (MSAL) | Autofill profile for Microsoft Authenticator | Logout handled with MSAL, do nothing for logout on managed app profile |
Microsoft Authenticator in personal mode | Not supported | |
Supported Configurations for Apps
App name | Package name | No Auth Brokers | MSAL (Authenticator in Shared Device Mode) | Notes |
---|---|---|---|---|
Microsoft Teams | com.microsoft.teams | yes | yes | |
Microsoft Outlook | com.microsoft.office.outlook | yes | no | Outlook is not integrated with MSAL, so it requires the ClearAllData logout method |
Microsoft Office | com.microsoft.office.officehubrow | yes | no | Office is not integrated with MSAL, so it requires the ClearAllData logout method |
PowerApps | com.microsoft.msapps | no | yes | PowerApps is integrated with MSAL; login for the app is completely handled with the Authenticator profile, logout is handled with MSAL |
Other Microsoft apps | n/a | yes | no | |
If you intend to install a number of Microsoft apps on devices, every installed app must have a proper logout method configured: if a single app isn't logged out during a user switch, the other apps won't be logged out either.
Examples
The following table details some example combinations of Microsoft apps and their support:
Apps | No Auth Brokers: Profiles | No Auth Brokers: Notes | MSAL (Authenticator): Profiles | MSAL (Authenticator): Notes |
---|---|---|---|---|
Microsoft Teams | | | | |
Microsoft Teams, Microsoft Outlook | | | | Outlook is not integrated with MSAL; this is why Outlook needs ClearAllData for logout. |
Microsoft Teams, Microsoft Outlook, PowerApps | Not supported | The app list is not supported because PowerApps doesn't support the No Auth Brokers configuration | | PowerApps is integrated with MSAL; login for the app is completely handled with the Authenticator profile, logout is handled with MSAL |
Microsoft Teams, Microsoft Outlook, AnotherApp1, AnotherApp2 | | | | |
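As an added example that is not part of this page or of Imprivata's software, the following Python turns the two tables above into a pre-deployment check: given the planned app list, the chosen configuration and the logout actions set in the managed app profiles, it reports every app that would block a clean user switch. It assumes that an app marked "no" in the MSAL column is handled like Outlook (deployable under the MSAL configuration with a ClearAllData logout); the package names are the ones listed in the apps table.

```python
# Added example, not Imprivata code: encodes the support matrix from the
# "Supported Configurations for Apps" table and the logout rules from its
# Notes. Assumption: an app marked "no" for MSAL behaves like Outlook, i.e.
# it can still be deployed in the MSAL configuration with a ClearAllData
# logout in its managed app profile.

# (supports No Auth Brokers, integrated with MSAL), keyed by package name.
SUPPORT = {
    "com.microsoft.teams": (True, True),
    "com.microsoft.office.outlook": (True, False),
    "com.microsoft.office.officehubrow": (True, False),
    "com.microsoft.msapps": (False, True),
}
OTHER_MICROSOFT_APP = (True, False)  # "Other Microsoft apps" row


def required_logout(package, config):
    """Logout method the page prescribes for one app under a configuration,
    or None when the app cannot be used with that configuration at all."""
    no_auth_brokers, msal = SUPPORT.get(package, OTHER_MICROSOFT_APP)
    if config == "NoAuthBrokers":
        # Login via Accessibility/Autofill profile, logout via Clear all data.
        return "ClearAllData" if no_auth_brokers else None
    if config == "MSAL":
        # MSAL-integrated apps sign out through MSAL ("do nothing" in the
        # managed app profile); non-integrated apps still need ClearAllData.
        return "MSAL" if msal else "ClearAllData"
    raise ValueError(f"unknown configuration: {config}")


def check_deployment(packages, config, configured_logouts):
    """Validate a planned set of Microsoft apps for one shared device.

    configured_logouts maps package -> logout action set in its managed app
    profile ("ClearAllData", or "MSAL" meaning no profile logout action).
    Returns (supported, problems); because one app left signed in keeps
    every other app signed in during a user switch, any problem fails the
    whole set, not just that app.
    """
    problems = []
    for package in packages:
        needed = required_logout(package, config)
        if needed is None:
            problems.append(f"{package}: not supported with {config}")
        elif configured_logouts.get(package) != needed:
            problems.append(f"{package}: logout must be {needed}")
    return not problems, problems
```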
Deploy Mobile App Profiles
To handle password authentication, deploy the mobile app profiles for Microsoft Authenticator and Intune Managed Home Screen (MHS). For more information, also see Enable Imprivata MDA and Deploy Profiles.
Verify that you have imported the most current mobile app profiles available from the Imprivata Customer Experience Center.

- Log in to the Imprivata Customer Experience Center, click Product Downloads, then select OneSign.
- On the OneSign Downloads page, select Imprivata Mobile Device Access from the list.
- In the Downloads section, click MDA Application Profiles (all versions). The application profiles download to your computer.
- Extract the profiles to a location that is accessible to the Imprivata Admin Console. A single XML file (MDA_AppProfiles_<date>.xml) includes all of the supported profiles.
- In the Imprivata Admin Console, open the Applications menu, and click Single sign-on application profiles.
- Click Add App Profile > Import from file.
- Browse to the XML file, and import it.

To deploy the app profiles:
- In the Imprivata Admin Console, select the app profiles for Microsoft Authenticator and Intune Managed Home Screen, and click Deploy.
- Go to the Deployment section, and select Deploy This Application?.
- (Optional) To deploy the application to a subset of users, deselect Deploy to All Users and Groups?, and specify the membership.
- (Optional) If the app is sharing credentials, go to the Credentials section, select This application shares credentials?, and do one of the following:
  - To use the Imprivata domain credentials, select with the domain only, and select the required domain username format.
  - To share credentials with a desktop application, select with other applications, and select the credential store that is configured with the other application.
- Click Save.
NOTE: For more information about either option, see Credential Sharing.
Set up AppConfig Setting in Your MDM
This feature is configured via the AppConfig using an MDM. See the Imprivata MDA AppConfig Reference for supported MDM AppConfig keys.
To configure the ability for Imprivata MDA to automatically sign the user into Microsoft apps when using shared device mode, add the following key to AppConfig in your MDM:
- The AppConfig Configuration Key field for this feature is "ConfigFlags".
- The AppConfig Value Type for this feature is "String".
- The AppConfig Value is msalSdmOn.
To configure the ability for Imprivata MDA to automatically sign the user out of Microsoft apps when using shared device mode, add the following key to AppConfig in your MDM:
- The AppConfig Configuration Key field for this feature is "ConfigFlags".
- The AppConfig Value Type for this feature is "String".
- The AppConfig Value is followMsalGlobalSignout.
Deploy Microsoft Authenticator in Shared Device Mode
To deploy Microsoft Authenticator in shared device mode:
- In the Google Play store, install Microsoft Authenticator.
- Open the app and skip all of the blue first user experience screens.
- Click the top menu and select Settings.
- In the Work or school accounts section, click Register your device with your organization.
- Type the username of the Microsoft Entra ID Device Administrator account.
- Type the password for the user and click Sign in.
- After the device registration process completes, the Authenticator screen displays a message about shared device mode.