Setup platform support for Conditional Access with Relution

Overview

This setup guide explains how to connect Relution with Microsoft Entra/Intune to support Conditional Access for Android Enterprise, iOS, macOS, and Windows. Please ensure that all requirements are fulfilled before proceeding.

During this setup you will complete the following steps:

  1. Create an Entra ID application to authenticate your server with Relution’s microservice.
  2. Give consent to the multi-tenant Relution app to report compliance states to your Entra ID.
  3. Add Relution as a compliance partner in Intune.
  4. Verify successful setup via synchronization and status checks.

Each step is crucial for the next one, so please go through them carefully one by one, and whenever prompted to verify something, ensure it reports back success.

Once Entra ID is configured and user synchronization is complete, you can now navigate to Conditional Access in the settings.

Setting Overview

Support for Android Enterprise, iOS and macOS

Start the wizard to enable platform-specific support.

Setting Landingpage

Wizard (1): Create application

You may reuse the app from the Entra ID setup, but Relution recommends creating a separate app for clarity and security.

Create a new Entra ID application to authenticate with Relution’s backend. Contrary to the Entra ID setup, no MDM-specific app is needed — a basic App Registration is sufficient.

The link in the wizard will bring you to your Entra ID app registrations. After creating the app, proceed by entering the Application ID.

Wizard (2): Application IDs

Generate a Client Secret and enter both the Application ID and the Secret in the respective input fields in the wizard. Once verification succeeds, continue to the next step.

Wizard (3): Expose API

Due to Microsoft token validation limitations, you’ll need to expose a custom API scope.

In the Expose an API setting page of your Entra app, do the following:

  1. Click Add a scope.
  2. Fill in the necessary information.
    • Name the scope Relution.Auth
    • Set who can consent to Admins only
    • For the display name and description we suggest: Used by Relution to identify Tenant Ownership.
  3. Click on Add scope.
  4. You should see the scope in Scopes defined by this API.

At the top of the Expose an API view in Entra, you should see an Application ID URI. This value should be selected in the scope type. It should contain the client ID of the newly created app (step 1), or your domain if you reuse the one from the Entra ID setup. If it is neither of these, feel free to input your custom value.

Expose an API

You should now be able to successfully verify this step in the wizard.
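
To check the Expose an API settings outside the portal, the following added example (not part of Relution's documentation or tooling) audits an application object in the shape returned by Microsoft Graph for an app registration. The function name, the sample objects, and the exact-match comparison on the scope name are assumptions made for this example.

```python
import json

EXPECTED_SCOPE = "Relution.Auth"  # scope name given in the wizard step

def audit_exposed_api(app: dict) -> list:
    """Return findings for one application object; [] means it matches the guide."""
    findings = []
    app_id = (app.get("appId") or "").lower()
    uris = app.get("identifierUris") or []
    if not uris:
        findings.append("no Application ID URI is set")
    elif not any(app_id and app_id in uri.lower() for uri in uris):
        # Allowed by the guide (reused app or custom value), so only a notice.
        findings.append("notice: Application ID URI does not contain the client id")
    scopes = (app.get("api") or {}).get("oauth2PermissionScopes") or []
    exact = [s for s in scopes if s.get("value") == EXPECTED_SCOPE]
    if not exact:
        close = [s["value"] for s in scopes
                 if str(s.get("value", "")).lower() == EXPECTED_SCOPE.lower()]
        hint = f" (found {close[0]!r}, check spelling and case)" if close else ""
        findings.append(f"scope {EXPECTED_SCOPE} is not defined{hint}")
        return findings
    scope = exact[0]
    if scope.get("type") != "Admin":  # "Admin" corresponds to Admins only
        findings.append("scope can be consented by users, not Admins only")
    if not scope.get("isEnabled", False):
        findings.append("scope is disabled")
    return findings

# Constructed sample objects (not real tenant data), shaped like a Graph application.
GOOD = json.loads("""{
  "appId": "11111111-2222-3333-4444-555555555555",
  "identifierUris": ["api://11111111-2222-3333-4444-555555555555"],
  "api": {"oauth2PermissionScopes": [
    {"value": "Relution.Auth", "type": "Admin", "isEnabled": true,
     "adminConsentDisplayName": "Used by Relution to identify Tenant Ownership."}]}
}""")
BAD = json.loads("""{
  "appId": "11111111-2222-3333-4444-555555555555",
  "identifierUris": [],
  "api": {"oauth2PermissionScopes": [
    {"value": "Relution.Auth", "type": "User", "isEnabled": false}]}
}""")

if __name__ == "__main__":
    for name, app in (("good", GOOD), ("bad", BAD)):
        print(name, audit_exposed_api(app) or "matches the guide")
```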

Wizard (4): Add Compliance Partner

In Intune Partner Compliance Management, add Relution as a compliance partner for every platform that you want to be synced.

Intune Compliance Partner Overview

Compliance Partner Link Step 1

Compliance Partner Link Step 2

Steps:

  1. Click Add compliance partner.
  2. Select the platform you want to sync (you can repeat these steps for all platforms).
  3. Assign a group of users that should be synced. You can also select Add all users but ensure you retain access.
    • As of now, excluding groups won’t have any effect.
  4. After reviewing that everything was selected correctly, you can click on Create.
  5. You should see Relution with a status of 🔄 Pending activation for that platform. Status might differ if this is not your first setup.

This step will only work if at least one platform was linked in the previous step.

Now grant admin consent to our multi-tenant app Relution. This step is necessary so that Relution is allowed to actually manipulate compliance states of your Entra ID devices. A new tab will open (check for pop-up blockers). After successfully granting consent, you’ll see a confirmation page: "Success! You can now close this tab." Close this extra tab and continue with the wizard.

Consent

Wizard (6): Synchronize

Lastly, synchronize the Entra ID groups. During this synchronization, Relution will ensure a correct setup and sync the groups you configured in the wizard during step 4.

In the Intune Partner Compliance Management setting, Relution should now be shown as ✅ Active.

If you make changes to groups or platforms in Intune, remember to manually trigger a sync in Relution.

Support for Windows

To enable Windows device support, simply activate the following option:

Setting Landingpage

Windows devices should now sync their compliance status successfully.