Workspace ONE and Azure AD: Part 2

Series Index

  1. Pre-Requisites and Anchor Applications
  2. Workspace ONE Unified App Catalog and Hub Services (you are here)
  3. Azure MFA for Workspace ONE Enrollment and Published Apps
  4. Device Platform: Windows 10 (coming soon)
  5. Device Platform: iOS and Android (coming soon)


Part 1 of this series opened with the business aspects of making investments in Workspace ONE and Microsoft 365, as well as how to integrate both platforms for adopting new use cases. Part 2 will cover how to create the unified app catalog, providing each of our personas with an “any app, any device, at any time” experience. This function is what enables the vast array of personas to consume a common set of resources from their preferred platform, all with dynamic forms of single sign-on to maintain a healthy security posture. It’s also one of the four key value adds from Workspace ONE Advanced.


Very quickly, let’s remind ourselves of the architecture we’re working from in this series:

To quote the excerpt from Part 1:

Take notice that the end users begin consuming various services and applications by first launching the Workspace ONE app catalog, regardless of the federated architecture. The value add from this flow is that our users can go to one location, the Unified App Catalog, to consume any application or resource across the landscape.

The How

Over the next few subsections, we’ll configure the necessities for exposing Azure AD entitlements to the Workspace ONE unified app catalog. These will be combined with the mobile equivalents, virtual apps provided by VMware Horizon, and Workspace ONE Hub Services People Search/Notifications functionality. Here’s a sneak peek of the experience using the web and mobile catalogs:

Intelligent Hub – Web
Intelligent Hub – iOS

Anchor Application

In Part 1, we created the Office365 with Provisioning application from the cloud app catalog. This app instantiates the trust with Azure AD as a service provider. Unfortunately, it only serves as a simple redirect to the Office 365 portal. Who wants to be redirected from a catalog to another catalog?! Also keep in mind that we entitled this application to ‘ALL USERS’ in Workspace ONE Access. This is because AuthZ is maintained in Azure AD, while all AuthN is fulfilled by Workspace ONE. You can limit the scope of this entitlement as needed, but be certain every resource in Azure AD is entitled to this special application in Workspace ONE.

Since redirecting from one catalog to another is the antithesis of what we’re trying to accomplish, let’s hide the anchor app in the catalog to avoid user confusion:

Navigate to your Office365 with Provisioning application in the Workspace ONE Access admin console, then select Edit -> Configuration -> Advanced Properties:

Scroll to the bottom of the configuration menu, and deselect ‘Show in User Portal’:

Press ‘Next’ twice, then ‘Save’. The result is a hidden anchor app that allows users to AuthN with Workspace ONE Access when consuming an Azure entitled resource.

Link Structure

With our anchor app in place, it’s time to create smart links representing Office 365 productivity and collaboration services, as well as all service providers federated with Azure AD as the IdP.

Let’s take a look at an example link, PowerPoint, and break down the components:
Core Subdomain –

Most things Office 365 and Azure AD start with this subdomain; ‘Login’ is the front door to Azure AD AuthN. Some service providers require SP-Init flows which impact this front door, but we’ll dig deeper into that a little later.

Requested Resource –

This hex encoded value is what tells Azure AD where the user wants to go; in this case, the web version of PowerPoint. This URI will drastically change from service to service, but can be grouped by WS-Fed or OAuth launch links.

Domain Hint –

The last component is the secret sauce called auto-acceleration. By default, Azure AD will initially perform home realm discovery at time of AuthN in order to direct the user to the correct single sign-on provider. In short, this is why you are asked for your email/UPN each time you launch The smart link configuration is simply hinting the domain as a component of the request so that the user isn’t required to identify themselves twice; Workspace ONE already knows who the user is.

Example Links

Below is a non-exhaustive list of links I have constructed over time, with the help of this tool. Microsoft is actively moving many of these services over to the OAuth AuthZ construct, so while the tool is helpful in getting started, it is incorrect in many cases. A few guiding principles:

  1. For Microsoft services, use the combination of WS-Fed/OAuth launch links below. Keep in mind, WS-Fed links will ultimately transition to OAuth – keep an eye on them for changes.
  2. For Azure federated service providers, use the MyApps launch link structure exampled below. This allows your identity team to manage the appropriate AuthN flow for the SP as a component of federation. More importantly, it ensures your links are always valid despite shifting federation
  3. Anything within {braces} below is an element that you will need to individualize to your environment
Documented Smart Links
Azure Admin Center:{}

Exchange Admin Center:{}

MS Excel:{}

MS OneDrive:{your_tenant_here}{}

Outlook Web Access:{}

MS PowerPoint:{}

MS SharePoint:{your_tenant_here}{}

MS Teams:{}

MS Word:{}

Office 365 Admin Center:{}

Power BI:{}

MyApps Service Provider Example:{}/signin/{Service}%20{Name}%20{Here}/{Application_Guid_Goes_Here}
Create Workspace ONE Access Smart Link

To demonstrate, let’s create an example smart link for Amazon Web Services management console that is federated with Azure AD.

Navigate to the Workspace ONE Access Web Apps under Catalog and select ‘New’:

Provide a name and icon for the application, then press ‘Next’:

Login to the Azure Admin Center and select the ‘Azure Active Directory’ blade form the left panel. Choose ‘Enterprise Applications’:

Select the ‘Amazon Web Services’ application that your identity team would have federated with Azure AD:

What we’re most interested in is the ‘User access URL’, which corresponds to the MyApps launch link that we will modify for auto-acceleration. Select the ‘Copy’ icon next to ‘User access URL’:

Back in Workspace ONE Access, choose ‘Web Application Link’ for the Authentication Type, and provide a ‘Target URL’ using the link copied from Azure, but with the Azure AD domain defined as the first sub-directory (see above reference for placement):

Select ‘Save and Assign’ after confirming the smart link application details:

Select which users and/or groups you would like for this application to be assigned to, then select ‘Save’. Remember, this assignment is not an entitlement to the underlying service provider, only an entitlement to an application within the Workspace ONE scope for catalog consumption:

Repeat this process for all of your enterprise applications, including and especially the Office 365 productivity and collaboration services.

Mobile and Virtual Apps

The power of the above, combined with virtual apps from VMware Horizon and mobile apps from Workspace ONE UEM, provides a dynamic, mobile-first experience for each of our personas using “any app, on any device, at any time”. More importantly, we’ve decoupled the user experience from the IT churn that comes with enterprise tooling lifecycles (think: the commission and decommission of enterprise tools). Swapping IdPs, migrating VDI environments, introducing new SaaS applications; all of these ordinary events can happen in amongst the normal course of business with near immediate end user adoption from a single data plane.

Workspace ONE Hub Services

In the spirit of curating a single data plane for your end users to consume all things ‘enterprise’, I thought it would be worth mentioning other areas of Workspace ONE Hub Services that drive adoption of the overall platform. People Search and the enhanced Notifications engine provide mission critical information to your personas from the Intelligent Hub. This is particularly useful for our road warriors who are leveraging mobile devices to perform business transactions with your customers in real-time.

The configuration of these two items is slightly out of scope for this post, but I will link to the well-crafted documentation that defines the steps to activate these within your Workspace ONE Access tenant.


We’ve all been there: opening a mail client to query GAL for hierarchy or find our manager’s mobile number. The challenge with this is that mail clients aren’t designed to be HR systems; insert Workspace ONE Hub Services: People. What started as a separate app, People Search, has been collapsed into all versions of the Workspace ONE Intelligent Hub. The People tab in the unified app catalog is a great way to find colleagues within your organization, view the hierarchy of your team structure, or locate important contact information for anyone within the directory. This is an obvious reinforcement to Workspace ONE Intelligent Hub serving as the ‘all things enterprise’ point of consumption.


Workspace ONE Hub Services Notifications is a fairly recent enhancement to the platform, and boy is it powerful. I’ve already seen customers leverage this functionality for use cases such as emergency alerting, outage information, DevOps workflows, enterprise wide polling/voting, actionable reminders (benefits elections), so on and so on. If you can imagine putting content in a notification, actionable or otherwise, there’s a very slim chance it won’t fit into a use case for this function in Hub Services. The magic behind the engine is that because Workspace ONE Access and UEM are so tightly aligned, you can dynamically choose if the notification should target a device and/or user population. Regardless of scope, Intelligent Hub is the delivery mechanism.

Generating a custom notification:

Receiving and viewing notification on iPad:

The Outcome: Part 2

With this configuration, we have enabled a common, consistent and platform agnostic point of consumption for all of our use cases defined in Part 1. Moreover, with the Hub Services unified app catalog referencing our enterprise entitlements in Azure AD, we have disconnected the end user experience from the IT administration of federated identity. Our users can go to one location, the Workspace ONE unified app catalog, to consume any application or resource across the landscape.

In Part 3, we’ll dive deep on securing this unified experience by defining managed vs. known credentials, integrating Azure MFA with Workspace ONE, and defining the use cases where MFA enforcement is appropriate.

Tags: , , , , ,