This post will show how you can add a third party app that supports SAML to Azure AD, and then create a Conditional Access policy so that only compliant devices can access that third party cloud resource.
In my example I have signed up for a GoToMeeting trial. I will add the GoToMeeting app to Azure AD and configure its single sign-on options to use SAML, and then on the GoToMeeting side I will configure Azure AD as the Identity Provider. Once this is set up, I will create a Conditional Access policy that requires devices to be compliant in order to access GoToMeeting. When logging in to GoToMeeting with a work account, GoToMeeting will redirect me to sign in through Azure AD, and the Conditional Access policy will kick in at that point.
Always test Conditional Access with test users, and plan thoroughly for any changes in a production environment. The information below is for testing purposes only.
Single Sign-On SAML protocol
Single sign-on to applications in Azure Active Directory
Tutorial: Azure Active Directory integration with GoToMeeting
What is conditional access in Azure Active Directory?
Tutorial: Configure GoToMeeting for automatic user provisioning
In Azure Active Directory, go to Enterprise applications, then click on New application.
Search for the application. Note that it says it supports SAML-based sign-on for the Single Sign-On Mode. Click on Add.
Once the application has been added, I will give access to my test users by clicking on Users and groups, and then Add user.
Now I will configure SAML as the single sign-on mode. Click on Single sign-on on the left hand side, then select SAML.
In the Identifier (Entity ID) field I have put https://authentication.logmeininc.com/saml/sp, in the Reply URL (Assertion Consumer Service URL) field https://authentication.logmeininc.com/saml/acs, and Relay State
Now I am going to download the Federation Metadata XML and upload it to the GoToMeeting site.
Logged in with my admin account at https://organization.logmeininc.com/, in the Identity provider section I have selected Upload SAML metadata file. The file contains all the Azure AD information (issuer, sign-on URL and signing certificate) and configures Azure AD as the identity provider.
Now, with a test user, I will log in at https://www.gotomeeting.com/meeting/sign-in and select My Company ID so that it redirects me to my identity provider (Azure AD).
As expected, it has redirected me to Azure AD. I can confirm that the SAML single sign-on mode has been configured successfully.
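Before uploading the Federation Metadata XML to the SP it is worth checking what it actually contains, because the IdP issuer, the sign-on endpoint and the signing certificate in that file are what GoToMeeting will trust from now on, and an expired or rolled-over signing certificate is the usual reason a working SAML integration suddenly stops. The script below is an added example and not part of the original post or of any Microsoft or LogMeIn tooling; it assumes the downloaded file is named FederationMetadata.xml in the current directory (the actual download name from the portal may differ).

```powershell
# Inspect an Azure AD federation metadata file before handing it to the SP.
# Assumed file name (not from the post): .\FederationMetadata.xml
param([string]$Path = ".\FederationMetadata.xml")

# Namespaces used by SAML 2.0 metadata and XML-DSig.
$ns = @{
    md = "urn:oasis:names:tc:SAML:2.0:metadata"
    ds = "http://www.w3.org/2000/09/xmldsig#"
}
[xml]$xml = Get-Content -Path $Path -Raw

# The entityID is the Issuer value the SP will expect in every assertion.
$entity = (Select-Xml -Xml $xml -XPath "/md:EntityDescriptor" -Namespace $ns).Node
"IdP entityID (assertion Issuer the SP must trust): $($entity.entityID)"

# SSO endpoints by binding: this is where GoToMeeting will redirect the browser.
Select-Xml -Xml $xml -XPath "//md:IDPSSODescriptor/md:SingleSignOnService" -Namespace $ns |
    ForEach-Object { "SSO  $($_.Node.Binding)  ->  $($_.Node.Location)" }

# Signing certificates: the SP verifies assertion signatures with these, so note the expiry.
$certXPath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
Select-Xml -Xml $xml -XPath $certXPath -Namespace $ns | ForEach-Object {
    $raw  = [Convert]::FromBase64String(($_.Node.InnerText -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    "Signing cert: $($cert.Subject)  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter.ToString('u'))"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate expires within 30 days; plan a certificate rollover on the SP side."
    }
}
```

Run it as `.\Inspect-FederationMetadata.ps1 -Path .\FederationMetadata.xml`. The entityID it prints is tenant-specific, so if you later move the app to a different tenant or Azure AD rotates the app's signing certificate, the metadata has to be re-uploaded on the GoToMeeting side; the warning threshold of 30 days is an arbitrary choice for the example.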
Next I will add the Conditional Access policy.
Under Cloud apps, GoToMeeting now appears because we added it earlier. I will select it as the Cloud app.
I will configure it to apply to all device platforms.
I have configured it to apply to the Browser and Mobile apps and desktop clients client app types.
In this test example, I have configured the grant control to require the device to be marked as compliant, so only Intune-enrolled compliant devices can access GoToMeeting.
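The same policy can be created with the Microsoft Graph PowerShell SDK, which makes it easy to start in report-only mode and scope it to a test group before enforcing it, in line with the warning at the top of the post. The script below is an added example, not code from the original post or from Microsoft's documentation; the group name CA-Test-Users and the enterprise app display name GoToMeeting are assumptions, and you need the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications and Microsoft.Graph.Groups modules installed.

```powershell
# Create "require compliant device for GoToMeeting" as a report-only policy scoped to a test group.
# Assumed names (not from the post): group "CA-Test-Users", enterprise app "GoToMeeting".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Conditional Access references the app by its appId (client ID), not the service principal object id.
$app   = Get-MgServicePrincipal -Filter "displayName eq 'GoToMeeting'"
$group = Get-MgGroup -Filter "displayName eq 'CA-Test-Users'"
if (-not $app -or -not $group) { throw "Enterprise app or test group not found; check the display names." }
if (@($app).Count -gt 1)       { throw "More than one service principal named GoToMeeting; pick one by Id." }

$policy = @{
    displayName = "Require compliant device - GoToMeeting (test)"
    # Report-only: evaluates and logs the result in sign-in logs without blocking anyone.
    # Change to "enabled" only after reviewing those results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @($app.AppId) }
        platforms      = @{ includePlatforms = @("all") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) ($($created.DisplayName)) in state $($created.State)"
```

After a few sign-ins from enrolled and non-enrolled devices, the Conditional Access tab of each entry in the Azure AD sign-in logs shows whether the policy would have blocked or allowed the request; only once that matches what you expect should the state be switched to enabled, and even then keep at least one break-glass account excluded from the policy.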
Now let's log in at https://www.gotomeeting.com/meeting/sign-in with My Company ID.
It redirects us to Azure AD, as we configured Azure AD as the identity provider earlier (and the domain used in my UPN was also added and verified in GoToMeeting).
Now, because my device is not enrolled in Intune, I am blocked from accessing the GoToMeeting cloud resource, as expected.
I have installed the GoToMeeting app on an Android phone, and the user experience there is the same, as expected.
On an Intune-enrolled compliant device I can log in fine, as expected (or you can launch the app from myapps.microsoft.com).