Microsoft Apps Support

Android apps from Microsoft share the authenticated user token and user identity between Microsoft apps installed on a device.

For example, when a user opens the Microsoft Teams app and authenticates to it, the user wouldn't need to authenticate again when opening another Microsoft app on the device, because the Teams app shares the authentication token with other Microsoft apps.

Token sharing is handled by the Microsoft Authenticator app. The authenticator app takes part in the authentication process to regular Microsoft apps, is capable of storing the authentication ticket, and shares it with other Microsoft apps.

Requirements

Imprivata MDA supports the following methods of Microsoft apps configuration for automatic app login and logout.

MSAL (Authenticator in Shared Device Mode) configuration. MSAL bases its functionality on the Microsoft Authenticator app. With MSAL, Microsoft apps delegate password authentication to Microsoft Authenticator which requires an Imprivata Enterprise Access Management (OneSign) profile to proxy the password to the Authenticator app.

Microsoft apps that are integrated with MSAL handle logouts with MSAL capabilities and don't require Imprivata Enterprise Access Management profile-based logouts like Clear data or Force stop.
No Auth Brokers configuration. The Imprivata MDA Mobile App profile handles credentials proxying and app logout.

The method you choose depends on a number of factors, including:

Whether the Microsoft apps you want to deploy supports the MSAL APIs. Currently, only Microsoft Teams and PowerApps support the MSAL APIs.
Deploying a number of Microsoft apps or adding additional apps at a later date to a working configuration. When the various apps are deployed to a single device, and then at a later date, you deploy additional apps, the new apps must be properly configured. You may need to edit the profile to add specific logout actions for the particular app.

Limitations

Consider the following limitations:

Microsoft Intune MDM doesn't support the "No Auth Brokers" configuration, because the Microsoft Authenticator app is installed on enrolled devices by default.

The only supported configuration is MSAL, which requires the corporate-owned dedicated device type of enrollment.
Using the Company Portal authentication broker app is not supported.

Supported Configurations

Authentication Brokers Configurations

Authentication Brokers configuration	Login	Logout
No Auth Brokers	Accessibility / Autofill profile for Imprivata MDA managed app	Clear all data on managed app profile
Microsoft Authenticator in Shared Device Mode (MSAL)	Accessibility / Autofill profile for Microsoft Authenticator	Logout handled with MSAL, do nothing for logout on managed app profile
Microsoft Authenticator in personal mode		Not supported

Supported Configurations for Apps

App name	Package name	Configurations
		No Auth Brokers	MSAL (Authenticator in Shared Device Mode)	Notes
Microsoft Teams	com.microsoft.teams	yes	yes
Microsoft Outlook	com.microsoft.office.outlook	yes	no	Outlook is not integrated with MSAL which requires the ClearAllData logout method
Microsoft Office	com.microsoft.office.officehubrow	yes	no	Office is not integrated with MSAL which requires the ClearAllData logout method
PowerApps	com.microsoft.msapps	no	yes	PowerApps is integrated with MSAL; login for the app is completely handled with Authenticator profile, logout handled with MSAL
Other Microsoft apps	n/a	yes	no

IMPORTANT:

If you intend to install a number of Microsoft apps to devices, all of the installed apps must have proper logout methods configured, because if a single app isn't logged out during user switch, any other apps will not be logged out either.

Examples

The following table details some example combinations of Microsoft apps and their support:

	No Auth Brokers		MSAL (Authenticator)
Apps	Profiles	Notes	Profiles	Notes
Microsoft Teams	Microsoft Teams with ClearAllData for logout		Microsoft Authenticator with "Do nothing" for logout Microsoft Teams with "Do nothing" for logout	Microsoft Teams profile handles username proxying, password proxying is handled with Authenticator profile. Microsoft Teams app logout is handled solely with MSAL logout.
Microsoft Teams Microsoft Outlook	Microsoft Teams with ClearAllData for logout Outlook with ClearAllData for logout		Microsoft Authenticator with "Do nothing" for logout Microsoft Teams with "Do nothing" for logout Outlook with ClearAllData for logout	Outlook is not integrated with MSAL; this is why Outlook needs ClearAllData for logout.
Microsoft Teams Microsoft Outlook PowerApps	Not supported	The app list is not supported because PowerApps doesn't support No Auth Brokers configuration	Microsoft Authenticator with "Do nothing" for logout Microsoft Teams with "Do nothing" for logout Outlook with ClearAllData for logout	PowerApps is integrated with MSAL; login for the app is completely handled with Authenticator profile, logout handled with MSAL
Microsoft Teams Microsoft Outlook AnotherApp1 AnotherApp2	Microsoft Teams with ClearAllData for logout Outlook with ClearAllData for logout AnotherApp1 with ClearAllData for logout AnotherApp2 with ClearAllData for logout		Microsoft Authenticator with "Do nothing" for logout Microsoft Teams with "Do nothing" for logout Outlook with ClearAllData for logout AnotherApp1 with ClearAllData for logout AnotherApp2 with ClearAllData for logout

Deploy Microsoft Authenticator in Shared Device Mode

To deploy Microsoft Authenticator in shared device mode:

In Google Play store, install Microsoft Authenticator.
Open the app and skip all of the blue first user experience screens.
Click the top menu and select Settings.
In the Work or school accounts section, click Register your device with your organization.
Type the username of the Microsoft Entra ID Device Administrator account.
Type the password for the user and click Sign in.
After the device registration process completes, the Authenticator screen displays a message on shared device mode.