Creating application API for WorkZone Mobile app clients

For a single sign-on experience with the WorkZone Mobile app, you need to set up a separate application registration and then use the Client ID of this registration in the Intune application configuration policy.

For detailed explanation, see Microsoft article Configure an app to access a web API - Microsoft identity platform.

Register the application API

See Microsoft article on how to register an app or a web API for the detailed steps.

  1. Log in to the Microsoft Azure portal.
  2. Click App registrations. The registration must be in the same tenant in which your WorkZone web application proxy was created.
  3. Click New registration.
  4. Specify the following settings:
    • Name: Enter a name for your WorkZone Mobile app API. For example: WorkZoneMobileAppAPI.
    • Supported account type: Accounts in this organizational directory only (Single tenant)
    • Redirect URI: Leave empty. You will add it later.
  5. Click Register.

Add a redirect URI

See Microsoft quickguide on adding a redirect URI for the detailed steps.

  1. Click App registrations, and select the WorkZone Mobile application you have created in the previous step.
  2. Under Manage, click Authentication > Add a platform.
  3. Add the needed platforms and specify the following settings:
    1. Platform: Web.
      • Redirect URIs: enter the redirect URI in the following format "https://[your workzone-url]/oauth2/signin-oidc". For example: https://test.workzone-rd.dk/oauth2/signin-oidc.
    2. Platform: iOS/macOS.
      • Bundle ID: Enter dk.kmd.workzone.intune. The Redirect URI will be generated automatically.
    3. Android platform is currently not supported.

Add API permissions

See Microsoft quickguide on how to add API permissions for the detailed steps.

  1. Under Manage, select API permissions > Add a permission.
  2. On the Microsoft APIs tab, click Microsoft Graph > Delegated permissions.
  3. Select the following permissions:
    • Directory.AccessAsUser.All
    • Directory.Read.All
    • Group.Read.All
    • User.Read
    • User.Read.All
    • User.ReadBasic.All
    Tip: You can also quickly find the needed permission by typing its title into the Select permissions search bar.
    Note: Make sure to grant admin consent for the permissions, where required.
  4. Click Add permissions.
  5. On the APIs my organization uses tab, find and select your WorkZone web proxy app.
  6. Click Delegated permissions.
  7. Select user.impersonation permission, and click Add permissions.

Configure tokens

  1. Under Manage, select Token configurations > Add optional claim.
  2. Specify the following settings:
    • Token type: ID.
    • Claim: upn.
  3. Note: If prompted, select Turn on the Microsoft Graph profile permission (it may be required for the claim to appear in the token).
  4. Click Add.
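The same registration as a script, added here as an example and not part of the WorkZone documentation: it uses the Microsoft Graph PowerShell SDK, resolves the permission names above to their IDs instead of hardcoding GUIDs, and treats $WorkZoneUrl and $ProxyAppId as placeholders for your own values. The iOS/macOS platform and admin consent are still done in the portal as described above.

```powershell
# Added example, not part of the WorkZone documentation: create the API app
# registration described above with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# may create app registrations. Placeholders: $WorkZoneUrl, $ProxyAppId.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$WorkZoneUrl = 'test.workzone-rd.dk'   # the page's example host; use your own
$ProxyAppId  = '<client ID of your WorkZone web proxy app>'   # placeholder
$GraphAppId  = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID

# Look up delegated permission IDs by name on the resource's service principal,
# so no permission GUIDs need to be hardcoded.
function Get-DelegatedScopeIds {
    param([string]$ResourceAppId, [string[]]$Names)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $sp) { throw "No service principal found for app ID $ResourceAppId" }
    foreach ($name in $Names) {
        $scope = $sp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
        if (-not $scope) { throw "Delegated permission '$name' not exposed by $ResourceAppId" }
        @{ Id = $scope.Id; Type = 'Scope' }   # Type 'Scope' = delegated permission
    }
}

# Microsoft Graph delegated permissions listed under "Add API permissions".
$graphScopes = @('Directory.AccessAsUser.All', 'Directory.Read.All', 'Group.Read.All',
                 'User.Read', 'User.Read.All', 'User.ReadBasic.All')
# The proxy app's own delegated scope; Azure names the default scope
# user_impersonation (the page writes it as user.impersonation).
$proxyScopes = @('user_impersonation')

$requiredAccess = @(
    @{ ResourceAppId = $GraphAppId; ResourceAccess = @(Get-DelegatedScopeIds $GraphAppId $graphScopes) },
    @{ ResourceAppId = $ProxyAppId; ResourceAccess = @(Get-DelegatedScopeIds $ProxyAppId $proxyScopes) }
)

# Single tenant ("Accounts in this organizational directory only"), the Web
# redirect URI from "Add a redirect URI", and the upn claim in the ID token.
$app = New-MgApplication -DisplayName 'WorkZoneMobileAppAPI' `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @("https://$WorkZoneUrl/oauth2/signin-oidc") } `
    -RequiredResourceAccess $requiredAccess `
    -OptionalClaims @{ IdToken = @(@{ Name = 'upn' }) }

# The iOS/macOS platform (bundle ID dk.kmd.workzone.intune) and admin consent
# are still added in the portal, as described above.
"Client ID for the Intune app configuration policy: $($app.AppId)"
```

After the script runs, verify the result in the portal (Authentication, API permissions, Token configuration) before using the printed Client ID in the Intune policy.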