Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Microsoft Endpoint Manager

Cloudflare Zero Trust can integrate with Microsoft to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Microsoft. Devices are identified by their serial numbers.

​​ Prerequisites

Device posture with Microsoft Endpoint Manager requires:

  • An Intune license
  • Microsoft Endpoint Manager is managing the device.
  • Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to Service providers.

​​ 1. Obtain Microsoft Graph settings

The following values are required:

  • Client secret
  • Application (client) ID
  • Direct (tenant) ID

To retrieve those values:

  1. Log in to your Microsoft Dashboard.
  2. Go to App Registrations and select New Registrations.
  3. Copy the Application (client) ID value to a safe place. This will be your Client ID.
  4. Copy the Directory (tenant) ID value to a safe place. This will be your Customer ID.
  5. Go to Certificates & Secrets and select New client secret.
  6. Fill in a description and how long the secret should be valid.
  7. After completing the form, immediately copy the resulting secret. This will be your Client Secret.
  8. Go to API Permissions and select Add permission.
  9. Select Microsoft Graph.
  10. Select Application permissions.
  11. Add DeviceManagementManagedDevices.Read.All.
  12. If the permission status shows Not granted, select Grant admin consent.

​​ 2. Add Intune as a service provider

  1. Go to Settings > WARP Client.
  2. Scroll down to Device posture providers and select Add new.
  3. Select Microsoft Endpoint Manager.
  4. Give your provider a name. This name will be used throughout the dashboard to reference this connection.
  5. Enter the Client ID, Client secret and Customer ID as you noted down above.
  6. Select a Polling frequency for how often Cloudflare Zero Trust should query Microsoft Graph API for information.
  7. Select Save.
You will see the new provider listed under Settings > WARP Client > Device posture providers. To ensure the values have been entered correctly, select Test.

​​ 3. Configure the posture check

  1. In Zero Trust, go to Settings > WARP Client > Service provider checks.
  2. Select Add new.
  3. Select the Microsoft Endpoint Manager provider.
  4. Configure a device posture check and enter any name.
  5. Select Save.

Next, go to Logs > Posture and verify that the service provider posture check is returning the expected results.

​​ Device posture attributes

The Microsoft Endpoint Manager device posture check relies on information from the Microsoft Graph API. Refer to Microsoft’s ComplianceState and List managedDevices documentation for a list of properties returned by the API.

To learn more about how to control ComplianceState, refer to Microsoft’s compliance policies guide.