Microsoft Endpoint Manager
Cloudflare Zero Trust can integrate with Microsoft to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Microsoft. Devices are identified by their serial numbers.
Prerequisites
Device posture with Microsoft Endpoint Manager requires:
- An Intune license
- Microsoft Endpoint Manager is managing the device.
-
Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to Service providers.
1. Obtain Microsoft Graph settings
The following values are required:
- Client secret
- Application (client) ID
- Direct (tenant) ID
To retrieve those values:
- Log in to your Microsoft Dashboard.
- Go to App Registrations and select New Registrations.
- Copy the
Application (client) ID
value to a safe place. This will be your Client ID. - Copy the
Directory (tenant) ID
value to a safe place. This will be your Customer ID. - Go to Certificates & Secrets and select New client secret.
- Fill in a description and how long the secret should be valid.
- After completing the form, immediately copy the resulting secret. This will be your Client Secret.
- Go to API Permissions and select Add permission.
- Select Microsoft Graph.
- Select Application permissions.
- Add
DeviceManagementManagedDevices.Read.All
. - If the permission status shows Not granted, select Grant admin consent.
2. Add Intune as a service provider
- In Zero Trust ↗, go to Settings > WARP Client.
- Scroll down to Third-party service provider integrations and select Add new.
- Select Microsoft Endpoint Manager.
- Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
- Enter the Client ID, Client secret and Customer ID as you noted down above.
- Select a Polling frequency for how often Cloudflare Zero Trust should query Microsoft Graph API for information.
- Select Save.
You will see the new provider listed under Settings > WARP Client > Third-party service provider integrations. To ensure the values have been entered correctly, select Test.
3. Configure the posture check
- In Zero Trust ↗, go to Settings > WARP Client > Service provider checks.
- Select Add new.
- Select the Microsoft Endpoint Manager provider.
- Enter any name for the posture check.
- Configure the attributes required for the device to pass the posture check.
- Select Save.
- To test, go to Logs > Posture and verify that the service provider posture check is returning the expected results.
You can now use this posture check in a device posture policy.
Device posture attributes
The Microsoft Endpoint Manager device posture check relies on information from the Microsoft Graph API. Refer to Microsoft’s ComplianceState ↗ and List managedDevices ↗ documentation for a list of properties returned by the API.
To learn more about how to control ComplianceState, refer to Microsoft’s compliance policies guide ↗.