Microsoft Intune node
Lets you integrate with Microsoft Intune using Microsoft Graph APIs. Microsoft Intune lets you control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11 devices in your organization.
The Microsoft Intune node checks the device details and determines its compliance status. You can enable the Microsoft Intune node to save device information to shared state for subsequent use by other nodes in the journey.
For more information about Microsoft Intune, refer to the Microsoft Intune documentation.
Prerequisites
You must set up Microsoft Intune before using it in your Identity Cloud environment. Follow the Get started with your Microsoft Intune deployment document to set up and use a production version of Microsoft Intune.
Microsoft Intune requires a Microsoft Graph API app to be registered. Follow the register apps to use the Microsoft Graph API steps to complete the registration process.
In order to use the Microsoft Intune node, the TLS handshake must be completed before the request reaches Identity Cloud. During the TLS handshake, the device ID is obtained from the client certificate and set in the request header or the shared state. You can use ForgeRock Identity Gateway to complete the TLS handshake.
The DeviceID in SharedState toggle is used to determine where to look for the device ID value. If the DeviceID in SharedState toggle is enabled, the device ID is available in the shared state, and if it’s disabled, the device ID is in the header.
Configuration
An example journey using the Microsoft Intune node:

Properties
Property | Usage |
---|---|
DeviceID Attribute Name | Value of the |
DeviceID in SharedState | A boolean property. If enabled, the device ID is expected to be in shared state. This property is disabled by default to indicate that the device ID is located in the header. |
Tenant ID | Tenant's globally unique identifier (GUID) in Azure Active Directory (AD). |
Application (client) ID | The application ID or client ID is a value the Microsoft identity platform assigns to your application when you register it in Azure AD. |
Client Secret | Sometimes called an application password, a client secret is a string value your app can use in place of a certificate to identify itself. |
Azure Admin User Name | The administrative username in Azure. |
Azure Admin User Password | The administrative password in Azure. |
Save Device Properties to SharedState | If enabled, the device info is saved to the shared state. Refer to the Properties table in the Microsoft Intune documentation for the managed device properties. |
Save installed apps to SharedState | If enabled, the apps installed on the mobile device are extracted and saved to the shared state with the key name - |
Outcomes
Compliant - The device is compliant.
Not Compliant - The device does not comply with the policy.
In Grace Period - The device is not compliant, but it is in the grace period defined by the administrator.
Config Manager - The device is managed by Configuration Manager.
Conflict - Multiple settings are applied to the same device and Intune cannot sort out the conflict. An administrator should review.
No Id - No device ID is found in the header or shared state.
Status Unknown - The device is offline or failed to communicate with Intune or Azure AD.
Error - An error occurred within the node. The related stack trace and message are placed in the shared state.
For more information, refer to the Microsoft Graph API documentation on Compliance State.
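The following is an added example, not ForgeRock's or Microsoft's code, that walks through the two decisions the node makes as described above: where to read the device ID from (header or shared state, according to the DeviceID in SharedState toggle) and how a Microsoft Graph `managedDevice` `complianceState` value maps onto the node outcomes. The header and shared-state attribute name, the `intuneError` shared-state key, and the sample device records are assumptions constructed for the example; the `complianceState` values and the `managedDevices` endpoint are the ones Microsoft Graph documents.

```python
"""Added example: device ID resolution and compliance-state mapping
modelled on the Microsoft Intune node's documented behaviour.
Not the node's own implementation; names marked below are assumptions."""
import json
from enum import Enum


class Outcome(str, Enum):
    """Outcomes of the Microsoft Intune node, as listed on the page."""
    COMPLIANT = "Compliant"
    NOT_COMPLIANT = "Not Compliant"
    IN_GRACE_PERIOD = "In Grace Period"
    CONFIG_MANAGER = "Config Manager"
    CONFLICT = "Conflict"
    NO_ID = "No Id"
    STATUS_UNKNOWN = "Status Unknown"
    ERROR = "Error"


# microsoft.graph.complianceState enum values -> node outcome.
_COMPLIANCE_TO_OUTCOME = {
    "compliant": Outcome.COMPLIANT,
    "noncompliant": Outcome.NOT_COMPLIANT,
    "inGracePeriod": Outcome.IN_GRACE_PERIOD,
    "configManager": Outcome.CONFIG_MANAGER,
    "conflict": Outcome.CONFLICT,
    "unknown": Outcome.STATUS_UNKNOWN,
    "error": Outcome.ERROR,
}


def graph_device_url(device_id):
    """Graph v1.0 endpoint that returns a managedDevice by its Intune ID."""
    return f"https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{device_id}"


def resolve_device_id(headers, shared_state, attribute_name, device_id_in_shared_state):
    """Return the device ID from the location the toggle selects, or None.

    headers: request headers set by the TLS-terminating gateway.
    shared_state: the journey's shared state.
    attribute_name: the header or shared-state key (assumed to be what the
    DeviceID Attribute Name property configures).
    """
    if device_id_in_shared_state:
        value = shared_state.get(attribute_name)
    else:
        # Header names are case-insensitive, so match them that way.
        value = next((v for k, v in headers.items()
                      if k.lower() == attribute_name.lower()), None)
    if value is None:
        return None
    value = str(value).strip()
    return value or None  # an empty value counts as "no ID"


def outcome_for_device(managed_device_json):
    """Map a Graph managedDevice JSON document to a node outcome."""
    try:
        device = json.loads(managed_device_json)
    except json.JSONDecodeError:
        return Outcome.ERROR
    state = device.get("complianceState")
    # Fail closed: an unrecognised or missing state is never treated as compliant.
    return _COMPLIANCE_TO_OUTCOME.get(state, Outcome.STATUS_UNKNOWN)


def evaluate(headers, shared_state, attribute_name, device_id_in_shared_state, fetch_device):
    """Full node flow: find the ID, look the device up, map the outcome.

    fetch_device(device_id) returns the Graph response body as a string;
    it is injected so the example runs offline against constructed data.
    """
    device_id = resolve_device_id(headers, shared_state, attribute_name,
                                  device_id_in_shared_state)
    if device_id is None:
        return Outcome.NO_ID
    try:
        body = fetch_device(device_id)
    except Exception as exc:  # transport or auth failure talking to Graph
        shared_state["intuneError"] = str(exc)  # assumed key name
        return Outcome.ERROR
    return outcome_for_device(body)


# Constructed sample responses keyed by device ID (not real devices).
SAMPLE_DEVICES = {
    "dev-0001": json.dumps({"id": "dev-0001", "complianceState": "compliant"}),
    "dev-0002": json.dumps({"id": "dev-0002", "complianceState": "inGracePeriod"}),
}


def sample_fetch(device_id):
    """Offline stand-in for a GET to graph_device_url(device_id)."""
    if device_id not in SAMPLE_DEVICES:
        raise LookupError(f"device {device_id} not found")
    return SAMPLE_DEVICES[device_id]


if __name__ == "__main__":
    print(evaluate({"X-Device-Id": "dev-0002"}, {}, "x-device-id", False, sample_fetch))
```

The value of `resolve_device_id` rests entirely on the gateway that terminated TLS: the header is trustworthy only because the gateway extracted it from the client certificate and overwrites any copy of that header arriving from the client, so that stripping rule belongs in the gateway configuration alongside the node.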