Microsoft Intune node

Lets you integrate with Microsoft Intune using Microsoft Graph APIs. Microsoft Intune lets you control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11 devices in your organization.

The Microsoft Intune node checks the device details and determines its compliance status. You can enable Microsoft Intune node to save device information to shared state for subsequent use by other nodes in the journey.

For more information about Microsoft Intune, refer to the Microsoft Intune documentation.

Prerequisites

You must set up Microsoft Intune before using it in your Identity Cloud environment. Follow the Get started with your Microsoft Intune deployment document to set up and use a production version of Microsoft Intune.

Microsoft Intune requires a Microsoft Graph API app to be registered. Follow the register apps to use the Microsoft Graph API steps to complete the registration process.

To effectively use the Identity Cloud Microsoft Intune node, set these Microsoft Intune and Graph API permissions:

API / Permissions name Type Description

API / Permissions name	Type	Description
Microsoft Intune
`get_data_warehouse`	Delegated	Get data warehouse information from Microsoft Intune
`get_device_compliance`	Application	Get device state and compliance information from Microsoft Intune
`pfx_cert_provider`	Application	PFX certificate management
`scep_challenge_provider`	Application	SCEP challenge validation
`send_data_usage`	Application	Exchange device telecom and Wi-Fi data usage information with Microsoft Intune
`update_device_attributes`	Application	Send device attributes to Microsoft Intune
`update_device_health`	Application	Send device threat information to Microsoft Intune
Microsoft Graph API
`DeviceManagementManagedDevices.Read.All`	Delegated	Read Microsoft Intune devices
`User.Read`	Delegated	Sign in and read user profile

Microsoft Intune

get_data_warehouse

Delegated

Get data warehouse information from Microsoft Intune

get_device_compliance

Application

Get device state and compliance information from Microsoft Intune

pfx_cert_provider

Application

PFX certificate management

scep_challenge_provider

Application

SCEP challenge validation

send_data_usage

Application

Exchange device telecom and Wi-Fi data usage information with Microsoft Intune

update_device_attributes

Application

Send device attributes to Microsoft Intune

update_device_health

Application

Send device threat information to Microsoft Intune

Microsoft Graph API

DeviceManagementManagedDevices.Read.All

Delegated

Read Microsoft Intune devices

User.Read

Delegated

To use the Microsoft Intune node, ensure that TLS handshake is completed before the request accesses Intune node on Identity Cloud. During the TLS handshake process, the device ID is obtained from the client certificate and set in the request header or the shared state. You could use ForgeRock Identity Gateway to complete the TLS handshake.

The DeviceID in SharedState toggle is used to determine where to look for the device ID value. If the DeviceID in SharedState toggle is enabled, the device ID is available in the shared state, and if it’s disabled, the device ID is in the header.

Configuration

An example journey using the Microsoft Intune node:

Properties

Property Usage

Property	Usage
DeviceID Attribute Name	Value of the `SSL_Client_S_DN` from the client certificate presented at the TLS termination gateway. The format should be: `CN=f47d8e59-b60e-48a5-adc1-622cb2244zzz`.
DeviceID in SharedState	A boolean property. If enabled, the device ID is expected to be in shared state. This property is disabled by default to indicate that the device ID is located in the header.
Tenant ID	Tenant’s global unique identifier (GUID) in Azure Active Directory (AD).
Application (client) ID	The application ID or client ID is a value the Microsoft identity platform assigns to your application when you register it in Azure AD.
Client Secret	Sometimes called an application password, a client secret is a string value your app can use in place of a certificate to identify itself.
Azure Admin User Name	The administrative username in Azure.
Azure Admin User Password	The administrative password in Azure.
Save Device Properties to SharedState	If enabled, the device info are saved to the shared state with `INTUNE_` prepended to the key name. Null and empty string values are not placed into shared state. Refer to the Properties table in Microsoft Intune documentation for the managed device properties.
Save installed apps to SharedState	If enabled, the apps installed on the Mobile Device are extracted and saved to the Shared State with the key name - `INTUNE_INSTALLED_APPS`.

DeviceID Attribute Name

Value of the SSL_Client_S_DN from the client certificate presented at the TLS termination gateway. The format should be: CN=f47d8e59-b60e-48a5-adc1-622cb2244zzz.

DeviceID in SharedState

A boolean property. If enabled, the device ID is expected to be in shared state. This property is disabled by default to indicate that the device ID is located in the header.

Tenant ID

Tenant’s global unique identifier (GUID) in Azure Active Directory (AD).

Application (client) ID

The application ID or client ID is a value the Microsoft identity platform assigns to your application when you register it in Azure AD.

Client Secret

Sometimes called an application password, a client secret is a string value your app can use in place of a certificate to identify itself.

Azure Admin User Name

The administrative username in Azure.

Azure Admin User Password

The administrative password in Azure.

Save Device Properties to SharedState

If enabled, the device info are saved to the shared state with INTUNE_ prepended to the key name. Null and empty string values are not placed into shared state.

Refer to the Properties table in Microsoft Intune documentation for the managed device properties.

Save installed apps to SharedState

If enabled, the apps installed on the Mobile Device are extracted and saved to the Shared State with the key name - INTUNE_INSTALLED_APPS.

Outcomes

Compliant: The device is compliant.
Not Compliant: The device does not comply with the policy.
In Grace Period: The device is not-compliant, but it’s in the grace period defined by the administrator.
Config Manager: The device is managed by Config Manager
Conflict: Multiple settings are applied to the same device and Intune can’t sort out the conflict. An administrator should review.
No Id: No device ID is found in the header or shared state.
Status Unknown: The device is offline or failed to communicate with Intune or Azure AD.
Error: An error occurred within the node. Related stacktrace and message are placed in the shared state.

For more information, refer to the Microsoft Graph API documentation on Compliance State.