This guide will walk you through setting up a Microsoft Intune MDM integration.
Contents
- Benefits of integrating Intune with Beyond Identity
- Requirements
- Step 1: Update or Create App Registration in Azure Active Directory
- Step 2: Configure Intune Integration in Beyond Identity
- Step 3: Configure and Test MDM Authentication Policy
- Step 4: Configure and Push iOS and Android Apps
- Frequently Asked Questions
Benefits of integrating Intune with Beyond Identity
- Ensure devices are found within Intune - Prevent unmanaged devices from accessing sensitive resources by leveraging Intune within Beyond Identity. Administrators can create policies that require a device to be managed before it is granted access to resources.
- Ensure specific controls are configured correctly - It is not enough to know that a device exists in the Intune device directory; it is just as important to ensure that the device is functional and configured correctly. This integration surfaces device operational status and provisioned policies, so granular access control policies can be created that evaluate the device itself.
Requirements
License requirements
This integration provides support for Intune under the following plan versions:
- Microsoft Intune Plan 1
- Microsoft Intune Plan 2
- Microsoft Intune Plan 3
These plans are included with subscriptions to Microsoft 365 E3, E5, F1, and F3, Enterprise Mobility + Security E3 and E5, and Business Premium plans, including versions of these suites that do not include Microsoft Teams.
Authentication Requirements
The Intune integration uses the OAuth 2.0 Client Credentials Grant Type, and therefore uses a Client ID and Client Secret for authentication. The associated credentials must be configured with the following OAuth scopes:
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- User.Read.All
- Device.Read.All
- Directory.Read.All
- get_device_compliance
These permissions are necessary to collect information on devices and users in Intune.
OS support on Beyond Identity
The Beyond Identity integration supports Windows, macOS, iOS, and Android devices.
Important: For mobile devices, the Beyond Identity authenticator must be configured and pushed via Intune in order to leverage the integration. For more information, see Step 4: Configure and Push iOS and Android Apps.
Step 1: Update or Create App Registration in Azure Active Directory
- Log into https://portal.azure.com using the Global Administrator account.
- Navigate to Azure Active Directory.
- Select the App registrations tab.
- Update an existing app registration or create a new one:
  - If you have integrated Beyond Identity with Azure SSO, click the Beyond Identity User Console.
  - If you have not integrated Beyond Identity with Azure SSO:
    - Click New registration.
    - Type a name for the app registration, such as "Beyond Identity Integration".
    - Click Register.
- Copy the Application (client) ID and Directory (tenant) ID. These are needed in Step 2 when you configure Beyond Identity.
- Select the API permissions tab.
- Click Add a permission.
- Select Microsoft Graph.
- Select Application permissions and set the following permissions:
  - DeviceManagementManagedDevices
  - User
- Select Delegated permissions and set the following permissions:
  - Openid permissions
- Click Add permissions.
- Click Grant admin consent for your tenant.
- Navigate to the Certificates & secrets tab.
- Click New client secret.
- Type "Beyond Identity Policy Engine" in the Description field.
- Note the expiration time (update your SOP manual and add a reminder to create a new secret after the expiration date).
- Copy the secret value.
  Important: This value will not be available after you exit this page.
- If you used the Beyond Identity User Console application for the integration, ensure that the application is enabled in Azure: navigate to Azure Active Directory > Enterprise Applications > Beyond Identity User Console > Properties and verify that Enabled for users to sign-in is set to Yes. If you created a separate app registration for the integration, you can skip this step.
Step 2: Configure Intune Integration in Beyond Identity
- Log into the Beyond Identity Admin console.
- Go to Integrations > Endpoint Management > Microsoft Intune.
- Click Install next to Microsoft Intune.
- Enter the following information obtained from the Azure Admin Portal.
- Azure Tenant ID
- Client ID
- Client Secret
- Click Save Changes.
Step 3: Configure and Test MDM Authentication Policy
- Create a new user group named Require Intune on Windows.
- Create a policy rule and set the following (for more information, see https://support.beyondidentity.com/hc/en-us/articles/9678921702295-How-to-define-policies):

| Option | Value |
| --- | --- |
| For any transaction | Authentication |
| If user is in user group | "Require Intune on Windows" |
| If device platform is | Windows |
| If Integration is | Intune > Registration > is > Registered |
| Then | Deny |
- Click Add.
- Click Publish rule.
- Add a test user to the group Require Intune on Windows.
- Try authenticating with the test user's credentials from a Windows computer that is managed with Intune. If authentication is denied, then the policy works as expected.
- Now, change the policy to check if Intune is reporting that the device is "Not Registered" by setting: Integration is > Intune > Registration > is not > Registered.
- Click Add rule.
- Click Publish rule.
- Try authenticating again with the test user's credentials from the same Windows computer that is managed with Intune. If authentication is successful, then the policy works as expected.
Step 4: Configure and Push iOS and Android Apps
In order for Beyond Identity to query managed status for Android and iOS devices, the "Beyond Identity Platform Authenticator" app must be pushed from Intune. This is a mandatory step: if you do not push the Beyond Identity app through MDM, Beyond Identity will not be able to apply policies based on managed state.
- Download the authenticator for the appropriate mobile platform from https://app.byndid.com/downloads.
- In the Intune Admin center, navigate to Apps > App configuration policies and add an App configuration policy.
- Select Managed devices.
- Select the appropriate platform (iOS/Android) and the Beyond Identity App as the associated App.
- In the next step, select Configuration designer and add the following configuration settings. Note: configuration keys are case sensitive.

| Configuration key | Value type | Configuration value |
| --- | --- | --- |
| serialNumber | String | {{serialnumber}} |
| intuneDeviceID | String | {{deviceid}} |
Frequently Asked Questions
How are devices matched to the Intune device directory?
This integration leverages the Intune Managed Device ID. The Device ID is a unique string assigned to all devices in Intune. We **do not** use the serial number to match devices to records.
What rate limits apply to this integration?
The following Microsoft Intune rate limits apply:
- 4000 requests per 20 seconds (per tenant, across all apps)
- 2000 requests per 20 seconds (per app, per tenant)
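The rate limits above are enforced by Microsoft, not by the integration, but any client that polls Intune on its own behalf has to stay under them. The following is an added example, not code from the article or from Beyond Identity's integration: a sliding-window limiter sized to the per-app limit quoted above (2000 requests per 20 seconds), with a deterministic clock injected so it can be run offline. The limits are the article's; the class, the clock and the burst simulation are assumptions made for illustration.

```python
# Added example, not part of the article or of Beyond Identity's integration:
# a sliding-window limiter that keeps a Graph client inside the per-app limit
# quoted above (2000 requests per 20 seconds per app per tenant). The limits are
# the article's; the class, the injected clock and the burst simulation are
# assumptions made for illustration.
from collections import deque

GRAPH_PER_APP_LIMIT = 2000   # requests (from the article)
GRAPH_WINDOW_SECONDS = 20    # seconds (from the article)


class FakeClock:
    """Deterministic clock so the example runs offline and repeatably."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SlidingWindowLimiter:
    """Allow at most max_requests in any trailing window of window_seconds."""
    def __init__(self, max_requests, window_seconds, clock):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._sent = deque()  # timestamps of requests still inside the window

    def _evict_expired(self, now):
        while self._sent and now - self._sent[0] >= self.window:
            self._sent.popleft()

    def try_acquire(self):
        """Record a request and return True, or return False if the window is full."""
        now = self.clock()
        self._evict_expired(now)
        if len(self._sent) >= self.max_requests:
            return False
        self._sent.append(now)
        return True

    def seconds_until_slot(self):
        """How long a caller should wait before the next try_acquire can succeed."""
        now = self.clock()
        self._evict_expired(now)
        if len(self._sent) < self.max_requests:
            return 0.0
        return self.window - (now - self._sent[0])


def run_burst(limiter, n):
    """Attempt n requests back-to-back; return how many the limiter admitted."""
    return sum(1 for _ in range(n) if limiter.try_acquire())


def demo():
    clock = FakeClock()
    limiter = SlidingWindowLimiter(GRAPH_PER_APP_LIMIT, GRAPH_WINDOW_SECONDS, clock)
    first = run_burst(limiter, 2500)      # 2000 admitted, 500 held back
    wait = limiter.seconds_until_slot()   # 20.0: the whole window has to pass
    clock.advance(wait)
    second = run_burst(limiter, 500)      # window drained, 500 admitted
    return first, wait, second


if __name__ == "__main__":
    print(demo())   # (2000, 20.0, 500)
```

The limiter only accounts for this client's own traffic; other applications share the 4000-per-20-seconds tenant budget, so a real client should still treat an HTTP 429 response with a Retry-After header from Microsoft Graph as authoritative and back off for the indicated time.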
Why aren't my mobile devices being found?
There are several reasons why a mobile device may fail to be found by Beyond Identity even though it exists in the Microsoft Intune device directory.
Mobile devices require a **managed configuration** (the App configuration policy from Step 4) in order to map device information into the Beyond Identity Platform Authenticator. The managed configuration must be assigned to the correct user and device population within Intune.
Certain MDM enrollment types are incompatible with managed configurations. Ensure your accepted enrollment types fully support managed applications.
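To make the Step 3 policy rule and the matching behaviour described in this FAQ concrete, here is an added example that is not Beyond Identity's code. It models the "Require Intune on Windows" rule (both the verification form with "is Registered" and the production form with "is not Registered") against a constructed Intune device directory, and shows why matching on the Intune managed device ID is preferred over the serial number. The record field names `id`, `serialNumber` and `operatingSystem` follow the Microsoft Graph managedDevice resource; the record values, the `AuthAttempt` shape, the rule structure and the allow-by-default outcome when the rule does not match are assumptions for illustration.

```python
# Added example, not Beyond Identity's code: models the "Require Intune on
# Windows" rule from Step 3 against constructed Intune device records, and shows
# why the FAQ matches on the Intune managed device ID rather than the serial
# number. Field names "id", "serialNumber" and "operatingSystem" follow the
# Microsoft Graph managedDevice resource; the record values, the AuthAttempt
# shape, the rule structure and the allow-by-default outcome when the rule does
# not match are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of an Intune managed-device directory (not real data).
# Two virtual machines deliberately share a placeholder serial to show why the
# serial number is not a safe join key.
INTUNE_DEVICES = [
    {"id": "intune-id-0001", "serialNumber": "WIN-SN-1001", "operatingSystem": "Windows"},
    {"id": "intune-id-0002", "serialNumber": "PLACEHOLDER-SERIAL", "operatingSystem": "Windows"},
    {"id": "intune-id-0003", "serialNumber": "PLACEHOLDER-SERIAL", "operatingSystem": "Windows"},
    {"id": "intune-id-0004", "serialNumber": "IOS-SN-2001", "operatingSystem": "iOS"},
]

REGISTERED = "Registered"
NOT_REGISTERED = "Not Registered"


@dataclass
class AuthAttempt:
    user: str
    groups: set = field(default_factory=set)
    platform: str = "Windows"                 # Windows, macOS, iOS or Android
    # Intune managed device ID as reported by the authenticator. For iOS/Android
    # this is the intuneDeviceID managed-configuration value from Step 4; it is
    # None when the app was not pushed with that configuration.
    intune_device_id: Optional[str] = None


def lookup_by_serial(devices, serial):
    """Return every record with this serial; may be empty or ambiguous."""
    return [d for d in devices if d["serialNumber"] == serial]


def lookup_by_id(devices, device_id):
    """Return the single record with this Intune device ID, or None."""
    matches = [d for d in devices if d["id"] == device_id]
    return matches[0] if matches else None


def intune_registration(devices, attempt):
    """Registration attribute exposed to policy: Registered only when the
    reported ID resolves to a record in the Intune directory."""
    if attempt.intune_device_id and lookup_by_id(devices, attempt.intune_device_id):
        return REGISTERED
    return NOT_REGISTERED


def evaluate_require_intune_on_windows(devices, attempt, verification_rule=False):
    """Evaluate the Step 3 rule for one authentication transaction.

    Production rule: user in 'Require Intune on Windows' AND platform is Windows
    AND Intune registration is not Registered -> Deny.
    verification_rule=True swaps the last condition to 'is Registered', which is
    the first rule Step 3 publishes to confirm the integration is wired up
    (a managed Windows device is then expected to be denied).
    Returns 'Deny' when the rule matches, otherwise 'Allow' (assumed default).
    """
    if "Require Intune on Windows" not in attempt.groups:
        return "Allow"
    if attempt.platform != "Windows":
        return "Allow"
    registration = intune_registration(devices, attempt)
    matched = registration == REGISTERED if verification_rule else registration != REGISTERED
    return "Deny" if matched else "Allow"


if __name__ == "__main__":
    group = {"Require Intune on Windows"}
    managed = AuthAttempt("alice", group, "Windows", "intune-id-0001")
    unmanaged = AuthAttempt("alice", group, "Windows", None)
    print(evaluate_require_intune_on_windows(INTUNE_DEVICES, managed, verification_rule=True))  # Deny
    print(evaluate_require_intune_on_windows(INTUNE_DEVICES, managed))    # Allow
    print(evaluate_require_intune_on_windows(INTUNE_DEVICES, unmanaged))  # Deny
    print(len(lookup_by_serial(INTUNE_DEVICES, "PLACEHOLDER-SERIAL")))    # 2
```

An iOS attempt with `intune_device_id=None` is the FAQ's symptom in miniature: the device exists in the directory, but without the managed configuration the authenticator never reports the Intune device ID, so the integration evaluates it as Not Registered.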