Introduction
This document describes how to set up an Intune environment, integrate it with a Beyond Identity tenant, create an authentication policy based on whether Intune reports the device as “Registered” or “Not Registered”, and test that policy from a computer running Windows. In a customer environment the Intune environment is already in place, so you can skip Step 1 and go directly to Step 2.
Requirements
The Beyond Identity integration supports Windows, macOS, iOS, and Android devices. Note: For mobile devices, the Beyond Identity authenticator must be configured and pushed via Intune in order to leverage the integration. See Step 5 for mobile configuration.
Step 1: Set up Intune environment
Step 1a: Subscribe to Intune
- Go to https://admin.microsoft.com
- Log in using the Global Administrator account
- Purchase Intune Licenses for users
- Assign licenses to users
Step 1b: Register device to Intune
- Register your computer to Azure AD (Azure AD Registration)
  - Go to your Windows computer
  - Open Settings
  - Click on Manage your account
  - Click on Access work or school
  - Log in using your username and password
- Check that your device is registered
  - Go to https://endpoint.microsoft.com
  - Log in using the Global Administrator account
  - Click on Devices
  - Click on All Devices
  - Make sure that the computer is listed there and shows up as Managed by Intune
Alternatively, you can register the computer by Azure AD joining or Hybrid Azure AD joining it.
Step 2: Update or Create App Registration in Azure Active Directory
- Go to https://portal.azure.com
- Login using the Global Administrator account
- Navigate to Azure Active Directory
- Select the App registrations tab
- Update an existing app registration or create a new one:
  - If you have integrated Beyond Identity with Azure SSO:
    - Click on “Beyond Identity User Console”
  - If you have not integrated Beyond Identity with Azure SSO:
    - Click the New registration button
    - Type a name for the app registration, e.g. “Beyond Identity Integration”
    - Click the Register button
- Copy the Application (client) ID to a notepad
- Copy the Directory (tenant) ID to a notepad
- Select the API permissions tab
  - Click the Add a permission button
  - Select the Microsoft Graph option
  - Select the Application permissions option and select the following permissions:
    - DeviceManagementManagedDevices
    - User
  - Select the Delegated permissions option and select the following permissions:
    - OpenId permissions
  - Click the Add permissions button
  - Click the Grant admin consent for … button
- Navigate to the Certificates & secrets tab
  - Click the New client secret button
  - Type in the description ‘Beyond Identity Policy Engine’
  - Note the expiration time (update your SOP manual and add a reminder to create a new secret before the expiration date; the integration stops working once the secret expires)
  - Copy the secret value to the notepad. (This value is not shown again after you leave this page.)
- If you created a separate application registration for the integration, you can skip this step. If you used the Beyond Identity User Console application for the integration, ensure that the application is enabled in Azure: navigate to Azure Active Directory → Enterprise Applications → Beyond Identity User Console → Properties and verify that “Enabled for users to sign-in?” is set to Yes.
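Before entering the tenant ID, client ID and secret into Beyond Identity (Step 3), it is worth confirming that the registration actually works: that a client-credentials token can be obtained, that admin consent granted the application permissions, and that a managed device can be looked up. The script below is an added example, not Beyond Identity's or Microsoft's code. It assumes the Step 2 values are supplied in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET (names chosen here), and that the permissions the integration needs are the read-only application permissions DeviceManagementManagedDevices.Read.All and User.Read.All from the two permission groups named above (an assumption about which members of those groups are required). The token and Graph endpoints are the standard ones; only the Python standard library is used.

```python
"""Check the Step 2 app registration before entering it in Beyond Identity.

Added example; it is not Beyond Identity's or Microsoft's code. It assumes
the tenant ID, client ID and client secret from Step 2 are provided in the
environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET
(variable names chosen here) and uses only the Python standard library.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEVICES_URL = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

# The page names the Graph permission groups "DeviceManagementManagedDevices"
# and "User"; these are the read-only application permissions in those groups
# (assumed here to be the ones the integration needs).
REQUIRED_ROLES = {"DeviceManagementManagedDevices.Read.All", "User.Read.All"}


def build_token_request(tenant_id, client_id, client_secret):
    """URL and form body for a client-credentials token (no user sign-in)."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def decode_jwt_payload(token):
    """Return the claims of a JWT without verifying its signature.

    Inspection only: the token was just issued to this client over TLS, and
    Graph, not this script, is the party that must validate it.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token):
    """Required application permissions that admin consent did not grant."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return sorted(REQUIRED_ROLES - granted)


def build_device_query(device_name):
    """Graph request for the Intune managed-device record of one computer."""
    literal = device_name.replace("'", "''")  # OData escapes ' by doubling it
    return DEVICES_URL + "?$filter=" + urllib.parse.quote(f"deviceName eq '{literal}'")


def make_unsigned_token(claims):
    """Build an alg=none JWT so the claim parsing can be exercised offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def main():
    url, body = build_token_request(os.environ["AZURE_TENANT_ID"],
                                    os.environ["AZURE_CLIENT_ID"],
                                    os.environ["AZURE_CLIENT_SECRET"])
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    missing = missing_roles(token)
    if missing:
        sys.exit("admin consent not granted for: " + ", ".join(missing))
    # Look up the computer registered in Step 1b by its device name.
    req = urllib.request.Request(build_device_query(sys.argv[1]),
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        for dev in json.load(resp).get("value", []):
            print(dev["deviceName"], dev.get("operatingSystem"), dev.get("complianceState"))


if __name__ == "__main__":
    main()
```

Run it as `python check_registration.py <device name>` with the three variables exported. An empty `roles` claim in the token means the Grant admin consent step was skipped; an empty device result means the computer is not yet visible under Devices → All Devices in Intune.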
Step 3: Configure Intune Integration in Beyond Identity
- Log in to the Beyond Identity Admin Console
- Go to Integrations > Endpoint Management > Microsoft Intune
- Click Install next to Microsoft Intune
- Enter the following information obtained from the Azure portal in Step 2:
  - Azure Tenant ID: the Directory (tenant) ID
  - Client ID: the Application (client) ID
  - Client Secret: the client secret value
- Click “Save Changes”
Step 4: Configure and Test MDM Authentication Policy
- Create a new user group “Require Intune on Windows”
- Create a policy with the following conditions:
  - The transaction type is Authentication
  - The user is a member of the “Require Intune on Windows” group
  - The device platform is Windows
  - Intune reports that the device is Registered
  - Action: Deny authentication
- Add a test user to the group “Require Intune on Windows”
- Try authenticating with the test user's credentials from a Windows computer that is managed with Intune. If authentication is denied, the policy works as expected.
- Now change the policy to check whether Intune reports that the device is “Not Registered”
- Try authenticating again with the test user's credentials from the same Windows computer that is managed with Intune. If authentication is successful, the policy works as expected.
Step 5: Configure and Push iOS and Android Apps
In order for Beyond Identity to query managed status for Android and iOS devices, the “Beyond Identity Platform Authenticator” app needs to be pushed from Intune. Please note this is a mandatory step. If you do not push the Beyond Identity App through MDM then Beyond Identity will not be able to apply policies for the managed state.
- In the Intune admin center, navigate to Apps → App configuration policies and add an App configuration policy. Select “Managed devices”.
- Select the appropriate platform (iOS/Android) and the Beyond Identity app as the associated app.
- In the next step, select Configuration designer and enter the following app configuration. Note: configuration keys are case sensitive.
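The two test runs in Step 4 (deny on “Registered”, then flip the condition to “Not Registered”) and the warning in Step 5 can be reasoned about with a small model of the policy rule. The code below is an added example, not Beyond Identity's policy engine: the event fields (transaction type, group membership, platform, Intune state) and the state values are names chosen here, the conditions are the four listed in Step 4, and a device whose managed state the integration cannot report (the Step 5 case of a mobile device without the pushed app) is modelled as a state of `None`, which matches neither “Registered” nor “Not Registered”.

```python
"""Model of the Step 4 policy rule, for checking the expected test results.

Added example; not Beyond Identity's policy engine. Field and state names
are chosen here; the rule conditions are the ones listed in Step 4.
"""
from dataclasses import dataclass
from typing import Optional

GROUP = "Require Intune on Windows"
REGISTERED = "Registered"
NOT_REGISTERED = "Not Registered"
UNKNOWN = None  # integration could not report a state (e.g. app not pushed via Intune)


@dataclass(frozen=True)
class AuthEvent:
    transaction_type: str
    groups: frozenset
    platform: str
    intune_state: Optional[str]


@dataclass(frozen=True)
class Rule:
    name: str
    group: str
    platform: str
    intune_state: str
    action: str

    def matches(self, ev):
        """All four Step 4 conditions must hold for the rule to fire."""
        return (ev.transaction_type == "Authentication"
                and self.group in ev.groups
                and ev.platform == self.platform
                and ev.intune_state == self.intune_state)


def evaluate(rules, ev, default="Allow"):
    """First matching rule decides; an event no rule matches gets the default."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action
    return default


def step4_policy(state):
    """The Step 4 rule with its Intune condition set to Registered or Not Registered."""
    return [Rule("Require Intune on Windows", GROUP, "Windows", state, "Deny")]


# Constructed events: the test user on the Intune-managed Windows computer from
# Step 4, plus variants that should fall outside the rule.
MANAGED_WINDOWS = AuthEvent("Authentication", frozenset({GROUP}), "Windows", REGISTERED)
UNMANAGED_WINDOWS = AuthEvent("Authentication", frozenset({GROUP}), "Windows", NOT_REGISTERED)
NOT_IN_GROUP = AuthEvent("Authentication", frozenset(), "Windows", REGISTERED)
MANAGED_MAC = AuthEvent("Authentication", frozenset({GROUP}), "macOS", REGISTERED)
NO_REPORT = AuthEvent("Authentication", frozenset({GROUP}), "Android", UNKNOWN)


def expected_outcomes():
    """Outcomes the two Step 4 test runs (and some edge cases) should produce."""
    first = step4_policy(REGISTERED)        # policy as first configured
    second = step4_policy(NOT_REGISTERED)   # policy after the flip
    return {
        "registered_rule/managed_pc": evaluate(first, MANAGED_WINDOWS),          # Deny
        "not_registered_rule/managed_pc": evaluate(second, MANAGED_WINDOWS),     # Allow
        "not_registered_rule/unmanaged_pc": evaluate(second, UNMANAGED_WINDOWS), # Deny
        "registered_rule/not_in_group": evaluate(first, NOT_IN_GROUP),           # Allow
        "registered_rule/managed_mac": evaluate(first, MANAGED_MAC),             # Allow
        # No reported state: the Not Registered rule cannot fire, so the
        # device is allowed even though it may well be unmanaged.
        "not_registered_rule/no_report": evaluate(second, NO_REPORT),            # Allow
    }


if __name__ == "__main__":
    for case, outcome in expected_outcomes().items():
        print(f"{case:40} {outcome}")
```

The last case is the point of Step 5: when the authenticator app is not deployed through Intune, the integration reports no managed state at all, so a “Not Registered” deny rule never triggers and the policy quietly fails open for those devices.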