How to Integrate and Configure Microsoft MDM Intune/Defender


This Help topic describes the steps to integrate ExtremeCloud IQ Site Engine with Microsoft Intune and to configure the Intune Compliance Module, which combines 802.1X EAP-TLS authentication with the device compliance status reported by Microsoft Intune.

A common use case for this configuration is to apply different network authorizations to devices reported as non-compliant by Microsoft Intune.

Solution Overview

  • The device connects to the network and authenticates through 802.1X EAP-TLS.

  • The Access Control Engine extracts the Intune ID from the user or computer certificate.

  • ExtremeCloud IQ Site Engine periodically downloads the list of non-compliant devices from Microsoft and compares their Intune IDs with the IDs extracted from the certificates.

  • The MAC addresses of all devices reported as non-compliant are added to the defined end-system group.

  • The MAC addresses of devices that are no longer reported as non-compliant are removed from the defined end-system group.

  • A change in compliance status triggers a reauthentication, and the network access authorization is updated based on the NAC rules.
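The group-maintenance logic in the overview above, written out as an added example (this is not ExtremeCloud IQ Site Engine code). The EndSystem record, the group contents and the sample data are constructed stand-ins for the engine's end-system table and end-system groups; the point is that membership is derived only from the latest Microsoft download, so a device drops out of the group (and is reauthenticated) as soon as Microsoft stops reporting it, and a device whose certificate carries no Intune ID can never be classified at all.

```python
"""Reconcile the Intune non-compliant list into a NAC end-system group.

Added example, not ExtremeCloud IQ Site Engine code. EndSystem, GroupDelta and
the SAMPLE_* data are constructed assumptions standing in for the engine's own
end-system table and end-system groups.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class EndSystem:
    mac: str
    intune_id: Optional[str]  # None when the certificate SAN carried no Intune ID


@dataclass
class GroupDelta:
    """MACs to add to / remove from the group; both sets trigger reauthentication."""
    added: Set[str] = field(default_factory=set)
    removed: Set[str] = field(default_factory=set)

    def reauth_macs(self) -> Set[str]:
        return self.added | self.removed


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff'
    and 'aa:bb:cc:dd:ee:ff' compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(end_systems: Iterable[EndSystem],
              noncompliant_ids: Iterable[str],
              current_group: Iterable[str]) -> Tuple[Set[str], GroupDelta]:
    """Return (new group membership, delta) for one polling cycle.

    end_systems:      devices the engine knows, each with the Intune ID taken
                      from its EAP-TLS certificate (None if it had none).
    noncompliant_ids: Intune IDs from the latest Microsoft download.
    current_group:    MACs currently in the non-compliant end-system group.
    """
    bad = {i.lower() for i in noncompliant_ids}
    wanted = {normalize_mac(e.mac) for e in end_systems
              if e.intune_id is not None and e.intune_id.lower() in bad}
    current = {normalize_mac(m) for m in current_group}
    # Membership is derived only from the latest download: a device that is no
    # longer reported leaves the group, which is what re-grants normal access.
    return wanted, GroupDelta(added=wanted - current, removed=current - wanted)


def unclassifiable(end_systems: Iterable[EndSystem]) -> Set[str]:
    """MACs whose certificate carried no Intune ID: compliance can never be
    evaluated for them, so they deserve their own rule rather than silence."""
    return {normalize_mac(e.mac) for e in end_systems if e.intune_id is None}


# Constructed sample data (not real devices).
SAMPLE_END_SYSTEMS = [
    EndSystem("00-11-22-33-44-55", "11111111-1111-1111-1111-111111111111"),
    EndSystem("00:11:22:33:44:66", "22222222-2222-2222-2222-222222222222"),
    EndSystem("0011.2233.4477", "33333333-3333-3333-3333-333333333333"),
    EndSystem("00:11:22:33:44:88", None),
]
SAMPLE_NONCOMPLIANT = {"11111111-1111-1111-1111-111111111111",
                       "33333333-3333-3333-3333-333333333333"}
# Group as left by the previous cycle: ...66 was non-compliant then, ...77 still is.
SAMPLE_GROUP = {"00:11:22:33:44:66", "00:11:22:33:44:77"}


def demo() -> Tuple[Set[str], GroupDelta]:
    return reconcile(SAMPLE_END_SYSTEMS, SAMPLE_NONCOMPLIANT, SAMPLE_GROUP)


if __name__ == "__main__":
    group, delta = demo()
    print("group:", sorted(group))
    print("add:", sorted(delta.added), "remove:", sorted(delta.removed))
    print("reauth:", sorted(delta.reauth_macs()))
    print("no Intune ID in certificate:", sorted(unclassifiable(SAMPLE_END_SYSTEMS)))
```

With the sample data, ...55 is added, ...66 is removed (it is no longer reported), ...77 stays, and both ...55 and ...66 are reauthenticated; ...88 is flagged separately because its certificate has no Intune ID.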

Requirements

These are the configuration requirements for the Intune Compliance Module.

  • ExtremeCloud IQ Site Engine must have Internet access in order to retrieve compliance information from Microsoft.
  • The Intune ID must be part of the 802.1X EAP-TLS client certificate, in the Subject Alternative Name (SAN) URI attribute.
  • Create a unique Microsoft Entra ID application on the Microsoft Entra ID page (see instructions below).
  • The Intune Compliance Module must be enabled and configured (see instructions below).

  NOTE: You must copy and paste some text values between applications during the registration and configuration.
  Ensure you copy and save the required values when instructed, as some are unique secret values that cannot be viewed or retrieved again.

Creating an Entra ID Application

When configuring the compliance check by the Intune Compliance Module, you must first create an Entra ID application. This generates an Application ID and Application Secret that are required by the ExtremeCloud IQ Site Engine configuration. Use the following steps to create and register an Entra ID application.

  1. Access the Microsoft Entra ID page with your Admin credentials at https://portal.azure.com or https://entra.microsoft.com.
  2. Select Manage Microsoft Entra ID > View.
  3. Select App registrations > New registration.
  4. Enter the following information into the required fields:
    • Name - Enter a name for the Entra ID registered application
    • Supported account types - Select Accounts in this organization directory only - (Single tenant)
  5. Select Register.

  6. Select Add a certificate or secret, or navigate to Certificates & secrets in the left menu.
  7. Select New client secret.
  8. Enter the following information into the required fields:
    • Description - your description of the new credentials
    • Expires - define how long the client secret is valid. When the client secret expires, the non-compliant list can no longer be retrieved.

      NOTE: The expiration of a client secret cannot be modified in Entra ID.
      The best practice is to create a new client secret before the existing one expires and update the value in the ExtremeControl settings.

  9. Select Add.

  10. Copy the secret value to the clipboard. This is the only time the client secret is displayed. Save the secret value for your Client Secret.
  11. Select API permissions > Add a permission.
  12. Select Microsoft Graph > Delegated permissions.
  13. In the DeviceManagementManagedDevices section, select the following delegated permission:
    • DeviceManagementManagedDevices.Read.All
  14. Select Application permissions and, in the DeviceManagementManagedDevices section, add the following application permission:
    • DeviceManagementManagedDevices.Read.All
  15. Select Add permissions.
  16. Select Grant admin consent for <your company domain>, and select Yes to confirm.

  17. Select Overview.
  18. Copy the displayed Application (client) ID value. Save this value for your Client ID.

  19. Select Endpoints.
  20. Copy the displayed OAuth 2.0 token endpoint (v2) value. Save this value for your Token Endpoint.

Intune Compliance Module Configuration

You must enter the values you saved during the creation and registration of the Entra ID application in Administration > Options > Access Control > Intune Compliance Check.

Use the following steps to configure the Intune Compliance Check behavior:

  1. From ExtremeCloud IQ Site Engine, open Administration > Options.
  2. In the left-panel tree, navigate to Access Control > Intune Compliance Check.
  3. Enter the following information into the required fields:
    • Enable Compliance Check - select the check box

    • Client ID - enter the value copied as "Application (client) ID"

    • Client Secret - enter the value copied as "Client Secret"

    • Token Endpoint - enter the value copied as "OAuth 2.0 token endpoint (v2)"

  4. Select Save.
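What the engine does with the three saved values, as an added example that is not ExtremeCloud IQ Site Engine code: an OAuth 2.0 client-credentials request to the Token Endpoint using the Client ID and Client Secret, followed by a paged read of Microsoft Graph managedDevices that keeps only devices whose complianceState is noncompliant. The Graph URL, the .default scope and the complianceState field are standard Microsoft Graph values; the fetch callable, the tenant placeholder in the token endpoint and the two-page sample response are constructed so the paging and error handling can be exercised offline. The same request is a quick way to check that a new client secret works before the old one expires.

```python
"""Retrieve Intune non-compliant device IDs with an Entra ID application.

Added example, not ExtremeCloud IQ Site Engine code. Graph URL, scope and field
names are standard Microsoft Graph values; everything marked constructed is a
sample for offline use.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
MANAGED_DEVICES = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
SELECT_FIELDS = "id,deviceName,complianceState"


def build_token_request(token_endpoint: str, client_id: str,
                        client_secret: str) -> urllib.request.Request:
    """Client-credentials POST to the 'OAuth 2.0 token endpoint (v2)'. Works only
    once DeviceManagementManagedDevices.Read.All (Application) has admin consent."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw: bytes) -> str:
    """Return the bearer token or raise with Entra's error text. An expired or
    wrong client secret is reported as error 'invalid_client', which is the
    failure the Expires note above warns about."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def first_page_url() -> str:
    return MANAGED_DEVICES + "?" + urllib.parse.urlencode({"$select": SELECT_FIELDS})


def noncompliant_intune_ids(fetch_json: Callable[[str, str], Dict], token: str) -> List[str]:
    """Walk every page of managedDevices and keep IDs reported 'noncompliant'.
    Filtering client-side makes the decision explicit: 'unknown', 'conflict'
    and 'error' states are not treated as non-compliant here."""
    url = first_page_url()
    ids: List[str] = []
    while url:
        page = fetch_json(url, token)
        for dev in page.get("value", []):
            if dev.get("complianceState") == "noncompliant":
                ids.append(dev["id"].lower())
        url = page.get("@odata.nextLink")  # absent on the last page
    return ids


def http_fetch_json(url: str, token: str) -> Dict:
    """Real fetcher for use against Graph (needs Internet access)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed two-page Graph response used to exercise the paging logic offline.
_NEXT = "https://graph.microsoft.com/v1.0/constructed-next-page"
_PAGES = {
    first_page_url(): {
        "value": [
            {"id": "AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA", "deviceName": "LAPTOP-1", "complianceState": "compliant"},
            {"id": "BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB", "deviceName": "LAPTOP-2", "complianceState": "noncompliant"},
        ],
        "@odata.nextLink": _NEXT,
    },
    _NEXT: {
        "value": [
            {"id": "CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC", "deviceName": "LAPTOP-3", "complianceState": "unknown"},
            {"id": "DDDDDDDD-DDDD-DDDD-DDDD-DDDDDDDDDDDD", "deviceName": "LAPTOP-4", "complianceState": "noncompliant"},
        ],
    },
}


def fake_fetch_json(url: str, token: str) -> Dict:
    if token != "constructed-token":
        raise RuntimeError("unexpected token")
    return _PAGES[url]


def demo() -> List[str]:
    """Offline run: constructed token response, constructed two-page device list."""
    token = parse_token_response(b'{"token_type":"Bearer","expires_in":3599,"access_token":"constructed-token"}')
    return noncompliant_intune_ids(fake_fetch_json, token)


if __name__ == "__main__":
    # Live use: replace <tenant-id> with the value inside your copied Token Endpoint.
    # token = parse_token_response(urllib.request.urlopen(build_token_request(
    #     "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
    #     "<Client ID>", "<Client Secret>")).read())
    # print(noncompliant_intune_ids(http_fetch_json, token))
    print(demo())
```

The IDs are lower-cased on the way in so that later comparison with the GUID taken from the certificate SAN is case-insensitive.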

End-System 802.1X Configuration

You must configure the end-system to use IEEE 802.1X authenticated network access. The following is an example using a Windows 11 client.

After you have configured the AAA rules, the User Groups configuration, and the Access Control Rule configuration using the steps above, you must configure 802.1X on the end-system:

  1. From Windows 11 search, type view network connections, then select Open.
  2. Right-click on the network connection you need to configure, and select Properties.
  3. Select the Authentication tab.
  4. Ensure Enable IEEE 802.1X authentication is checked.
  5. In the Choose a network authentication method list, select Microsoft: Smart Card or other certificate (EAP TLS).
  6. Select Settings.
  7. In the Trusted Root Certification Authorities area, select the CA that issued the certificate of your Access Control Engines.

  8. Select OK, then select OK again.

Example of an End-System's Certificate

You must ensure that the Intune ID is part of the Subject Alternative Name URI in the certificate. An example of the industry-standard format is: URL=ID:Microsoft Endpoint Manager:GUID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
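The extraction step described above, as an added example that is not ExtremeCloud IQ Site Engine code. It takes the SAN entries of a certificate as strings, either as the Windows certificate viewer displays them ("URL=...") or as bare URIs, and returns the GUID that is compared against the Intune non-compliant list. The prefix string is the format quoted above; the sample SAN lists are constructed. A malformed GUID or a missing URI entry yields None, which is exactly the device the module cannot classify.

```python
"""Extract the Intune ID from a certificate's Subject Alternative Name entries.

Added example, not ExtremeCloud IQ Site Engine code. INTUNE_PREFIX is the
format given in the text; the SAMPLE_* SAN lists are constructed.
"""
import re
from typing import Iterable, List, Optional

INTUNE_PREFIX = "ID:Microsoft Endpoint Manager:GUID:"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def intune_id_from_san(san_entries: Iterable[str]) -> Optional[str]:
    """Return the lower-case Intune GUID, or None if no valid URI entry exists.

    Only a URI in the documented format counts. DNS and UPN entries are skipped,
    and a URI whose GUID is malformed is ignored rather than partially matched,
    so such a device can never be placed in the non-compliant group by accident.
    """
    for entry in san_entries:
        value = entry.strip()
        # The Windows certificate viewer shows URI entries as "URL=<uri>".
        if value[:4].upper() == "URL=":
            value = value[4:].strip()
        if not value.startswith(INTUNE_PREFIX):
            continue
        guid = value[len(INTUNE_PREFIX):].strip().lower()
        if GUID_RE.match(guid):
            return guid
    return None


# Constructed SAN lists, as copied from a certificate viewer's Details tab.
SAMPLE_GOOD: List[str] = [
    "DNS Name=laptop-1.corp.example",
    "Other Name:Principal Name=user@corp.example",
    "URL=ID:Microsoft Endpoint Manager:GUID:0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0",
]
SAMPLE_BARE_URI: List[str] = ["ID:Microsoft Endpoint Manager:GUID:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"]
SAMPLE_MALFORMED: List[str] = ["URL=ID:Microsoft Endpoint Manager:GUID:not-a-guid"]
SAMPLE_NO_URI: List[str] = ["DNS Name=laptop-2.corp.example"]


if __name__ == "__main__":
    for name, san in [("good", SAMPLE_GOOD), ("bare", SAMPLE_BARE_URI),
                      ("malformed", SAMPLE_MALFORMED), ("no uri", SAMPLE_NO_URI)]:
        print(f"{name:10} -> {intune_id_from_san(san)}")
```

To run the same check on a PEM file, the cryptography package can supply the entries: `x509.load_pem_x509_certificate(data).extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.UniformResourceIdentifier)` returns the bare URI strings, which can be passed straight to intune_id_from_san.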
