Microsoft Endpoint Manager
Cloudflare Zero Trust can integrate with Microsoft to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Microsoft. Devices are identified by their serial numbers.
Device posture with Microsoft Endpoint Manager requires:
- An Intune license
- Microsoft Endpoint Manager is managing the device.
-
Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to Service providers.
The following values are required:
- Client secret
- Application (client) ID
- Direct (tenant) ID
To retrieve those values:
- Log in to your Microsoft Dashboard.
- Go to App Registrations and select New Registrations.
- Copy the
Application (client) ID
value to a safe place. This will be your Client ID. - Copy the
Directory (tenant) ID
value to a safe place. This will be your Customer ID. - Go to Certificates & Secrets and select New client secret.
- Fill in a description and how long the secret should be valid.
- After completing the form, immediately copy the resulting secret. This will be your Client Secret.
- Go to API Permissions and select Add permission.
- Select Microsoft Graph.
- Select Application permissions.
- Add
DeviceManagementManagedDevices.Read.All
. - If the permission status shows Not granted, select Grant admin consent.
- Go to Settings > WARP Client.
- Scroll down to Device posture providers and select Add new.
- Select Microsoft Endpoint Manager.
- Give your provider a name. This name will be used throughout the dashboard to reference this connection.
- Enter the Client ID, Client secret and Customer ID as you noted down above.
- Select a Polling frequency for how often Cloudflare Zero Trust should query Microsoft Graph API for information.
- Select Save.
You will see the new provider listed under Settings > WARP Client > Device posture providers. To ensure the values have been entered correctly, select Test.
- In Zero Trust ↗, go to Settings > WARP Client > Service provider checks.
- Select Add new.
- Select the Microsoft Endpoint Manager provider.
- Configure a device posture check and enter any name.
- Select Save.
Next, go to Logs > Posture and verify that the service provider posture check is returning the expected results.
The Microsoft Endpoint Manager device posture check relies on information from the Microsoft Graph API. Refer to Microsoft’s ComplianceState ↗ and List managedDevices ↗ documentation for a list of properties returned by the API.
To learn more about how to control ComplianceState, refer to Microsoft’s compliance policies guide ↗.