Integrate with Microsoft Intune

In this topic, you will learn how to set up the integration between Portnox™ Cloud and Microsoft Intune.

Integrate with Intune

In this section, you will set up the integration between Portnox™ Cloud and Microsoft Intune.

Important: To integrate Portnox Cloud with Microsoft Intune, you must first integrate it with Entra ID. Both integrations must use the same directory.
  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Integration Services > MS INTUNE INTEGRATION SERVICE option.

  3. Enable Microsoft Intune integration
    1. Under the MS Intune integration service heading and description, click on the Edit link.

    2. Click on the Disabled/Enabled switch to put it in the Enabled position.

    3. Click on the Save button.
  4. Check if the Entra ID field is automatically populated with the tenant ID from your Entra ID integration.

    If the Entra ID field is not populated, perform the following steps:

    1. Open the Azure Portal in a new browser tab.
    2. In the Search resources, services, and docs field, start typing entra id. When the Microsoft Entra ID tile is visible below, click on this tile.

    3. In the Overview section, click on the  ⧉  icon next to the Tenant ID field to copy the Tenant ID value to the clipboard.

    4. Close the Azure Portal browser tab.
    5. Go back to the Portnox Cloud browser tab and paste the Tenant ID into the Entra ID field.

  5. Grant Portnox Cloud permissions to deploy enterprise applications in your Azure tenant.
    1. Click on the Sign in with Entra ID Account button.

      Your browser will display a Microsoft prompt to select an account.

    2. Click on the admin account for your Azure tenant.

      Your browser may display a Microsoft prompt asking you to confirm the required permissions.

    3. Click on the Accept button to confirm permissions that the Portnox Cloud enterprise application will have to your Microsoft Entra ID data.
  6. Grant the Portnox Cloud enterprise application permissions to read Microsoft Intune data.
    1. Click on the Grant permissions button.

      Important: If the selected Azure account does not have administrative privileges, you may be unable to integrate or asked to contact your administrator.

      Your browser may display a Microsoft prompt asking you to confirm the required permissions.

    2. Click on the Accept button to confirm permissions that the Portnox Cloud enterprise application will have to your Microsoft Intune data.
  7. Grant the Portnox Cloud enterprise application permissions for SCEP validation.
    1. Click on the Grant permissions button.

      Important: If the selected Azure account does not have administrative privileges, you may be unable to integrate or asked to contact your administrator.

      Your browser will display a Microsoft prompt asking you to confirm the required permissions.

    2. Click on the Accept button to confirm permissions that the Portnox Cloud enterprise application will have for SCEP validation.

Result: Your Intune integration is now active.

You can see Intune-related information for specific devices on the Devices screen by selecting an Intune-managed device from the list and scrolling the right-hand side pane.

Automatically create Intune configuration policies

In this section, you will automatically create Intune configuration policies, which will let you skip manual onboarding.

Important: The Intune configuration API provided by Microsoft is still in Beta stage, and so you still need to perform some manual steps after automatically creating policies. See the next section on information how to perform these steps.
Important: To create SCEP policies in Intune, you need to turn on the Portnox Cloud SCEP services. For information on how to do this, see the following section: Turn on the Portnox Cloud SCEP services.
Note: If you would rather create configuration policies manually, see the following topics:
  1. Click on the Create configuration(s) button in the Intune configuration section, which is located at the end of the MS Intune integration service section.

  2. In the Add Intune configuration window, select the Platform(s) and Configuration type(s) to create:

    1. If you selected Wireless network access, enter the Wireless name (SSID) to include in the configurations.
    2. If you selected the Windows platform and Wired network access or Wireless network access configuration types, select the Authentication mode (User, Computer, or User and Computer).
    3. If instead of the default option: Use the same configuration for all selected platforms, you chose the option: Each Platform will have its own unique configuration, you can then choose different configuration types for each platform (including different SSIDs and authentication modes).

  3. Click on the Create configuration(s) button.

    You will be asked to authenticate with Intune, and then Portnox Cloud will automatically create the configurations.

    The configurations will have the following names:

    Configuration type Configuration name
    RADIUS root certificate platform_name Radius Trusted Root
    Organization (Tenant) root certificate platform_name tenant_name Trusted Root
    Wireless network access platform_name WiFi
    Wired network access platform_name Wired
    SCEP - User platform_name Scep User
    SCEP - Device platform_name Scep Machine

    You can see the configurations in Intune by going to: Devices > Manage devices > Configuration.

Manually link configurations in Intune

In this section, you will manually link the automatically created configurations in Intune.

Perform the steps in this section only if you created configurations automatically according to the instructions in the previous section.

Important: The Intune API can create all configurations, but it cannot create links between policies. You must perform this step or otherwise the configurations will not work.
  1. Link the SCEP policies to the tenant root certificate policies.
    Perform the following steps in each policy named platform_name Scep User and platform_name Scep Machine.
    1. Click on the policy name.
    2. Scroll all the way down to the Configuration settings section and click on the Edit link.

    3. In the Root Certificate section, click on the + Root Certificate link.

    4. In the Root Certificate pane, click on the platform_name tenant_name Trusted Root row, and then click on the OK button.

    5. Click on the Review + save button and then on the Save button.
  2. Link the network policies to the RADIUS root certificate policies and SCEP policies.
    Perform the following steps in each policy named platform_name WiFi and platform_name Wired.
    1. Click on the policy name.
    2. Scroll all the way down to the Configuration settings section and click on the Edit link.

    3. In the Root certificates for server validation section, click on the + Select one or more certificate profiles link.

    4. In the Root certificates for server validation pane, activate the checkbox in the platform_name Radius Trusted Root row, and then click on the OK button.

    5. In the Client Authentication section, in the Authentication method field, select the SCEP certificate option and then click on the + Select a certificate profile link.

    6. In the Client certificate for client authentication pane, click on the relevant row depending on whether you want to authenticate users or devices, and then click on the OK button.

    7. Click on the Review + save button and then on the Save button.

Result: Your policies are now correctly linked together. The SCEP policies reference the tenant root certificate policies, and the network policies reference the RADIUS root certificate policies and the SCEP policies.