Integrate Intune MDM with Identity Services Engine

Step-by-step guide to connecting Cisco ISE with Microsoft Intune for secure device compliance enforcement.

Prerequisites

Before starting, ensure you have:

  • Working knowledge of Cisco ISE MDM services.
  • Familiarity with Microsoft Intune and the Azure portal.
  • Cisco ISE version 3.0 or later.
  • An Azure account with rights to register applications and to grant admin consent to API permissions.
  • Outbound HTTPS (TCP 443) from the ISE nodes to login.microsoftonline.com and graph.microsoft.com, and NTP-synchronised clocks on those nodes (OAuth tokens and certificate validity are both time-sensitive).

Why Integrate Intune with ISE?

  • Enhanced Security: ISE queries Intune for the device's compliance and registration state before granting network access, so unmanaged or non-compliant endpoints can be kept off production segments.
  • Granular Control: authorization policies can match on the MDM attributes Intune returns (for example DeviceCompliantStatus and DeviceRegisterStatus) and apply a different Access Control List (ACL), VLAN or other result to each state.
  • Unified Management: endpoint compliance is defined once in Intune and enforced on the network by ISE, rather than being maintained in two places.

Configuration Steps

1. Import Certificates from Intune to ISE

  1. Log in to the Azure portal. ISE must trust the CAs that issued the TLS certificates of the Microsoft endpoints it will call (login.microsoftonline.com and graph.microsoft.com); without that trust every API call fails with an SSL error.
  2. Open the certificate details via the browser lock icon and view the certification path.
  3. Export the Root CA and the intermediate CA certificates in BASE64 format. Do not import the leaf (server) certificate; it is rotated frequently and the CA chain is what ISE needs.
  4. In ISE, go to Administration > System > Certificates > Trusted Certificates and import them.
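Fetching the CA chain from the command line instead of through the browser lock icon, as an added example that is not part of the original article or of Cisco's documentation. It connects to the two Microsoft endpoints ISE will call, rebuilds each chain with X509Chain, and writes every CA above the leaf as a Base64 PEM file ready for import into the ISE Trusted Certificates store. The output folder and the endpoint list are assumptions.

```powershell
# Added example (not from the original article or Cisco's documentation).
# Pulls the TLS chain presented by the Microsoft endpoints ISE must trust and
# writes the root and intermediate CAs as Base64 (PEM) files for
# Administration > System > Certificates > Trusted Certificates in ISE.
# $outDir and $endpoints are assumptions; adjust for your environment.
$outDir    = "C:\ise-trust"
$endpoints = @("login.microsoftonline.com", "graph.microsoft.com")

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Export-PemCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Path
    )
    # Export the public certificate only (DER), then wrap it as Base64 PEM.
    $der = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [System.Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
    Set-Content -Path $Path -Value $pem -Encoding ASCII
}

# The callback accepts any server certificate on purpose: we want to SEE what the
# server presents. Trust is decided afterwards by X509Chain.Build, not here.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

foreach ($endpoint in $endpoints) {
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $endpoint, 443
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAny
    $ssl.AuthenticateAsClient($endpoint)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $ssl.Dispose(); $tcp.Close()

    # Build the chain with the local machine's trust store. A failure here means
    # this workstation does not trust the chain either; investigate before importing.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        Write-Warning "$endpoint : chain did not validate on this machine ($($chain.ChainStatus.StatusInformation -join '; '))"
    }

    # Element 0 is the leaf; everything above it is an intermediate or the root.
    for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
        $ca   = $chain.ChainElements[$i].Certificate
        $name = $ca.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -replace '[^A-Za-z0-9]', '_'
        $file = Join-Path $outDir "$name.pem"
        Export-PemCertificate -Certificate $ca -Path $file
        Write-Host ("{0,-26} {1,-60} thumbprint {2} expires {3:yyyy-MM-dd} -> {4}" -f $endpoint, $ca.Subject, $ca.Thumbprint, $ca.NotAfter, $file)
    }
}
```

Before importing, compare the printed root thumbprints with the CA's published fingerprints; a chain that a TLS-intercepting proxy rewrites will show the proxy's CA here, and that is the CA ISE would then need to trust instead.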

2. Register ISE as an Application in Azure

  1. Navigate to Azure Active Directory (now Microsoft Entra ID) > App registrations.
  2. Create a new application named "ISE". No redirect URI is needed: ISE uses the OAuth 2.0 client-credentials flow, not an interactive sign-in.
  3. Assign the required API permissions. Permissions used through the client-credentials flow must be Application permissions (ISE authenticates as itself, not on behalf of a user), and ISE only ever reads device state, so grant nothing beyond these:
    • Microsoft Graph: Read directory data, Intune device configuration.
    • Intune API: Get device compliance information.
    • Azure AD: Sign in and read user profile.
  4. Click Grant admin consent (labelled Grant Permissions in older portals) to apply the changes; until an administrator consents, token requests from ISE are rejected.

3. Import ISE Certificates into Azure

  1. Export the system certificate from every ISE node that will talk to Intune (Administration > System > Certificates > System Certificates). Export the certificate only; the private key stays on ISE and is never uploaded anywhere.
  2. Either upload each certificate under the app registration's Certificates & secrets blade, which fills in the manifest fields for you, or (legacy option) compute the Base64 value and Base64 SHA-1 thumbprint with PowerShell.
  3. With the legacy option, add one entry per node under keyCredentials in the Azure App Manifest: the Base64 DER certificate (value), the Base64 SHA-1 thumbprint (customKeyIdentifier), a fresh GUID (keyId), type AsymmetricX509Cert and usage Verify.
  4. Upload (or save) the updated manifest. Azure now accepts token requests signed with these certificates, so whenever an ISE system certificate is renewed the corresponding entry must be replaced, or token acquisition fails.
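The legacy PowerShell option carried through for all nodes at once, as an added example that is not part of the original article or of Cisco's documentation. It reads one exported .cer file per ISE node from a folder, warns about certificates that are about to expire, and emits the keyCredentials array to paste into the manifest. The folder path is an assumption; the manifest field names are the ones Azure documents.

```powershell
# Added example (not from the original article or Cisco's documentation).
# Builds keyCredentials entries for the Azure app manifest from the system
# certificates exported (certificate only, no private key) from each ISE node.
# $certDir is an assumption; the files may be DER or Base64 .cer exports.
$certDir = "C:\ise-certs"

$entries = foreach ($file in Get-ChildItem -Path $certDir -Filter *.cer) {
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName

    # Azure will reject tokens signed with an expired certificate, and ISE will
    # report "Failed to Acquire Auth Token"; flag anything expiring within 30 days.
    if ($cer.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($file.Name) expires $($cer.NotAfter): rotate it in ISE and update the manifest entry"
    }

    # Hex thumbprint, as shown in the ISE and Azure UIs, for cross-checking.
    Write-Host ("{0,-30} {1} expires {2:yyyy-MM-dd}" -f $file.Name, $cer.Thumbprint, $cer.NotAfter)

    [ordered]@{
        # Base64 of the SHA-1 certificate hash (the thumbprint bytes)
        customKeyIdentifier = [System.Convert]::ToBase64String($cer.GetCertHash())
        # Any new GUID; Azure uses it only to identify this entry
        keyId               = [System.Guid]::NewGuid().ToString()
        type                = "AsymmetricX509Cert"
        usage               = "Verify"
        # Base64 of the raw DER certificate (public key only)
        value               = [System.Convert]::ToBase64String($cer.GetRawCertData())
    }
}

# -InputObject keeps a single entry as a one-element JSON array; paste the result
# as the "keyCredentials" value in the manifest.
ConvertTo-Json -InputObject @($entries)
```

Keep the existing keyCredentials entries for nodes that have not changed: replacing the whole array with only the renewed node's certificate silently breaks token acquisition on the others.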

4. Configure ISE with Azure Endpoints

In ISE, navigate to Administration > Network Resources > External MDM and add a new server with the values from the Azure app registration (the tenant-specific URLs are listed under the registration's Endpoints page):

  • Intune Auto Discovery URL
  • Azure AD Graph API Endpoint (Microsoft has since retired Azure AD Graph; check the release notes for your ISE version for the Microsoft Graph endpoint it expects)
  • OAuth 2.0 Token Endpoint (contains your tenant ID)
  • Client ID, i.e. the Application (client) ID of the "ISE" registration

Save, then use Test Connection and confirm the server shows as connected before referencing it in an authorization policy.

Troubleshooting

  • Connection to Server Failed: ISE could not complete the TLS handshake. Ensure the full CA chain (root and intermediates) for both login.microsoftonline.com and graph.microsoft.com is in the ISE Trusted Certificates store, that the ISE nodes can reach those hosts on TCP 443 through any proxy or firewall in the path, and that the ISE clock is correct.
  • Failed to Acquire Auth Token: TLS works but Azure rejected the client-credentials request. Verify that the ISE certificate registered in Azure (manifest or Certificates & secrets) is the one the node actually presents and has not expired or been renewed since it was uploaded, that the Client ID and tenant-specific token endpoint are correct, and that admin consent has been granted for the permissions.
  • SSL Errors: import the missing CA certificates and validate the trust path; raising the MDM component to debug in ISE's Debug Log Configuration shows which step of the handshake fails.
