Step 1
Log in to the Microsoft Azure portal, and navigate to Azure Active Directory.

Step 2
Choose .

Step 3
Click New registration.

Step 4
In the Register an application window that is displayed, enter a value in the Name field.

Step 5
In the Supported Account Types area, click the Accounts in this organizational directory only radio button.

Step 6
Click Register.
The Overview window of the newly registered application is displayed. With this window open, log in to the Cisco ISE administration portal.

Step 7
.
Step 8
From the list of certificates displayed, check either the Default self-signed server certificate check box or the check box adjacent to any other certificate that you have configured for Admin usage.
Step 9
Click Export.

Step 10
In the dialog box that is displayed, click the Export Certificate Only radio button and click Export.

Step 11
Click View to see the details of this certificate. Scroll down the Certificate Hierarchy dialog box to the Fingerprints area. (You will need these values in a later step.)

Step 12
In the Microsoft Azure Active Directory portal, click Certificates & secrets in the left pane.

Step 13
Click Upload certificate and upload the certificate that you exported from Cisco ISE.

Step 14
After the certificate is uploaded, verify that the Thumbprint value displayed in the window matches the Fingerprint value of the Cisco ISE certificate (Step 11).
Step 15
Click Manifest in the left pane.

Step 16
In the content displayed, check the value of displayName. The value must match the common name in the Cisco ISE certificate.

Step 17
Click API permissions in the left pane.

Step 18
Click Add a permission and add the following permissions:

API / Permission Name                   Type         Description
Intune / get_device_compliance          Application  Get device state and compliance information from Microsoft Intune.
Microsoft Graph / Application.Read.All  Application  Read all applications.

Step 19
Click Grant admin consent for <tenant name>.
Step 20
Make a note of the following details from the Overview window of the application:
- Application (client) ID
- Directory (tenant) ID

Step 21
Click Endpoints in the Overview window and make a note of the value in the OAuth 2.0 token endpoint (V2) field.

Step 22
Download the Microsoft Intune certificates from https://www.digicert.com/kb/digicert-root-certificates.htm in the PEM (chain) format.
Microsoft releases new certificates periodically. If the integration fails with the error “Connection Failed to the MDM server: There is a problem with the server Certificates or ISE trust store,” we recommend that you take a packet capture on the Cisco ISE PAN to determine the exact certificates sent by the MDM server. When you know which certificates are in use, you can download them from the Microsoft PKI repository. Make sure to download the certificates required for trusted communication between Cisco ISE and Microsoft Intune.
Step 23
In the Cisco ISE administration portal, click the Menu icon () and choose .

Step 24
For each of the four certificates that you have downloaded, carry out the following steps:
- Click Import.
- Click Choose File and choose the corresponding downloaded certificate from your system.
- Allow the certificate to be trusted for use by Infrastructure and Cisco Services: in the Usage area, check the Trust for authentication within ISE and Trust for authentication of Cisco Services check boxes.
- Click Save.

Step 25
.
Step 26
Click Add.

Step 27
Enter a value in the Name field.

Step 28
From the Authentication Type drop-down list, choose OAuth – Client Credentials.

Step 29
The following fields require information from the Microsoft Intune application in Microsoft Azure Active Directory:
- In the Auto Discovery URL field, enter https://graph.microsoft.com.
  Note
  The URL https://graph.windows.net/<Directory (tenant) ID> was used when Microsoft Intune supported Azure AD Graph applications. However, Microsoft Intune retired support for Azure AD Graph applications on June 30, 2023. Upgrade to a Cisco ISE release that supports Microsoft Graph for successful integration. The following Cisco ISE releases support Microsoft Graph applications:
  - Cisco ISE Release 2.7 Patch 7 and later
  - Cisco ISE Release 3.0 Patch 5 and later
  - Cisco ISE Release 3.1 Patch 3 and later
  - Cisco ISE Release 3.2 and later releases
- In the Client ID field, enter the Application (client) ID value from the Microsoft Intune application.
- In the Token Issuing URL field, enter the OAuth 2.0 Token Endpoint (V2) value.
- In the Token Audience field, enter https://api.manage.microsoft.com//.default if you use one of the following Cisco ISE releases:
  - Cisco ISE Release 3.0 Patch 8 and later releases
  - Cisco ISE Release 3.1 Patch 8 and later releases
  - Cisco ISE Release 3.2 Patch 3 and later releases
  - Cisco ISE Release 3.3 and later releases
  Note
  In the listed Cisco ISE releases, when you create a new integration, the token audience value is filled in automatically when you choose OAuth – Client Credentials in Step 28. If you upgrade to these releases with existing integrations, you must update the Token Audience field manually to continue receiving updates from the integrated servers. This is because Microsoft mandates that applications that use the Azure Active Directory Authentication Library (ADAL) for authentication and authorization must migrate to the Microsoft Authentication Library (MSAL). For more information, see Migrate applications to the Microsoft Authentication Library (MSAL).
  For other releases of Cisco ISE, enter https://api.manage.microsoft.com/.
Step 30
Enter the required values for the Polling Interval and Time Interval For Compliance Device ReAuth Query fields.

Step 31
Click Test Connection to ensure that Cisco ISE can connect to the Microsoft server.

Step 32
When the connection test is successful, choose Enabled from the Status drop-down list.

Step 33
Click Save.

Step 34
In the Cisco ISE administration portal, click the Menu icon () and choose . The Microsoft Intune server that you added must appear in the list of MDM Servers.
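Steps 11 and 14 hinge on the fingerprint that Cisco ISE shows for the exported certificate matching the thumbprint that Azure shows after the upload. The Python below is an added example, not part of Cisco's documentation or of either product: it computes the thumbprint the way Azure does (SHA-1 over the DER bytes of the certificate), compares the two display formats, and derives the x5t value that a certificate-signed client-credentials assertion carries so that Azure can find the uploaded certificate. The certificate bytes are a constructed placeholder rather than a real certificate, and the colon-separated ISE fingerprint format is an assumption.

```python
import base64
import hashlib
import re

# Constructed stand-in for the DER bytes of an exported ISE certificate. It is
# not a real X.509 certificate; the digest logic is identical for any byte string.
FAKE_DER = b"constructed-certificate-bytes-for-the-example"
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of a Step 10 export and base64-decode the certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def normalize_fingerprint(value: str) -> str:
    """Azure shows 0A1B...; ISE shows 0A:1B:... (assumed). Compare hex digits only."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def sha1_thumbprint(pem: str) -> str:
    """Azure's Thumbprint column is the SHA-1 digest of the DER-encoded certificate."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def fingerprints_match(ise_fingerprint: str, azure_thumbprint: str) -> bool:
    """The Step 14 check, tolerant of the two display formats and of case."""
    return normalize_fingerprint(ise_fingerprint) == normalize_fingerprint(azure_thumbprint)


def x5t_header(pem: str) -> str:
    """base64url(SHA-1 DER digest): the JWT 'x5t' header Azure matches against the
    uploaded certificate when a client-credentials assertion is signed with it."""
    digest = hashlib.sha1(pem_to_der(pem)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


if __name__ == "__main__":
    azure = sha1_thumbprint(FAKE_PEM)
    ise = ":".join(azure[i:i + 2] for i in range(0, len(azure), 2))  # ISE-style rendering
    print("Azure thumbprint:", azure, "| ISE fingerprint:", ise)
    print("match:", fingerprints_match(ise, azure))
    print("JWT x5t:", x5t_header(FAKE_PEM))
```

Run it against the real PEM file exported in Step 10 by replacing FAKE_PEM with the file contents; a mismatch with the Azure thumbprint means the wrong certificate was uploaded.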