Cloudflare Docs
Cloudflare-One
Cloudflare Docs
Cloudflare Zero Trust
Search icon (depiction of a magnifying glass)
GitHub icon
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Microsoft Endpoint Manager

Cloudflare Zero Trust can integrate with Microsoft Endpoint Manager and Intune to require that users connect to certain applications from managed devices. Our service-to-service posture check identifies devices based on their serial numbers.

​​ Prerequisites

Device posture with Microsoft Endpoint Manager requires:

  • An Intune license
  • Microsoft Endpoint Manager managing the device
  • Cloudflare WARP client deployed on the device

​​ Obtain Microsoft Graph settings

The following values are required:

  • Client secret
  • Application (client) ID
  • Direct (tenant) ID

To retrieve those values:

  1. Log in to your Microsoft Dashboard.
  2. Go to App Registrations and click New Registrations.
  3. Copy the Application (client) ID value to a safe place. This will be your Client ID.
  4. Copy the Directory (tenant) ID value to a safe place. This will be your Customer ID.
  5. Go to Certificates & Secrets and click New client secret.
  6. Fill in a description and how long the secret should be valid.
  7. After completing the form, immediately copy the resulting secret. This will be your Client Secret.
  8. Go to API Permissions and click Add permission.
  9. Select Application permissions.
  10. Search for DeviceManagementManagedDevices and select the Read permission.

​​ Set up Intune on the Zero Trust dashboard

  1. Go to Settings > Devices > Device posture providers and click Add new.
  2. Select Intune.
  3. Give your provider a name. This name will be used throughout the dashboard to reference this connection.
  4. Enter the Client ID, Client Secret and Customer ID as you noted down above.
  5. Select a polling frequency for how often Cloudflare Zero Trust should query Microsoft Graph API for information.
  6. Click Save.
  7. Click Test Provider to ensure the values have been entered correctly.

​​ Additional Resources

The Microsoft Endpoint Manager device posture check relies on information from the Microsoft Graph API. Refer to Microsoft’s ComplianceState and List managedDevices documentation for a list of properties returned by the API.

To learn more about how to control ComplianceState, refer to Microsoft’s compliance policies guide.