This post is also available in 繁體中文.
Today, we are very excited to announce our new integration with Microsoft Endpoint Manager (Intune). This integration combines the power of Cloudflare’s expansive network and Zero Trust suite, with Endpoint Manager. Via our existing Intune integration, joint customers can check if a device management profile such as Intune is running on the device or not and grant access accordingly.
With this expanded integration, joint customers can identify, investigate, and remediate threats faster. The integration also includes the latest information from Microsoft Graph API which provides many added, real-time device posture assessments and enables organizations to verify users' device posture before granting access to internal or external applications.
"In today’s work-from-anywhere business culture, the risk of compromise has substantially increased as employees and their devices are continuously surrounded by a hostile threat environment outside the traditional castle-and-moat model. By expanding our integration with Cloudflare, we are making it easier for joint customers to strengthen their Zero Trust security posture across all endpoints and their entire corporate network."
– Dave Randall, Sr Program Manager, Microsoft Endpoint Manager
Before we get deep into how the integration works, let’s first recap Cloudflare’s Zero Trust Services.
Cloudflare Access and Gateway
Cloudflare Access determines if a user should be allowed access to an application or not. It uses our global network to check every request or connection for identity, device posture, location, multifactor method, and many more attributes to do so. Access also logs every request and connection — providing administrators with high-visibility. The upshot of all of this: it enables customers to deprecate their legacy VPNs.
Cloudflare Gateway protects users as they connect to the rest of the Internet. Instead of backhauling traffic to a centralized location, users connect to a nearby Cloudflare data center where we apply one or more layers of security, filtering, and logging, before accelerating their traffic to its final destination.
Zero Trust integration with Microsoft Endpoint Manager
Cloudflare’s customers can now build Access and Gateway policies based on the device being managed by Endpoint Manager (Intune) with a compliance policy defined. In conjunction with our Zero Trust client, we are able to leverage the enhanced telemetry that Endpoint Manager (Intune) provides surrounding a user’s device.
Microsoft’s Graph API delivers continuous real-time security posture assessments such as Compliance State across all endpoints in an organization regardless of the location, network or user. Those key additional device posture data enable enforcement of conditional policies based on device health and compliance checks to mitigate risks. These policies are evaluated each time a connection request is made, making the conditional access adaptive to the evolving condition of the device.
With this integration, organizations can build on top of their existing Cloudflare Access and Gateway policies ensuring that a ‘Compliance State’ has been met before a user is granted access. Because these policies work across our entire Zero Trust platform, organizations can use these to build powerful rules invoking Browser Isolation, tenant control, antivirus or any part of their Cloudflare deployment.
How the integration works
Customers using our Zero Trust suite can add Microsoft Intune as a device posture provider in the Cloudflare Zero Trust dashboard under Settings → Devices → Device Posture Providers. The details required from the Microsoft Endpoint Manager admin center to set up policies on Cloudflare dashboard include: ClientID, Client Secret, and Customer ID.
After creating the Microsoft Endpoint Manager Posture Provider, customers can create specific device posture checks requiring users’ devices to meet certain criteria such as device ‘Compliance State’.
These rules can now be used to create conditional Access and Gateway policies to allow or deny access to applications, networks, or sites. Administrators can choose to block or isolate users or user groups with malicious or insecure devices.
What comes next?
In the coming months, we will be further strengthening our integrations with the Microsoft Graph API by allowing customers to correlate many other fields in the Graph API to enhance our joint customers’ security policies.
If you’re using Cloudflare Zero Trust products today and are interested in using this integration with Microsoft Intune, please visit our documentation to learn about how you can enable it. If you want to learn more or have additional questions, please fill out the form or get in touch with your Cloudflare CSM or AE, and we'll be happy to help you.