Microsoft Intune Integration
The Device Trust Microsoft Intune integration lets you automatically sync your managed devices from Intune into Teleport. This guide explains how to set up the integration.
How it works
The Teleport Intune integration periodically reads your managed device inventory from Microsoft Intune and syncs it to Teleport. It performs both incremental (called "partial") and full syncs, as well as removals from Teleport if a device is removed from Intune.
Syncing devices from Intune is an inventory management step, equivalent to automatically running the corresponding `tctl devices add` commands.
See the Device Trust guide for fundamental Device Trust concepts and behavior.
The Microsoft Intune integration is available exclusively as a hosted plugin through the Teleport Web UI. Running it as a standalone service is not currently supported.
Prerequisites
- A running Teleport Enterprise cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
- The `tctl` and `tsh` clients.

Installing `tctl` and `tsh` clients

- Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

  ```
  TELEPORT_DOMAIN=teleport.example.com:443
  TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
  ```

- Follow the instructions for your platform to install the `tctl` and `tsh` clients:

  Mac

  Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients:

  ```
  curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
  ```

  In Finder double-click the pkg file to begin installation.

  Danger: Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

  Windows - PowerShell

  ```
  curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
  ```

  Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%.

  NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.

  Linux

  All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

  ```
  curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
  tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
  cd teleport
  sudo ./install
  Teleport binaries have been copied to /usr/local/bin
  ```
- To enroll a macOS device, you need:
  - A signed and notarized `tsh` binary. Download the macOS tsh installer.
  - A signed and notarized
- To enroll a Windows device, you need:
  - A device with TPM 2.0.
  - A user with administrator privileges. This is only required during enrollment.
  - The `tsh` client. Download the Windows tsh installer.
- To enroll a Linux device, you need:
  - A device with TPM 2.0.
  - A user with permissions to use the /dev/tpmrm0 device (typically done by assigning the `tss` group to the user).
  - The `tsh` client. Install tsh for Linux. WSL users should use the Windows binary instead. Download the Windows tsh installer.
- To authenticate a Web UI session you need Teleport Connect.
- Correct end-user IP propagation to your Teleport deployment: X-Forwarded-For header (L7 load balancer) or PROXY protocol (L4 load balancer).
- Access to Microsoft Entra ID with Global Administrator or Application Administrator permissions.
- An active Microsoft Intune subscription with managed devices.
Step 1/3. Register an application in Microsoft Entra ID
Create and configure an application in Microsoft Entra ID that Teleport will use to access your Intune data:
- Sign in to the Microsoft Entra admin center with an account that has Global Administrator or Application Administrator permissions.
- Navigate to Entra ID > App registrations and select New registration.
- Configure the application:
- Name: enter a descriptive name (e.g., "Teleport Intune Integration").
- Supported account types: select "Accounts in this organizational directory only".
- Redirect URI: leave this blank and click "Register".
- Once created, copy the Application (client) ID from the Overview page. You'll need this when configuring the integration in Teleport.
In case of problems with the above instructions, follow the official docs for registering an application.
Step 2/3. Configure API permissions and create client secret
Grant the application permission to read Intune managed devices:
- In your registered application, navigate to API permissions > Add a permission.
- Select Microsoft Graph > Application permissions.
- Search for and add the `DeviceManagementManagedDevices.Read.All` permission. The integration only reads managed devices, so this read-only permission is all it needs; do not grant broader Intune or directory permissions.
- Click "Grant admin consent" for your organization and confirm.
In case of problems with the above instructions, follow the official docs for granting application permission.
The consent must be granted by a Global Administrator or Privileged Role Administrator. Until it is granted, the Graph API rejects the integration's requests with an authorization error and no devices are synced.
To create a client secret:
- In your registered application, navigate to Certificates & secrets > Client secrets.
- Click New client secret.
- Add a description and select an expiration period. Set a reminder to rotate the secret before it expires: once it has expired, the integration can no longer obtain Graph tokens and syncing stops until a new secret is configured.
- Click "Add" and copy the Value (not the Secret ID). The value is displayed only once, and it is a credential with read access to your entire device inventory, so hand it directly to Teleport rather than storing it anywhere else.
In case of problems with the above instructions, follow the official docs for adding a client secret.
Step 3/3. Configure the Intune integration in Teleport
- Follow the official docs to find your tenant identifier (e.g., contoso.onmicrosoft.com or the tenant GUID).
- In the Web UI, navigate to Add New > Integration and select "Microsoft Intune".
- Fill in the required information:
- Primary domain or Microsoft Entra tenant ID: enter your tenant identifier.
- Application (client) ID: Paste the Application ID you copied in Step 1.
- Client secret value: Paste the client secret value you copied in Step 2.
- Click "Connect Microsoft Intune" to complete the setup.
The integration will begin syncing devices from your Intune inventory within two minutes. Depending on the size of your inventory, the initial sync may take a few minutes to complete.
How syncing works
Sync schedule
The Intune integration uses the following fixed schedule that starts when the integration is installed, updated, or when the Auth Service is restarted:
- Full sync: every 24 hours – fetches all devices from Intune, reconciles the complete inventory and removes missing devices.
- Partial sync: every 6 hours between full syncs – fetches only devices that have been modified in Intune since the last sync.
The integration tracks the last sync time from Intune to fetch only changed devices during partial syncs. Partial syncs never remove devices, so a device deleted from Intune remains in Teleport's inventory until the next full sync, which can be up to 24 hours later.
Device requirements
For a device to be synced, it must have a serial number, its device registration state must be set to "registered" and its operating system must be either macOS, Windows, or Linux.
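Before pasting the credentials into the Web UI, it is worth confirming that the app registration, the admin consent and the secret actually work, and previewing which devices meet the requirements above. The following Python script is an added example written for this page, not part of Teleport or of the original documentation: it obtains a token with the OAuth 2.0 client-credentials flow, pages through the Graph `deviceManagement/managedDevices` collection, and applies the three eligibility rules from this section (serial number present, registration state "registered", OS is macOS, Windows or Linux). The environment variable names, and the mapping of Intune's `operatingSystem` strings onto Teleport's OS families, are assumptions of the example; the filtering is a reading of the rules in the text, not Teleport's own code.

```python
"""Preview which Intune devices satisfy the Teleport sync requirements (added example)."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Teleport only syncs devices running one of these OS families.
SYNCABLE_OS = {"macos", "windows", "linux"}


def get_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow: exchange the app secret for a Graph access token."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # use the consented application permissions
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def list_managed_devices(token: str):
    """Yield managedDevice records, following @odata.nextLink pagination."""
    url = GRAPH + "/deviceManagement/managedDevices?" + urllib.parse.urlencode({
        "$select": "id,serialNumber,operatingSystem,deviceRegistrationState",
    })
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page


def normalize_os(operating_system: str) -> str:
    """Map Intune's operatingSystem string onto a Teleport os_type family (assumed mapping)."""
    os_name = (operating_system or "").strip().lower()
    if os_name.startswith("mac"):    # Intune reports "macOS"
        return "macos"
    if os_name.startswith("win"):    # "Windows"
        return "windows"
    if os_name.startswith("linux"):
        return "linux"
    return os_name                   # e.g. "ios", "android": not syncable


def sync_decision(device: dict) -> tuple:
    """Return (syncable, reason) for one managedDevice, per the rules in this section."""
    if not device.get("serialNumber"):
        return False, "missing serial number"
    if device.get("deviceRegistrationState") != "registered":
        return False, f"registration state is {device.get('deviceRegistrationState')!r}"
    os_type = normalize_os(device.get("operatingSystem"))
    if os_type not in SYNCABLE_OS:
        return False, f"unsupported OS {device.get('operatingSystem')!r}"
    return True, os_type


def partition(devices) -> dict:
    """Split an inventory into the devices Teleport would sync and those it would skip."""
    result = {"sync": [], "skip": []}
    for d in devices:
        ok, reason = sync_decision(d)
        result["sync" if ok else "skip"].append((d.get("id"), d.get("serialNumber"), reason))
    return result


if __name__ == "__main__":
    # The variable names below are an assumption of this example.
    try:
        token = get_token(os.environ["INTUNE_TENANT"], os.environ["INTUNE_CLIENT_ID"],
                          os.environ["INTUNE_CLIENT_SECRET"])
        report = partition(list_managed_devices(token))
    except urllib.error.HTTPError as e:
        # A 400/401 from the token endpoint usually means a wrong tenant, client ID or secret;
        # a 403 from Graph usually means admin consent for the permission was not granted.
        print(f"HTTP {e.code} from {e.url}: {e.read().decode(errors='replace')}", file=sys.stderr)
        sys.exit(2)
    for bucket in ("sync", "skip"):
        print(f"== {bucket} ({len(report[bucket])})")
        for dev_id, serial, reason in report[bucket]:
            print(f"{dev_id}  serial={serial!r}  {reason}")
    sys.exit(0 if report["sync"] else 1)
```

Run it with the three variables exported; an empty "sync" bucket after a successful call means the inventory, not the credentials, is the problem, and the "skip" reasons tell you which rule each device fails.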
Device ownership and removal
When syncing inventory, the Intune integration claims ownership of all synced devices. This can be verified by inspecting a device's `source` field:

```
# tctl get device/mydevice
kind: device
metadata:
  name: 20ec6373-9e8e-46e0-8f1c-47ad6b06a768
spec:
  asset_tag: mydevice
  os_type: macos
  # ...
  source:
    name: intune
    origin: intune
  update_time: "2023-06-21T19:44:40.40601Z"
version: v1
```
During full syncs, devices that are no longer present in Intune or have mismatched properties (different serial number or OS type for the same Intune device ID) will be automatically removed from Teleport's inventory.
Only devices synced by Intune are subject to automatic deletion. Devices added manually via `tctl devices add` or synced from other sources won't be deleted by the Intune integration.
To cut off an unwanted device immediately, lock it in Teleport first and then remove it from Intune. The lock takes effect at once, whereas the device is only dropped from Teleport's inventory during the next full sync, which can be up to 24 hours later:

```
tctl devices lock --asset-tag=SERIAL_NUMBER --message='reason for locking'
Created a lock with name "a2f1491c-4a3e-4daf-9c83-2fe931668076".
```
Manual removal via `tctl devices rm` is possible, but note that if the device is still in the Intune inventory, it'll be recreated during the next sync.
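The schedule and ownership rules in this section and in "Sync schedule" above (full syncs remove, partial syncs only upsert, only Intune-sourced devices are ever deleted, and a manual `tctl devices rm` is undone by the next sync that sees the device) can be stated as a small reconciliation model. The Python below is an added illustration written for this page, not Teleport's implementation; the data shapes, and in particular the `intune_id` field that links a Teleport device back to its Intune record, are assumptions of the example. `scenario()` walks a constructed inventory through the cases the text describes.

```python
"""Model of the Intune sync rules described above (added illustration, not Teleport's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class IntuneDevice:
    intune_id: str
    serial: str
    os_type: str          # "macos" | "windows" | "linux"
    modified: datetime    # when Intune last changed this record


@dataclass
class TeleportDevice:
    asset_tag: str        # the serial number
    os_type: str
    source: str           # "intune" for synced devices, "" for `tctl devices add`
    intune_id: str = ""   # assumption: how the sync remembers which Intune record a device came from


@dataclass
class Inventory:
    devices: Dict[str, TeleportDevice] = field(default_factory=dict)  # keyed by asset_tag
    last_sync: Optional[datetime] = None

    def upsert(self, d: IntuneDevice) -> None:
        self.devices[d.serial] = TeleportDevice(d.serial, d.os_type, "intune", d.intune_id)


def full_sync(inv: Inventory, intune: List[IntuneDevice], now: datetime) -> List[str]:
    """Reconcile the whole inventory; returns the asset tags removed.
    Only devices whose source is Intune are ever deleted."""
    by_id = {d.intune_id: d for d in intune}
    removed = []
    for tag, dev in list(inv.devices.items()):
        if dev.source != "intune":
            continue  # devices added by hand or by another source are left alone
        current = by_id.get(dev.intune_id)
        if current is None or current.serial != dev.asset_tag or current.os_type != dev.os_type:
            del inv.devices[tag]  # gone from Intune, or same Intune ID with a different serial/OS
            removed.append(tag)
    for d in intune:
        inv.upsert(d)  # also recreates anything an admin removed with `tctl devices rm`
    inv.last_sync = now
    return removed


def partial_sync(inv: Inventory, intune: List[IntuneDevice], now: datetime) -> List[str]:
    """Upsert only records Intune changed since the last sync; never removes anything."""
    since = inv.last_sync or datetime.min.replace(tzinfo=timezone.utc)
    touched = []
    for d in intune:
        if d.modified > since:
            inv.upsert(d)
            touched.append(d.serial)
    inv.last_sync = now
    return touched


def scenario() -> dict:
    """Walk a constructed inventory through the cases this section describes."""
    t = [datetime(2024, 1, day, tzinfo=timezone.utc) for day in range(1, 5)]
    inv = Inventory()
    inv.devices["MANUAL1"] = TeleportDevice("MANUAL1", "linux", "")  # added with tctl devices add
    intune = {"id-a": IntuneDevice("id-a", "SERIAL-A", "macos", t[0]),
              "id-b": IntuneDevice("id-b", "SERIAL-B", "windows", t[0])}
    obs = {}
    obs["first_full_removed"] = full_sync(inv, list(intune.values()), t[0])
    obs["after_first_full"] = sorted(inv.devices)

    # 1. An admin runs `tctl devices rm` on SERIAL-A; the next partial sync sees no Intune changes.
    del inv.devices["SERIAL-A"]
    obs["quiet_partial_touched"] = partial_sync(inv, list(intune.values()), t[1])
    obs["a_after_quiet_partial"] = "SERIAL-A" in inv.devices

    # 2. Intune later modifies device A (e.g. a check-in); the partial sync recreates it.
    intune["id-a"] = IntuneDevice("id-a", "SERIAL-A", "macos", t[2])
    obs["busy_partial_touched"] = partial_sync(inv, list(intune.values()), t[2])
    obs["a_after_busy_partial"] = "SERIAL-A" in inv.devices

    # 3. A is deleted from Intune and B's record now carries a different serial number.
    del intune["id-a"]
    intune["id-b"] = IntuneDevice("id-b", "SERIAL-B2", "windows", t[3])
    obs["second_full_removed"] = sorted(full_sync(inv, list(intune.values()), t[3]))
    obs["after_second_full"] = sorted(inv.devices)  # the manual device survives
    return obs


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model makes the practical point explicit: between full syncs, the only way to get a device out of Teleport and keep it out is to remove it from Intune, and the only way to stop it immediately is a lock.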
Monitoring the integration
After configuration, you can monitor the integration status in the Web UI. Navigate to Zero Trust Access > Integrations. If the integration status indicates an error, check the Auth Service logs for errors from the Intune integration.
You can also verify synced devices using the command line:
```
tctl devices ls
Asset Tag    OS      Source Enroll Status Owner Device ID
------------ ------- ------ ------------- ----- ------------------------------------
CXXXXXXXXX17 macOS   Intune not enrolled        20ec6373-9e8e-46e0-8f1c-47ad6b06a768
CXXXXXXXXX2T macOS   Intune not enrolled        79755778-7cbe-4e2c-83ec-7eaa3d4d7e36
CXXXXXXXXX3T Windows Intune not enrolled        665e59d5-393a-4894-841d-edad06329717
CXXXXXXXXX4T macOS   Intune not enrolled        dd032e90-bfb0-47d5-bce5-e57545f6788f
CXXXXXXXXX5T Windows Intune not enrolled        bf189863-a94a-40dc-9013-d96f8dada2f1
(...)
```
Next steps
Automatically enroll synced devices on user login with auto-enrollment.