Date: 2025-08-27
Version: 19.x (unreleased)


Microsoft Intune Integration

The Device Trust Microsoft Intune integration lets you automatically sync your managed devices from Intune into Teleport. This guide explains how to set up the integration.

The Teleport Intune integration periodically reads your managed device inventory from Microsoft Intune and syncs it to Teleport. It performs both incremental (called "partial") and full syncs, as well as removals from Teleport if a device is removed from Intune.

Syncing devices from Intune is an inventory management step, equivalent to automatically running the corresponding tctl devices add commands.

See the Device Trust guide for fundamental Device Trust concepts and behavior.

Note: The Microsoft Intune integration is available exclusively as a hosted plugin through the Teleport Web UI. Running it as a standalone service is not currently supported.

A running Teleport Enterprise cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients.

Installing tctl and tsh clients

Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

    TELEPORT_DOMAIN=teleport.example.com:443
    TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

Follow the instructions for your platform to install tctl and tsh clients:

Mac: Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

    curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

In Finder double-click the pkg file to begin installation.

Danger: Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

Windows - PowerShell:

    curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip

Linux: All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

    curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
    tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
    cd teleport
    sudo ./install



Access to Microsoft Entra ID with Global Administrator or Application Administrator permissions.

An active Microsoft Intune subscription with managed devices.

Create and configure an application in Microsoft Entra ID that Teleport will use to access your Intune data:

1. Sign in to the Microsoft Entra admin center with an account that has Global Administrator or Application Administrator permissions.
2. Navigate to Entra ID > App registrations and select New registration.
3. Configure the application:
   - Name: enter a descriptive name (e.g., "Teleport Intune Integration").
   - Supported account types: select "Accounts in this organizational directory only".
   - Redirect URI: leave this blank and click "Register".
4. Once created, copy the Application (client) ID from the Overview page. You'll need this when configuring the integration in Teleport.

In case of problems with the above instructions, follow the official docs for registering an application.

Grant the application permission to read Intune managed devices:

1. In your registered application, navigate to API permissions > Add a permission.
2. Select Microsoft Graph > Application permissions.
3. Search for and add the DeviceManagementManagedDevices.Read.All permission.
4. Click "Grant admin consent" for your organization and confirm.

In case of problems with the above instructions, follow the official docs for granting application permission.

Note: The consent must be granted by a Global Administrator or Privileged Role Administrator. Failure to grant this permission will result in an error from the Graph API.

To create a client secret:

1. In your registered application, navigate to Certificates & secrets > Client secrets.
2. Click New client secret.
3. Add a description and select an expiration period (we recommend setting a reminder to rotate the secret before it expires).
4. Click "Add" and copy the Value (not the Secret ID).

In case of problems with the above instructions, follow the official docs for adding a client secret.

1. Follow the official docs to find your tenant identifier (e.g., contoso.onmicrosoft.com or the tenant GUID).
2. In the Web UI, navigate to Add New > Integration and select "Microsoft Intune".
3. Fill in the required information:
   - Primary domain or Microsoft Entra tenant ID: enter your tenant identifier.
   - Application (client) ID: paste the Application ID you copied in Step 1.
   - Client secret value: paste the client secret value you copied in Step 2.
4. Click "Connect Microsoft Intune" to complete the setup.

The integration will begin syncing devices from your Intune inventory within two minutes. Depending on the size of your inventory, the initial sync may take a few minutes to complete.

The Intune integration uses the following fixed schedule that starts when the integration is installed, updated, or when the Auth Service is restarted:

Full sync: every 24 hours – fetches all devices from Intune, reconciles the complete inventory and removes missing devices.

Partial sync: every 6 hours between full syncs – fetches only devices that have been modified in Intune since the last sync.

The integration tracks the last sync time from Intune to fetch only changed devices during partial syncs.

For a device to be synced, it must have a serial number, its device registration state must be set to "registered" and its operating system must be either macOS, Windows, or Linux.

When syncing inventory, the Intune integration claims ownership of all synced devices. This can be verified by inspecting a device's source field:

    kind: device
    metadata:
      name: 20ec6373-9e8e-46e0-8f1c-47ad6b06a768
    spec:
      asset_tag: mydevice
      os_type: macos
      source:
        name: intune
        origin: intune
      update_time: "2023-06-21T19:44:40.40601Z"
    version: v1

During full syncs, devices that are no longer present in Intune or have mismatched properties (different serial number or OS type for the same Intune device ID) will be automatically removed from Teleport's inventory.

Note: Only devices synced by Intune are subject to automatic deletion. Devices added manually via tctl devices add or synced from other sources won't be deleted by the Intune integration.
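The eligibility rule above (serial number, "registered" state, supported OS) and the full-sync reconciliation rule (remove Intune-sourced devices that are missing or have a mismatched serial number or OS type, never touch manually added ones) are small enough to model end to end. The following is an added example written for this page, not Teleport's own implementation; the device records and inventories are constructed sample data.

```python
# Model of the documented Intune full-sync semantics. This is an added
# illustration, not Teleport's code; all inventories below are constructed.
from dataclasses import dataclass

SUPPORTED_OS = {"macos", "windows", "linux"}

@dataclass(frozen=True)
class IntuneDevice:
    id: str           # Intune managed device ID
    serial: str       # becomes the Teleport asset_tag
    os: str           # OS as reported by Intune
    registered: bool  # device registration state == "registered"

@dataclass(frozen=True)
class TeleportDevice:
    asset_tag: str
    os_type: str
    source: str       # "intune" for synced devices, "" for tctl devices add
    intune_id: str = ""

def eligible(d: IntuneDevice) -> bool:
    """Sync rule: serial present, state registered, OS in the supported set."""
    return bool(d.serial) and d.registered and d.os.lower() in SUPPORTED_OS

def full_sync(intune, teleport):
    """Return (to_add, to_remove) for one full sync of the Teleport inventory."""
    wanted = {d.id: d for d in intune if eligible(d)}
    to_remove, kept = [], set()
    for t in teleport:
        if t.source != "intune":
            continue  # manual or other-source devices are never deleted
        src = wanted.get(t.intune_id)
        if src is None or src.serial != t.asset_tag or src.os.lower() != t.os_type:
            to_remove.append(t)  # gone from Intune, or mismatched serial/OS
        else:
            kept.add(t.intune_id)
    to_add = [TeleportDevice(d.serial, d.os.lower(), "intune", d.id)
              for i, d in wanted.items() if i not in kept]
    return to_add, to_remove

# Constructed sample inventories (not real devices).
INTUNE = [
    IntuneDevice("dev-1", "CXXXXXXXXX17", "macOS", True),
    IntuneDevice("dev-2", "CXXXXXXXXX2T", "Windows", True),
    IntuneDevice("dev-3", "", "macOS", True),              # no serial: skipped
    IntuneDevice("dev-4", "CXXXXXXXXX4T", "iOS", True),    # unsupported OS: skipped
    IntuneDevice("dev-5", "CXXXXXXXXX5T", "Linux", False), # not registered: skipped
]
TELEPORT = [
    TeleportDevice("CXXXXXXXXX17", "macos", "intune", "dev-1"),  # unchanged
    TeleportDevice("OLDSERIAL", "windows", "intune", "dev-2"),   # serial changed
    TeleportDevice("CXXXXXXXXX9Z", "linux", "intune", "dev-9"),  # no longer in Intune
    TeleportDevice("MANUAL01", "linux", ""),                     # tctl devices add
]
```

Running `full_sync(INTUNE, TELEPORT)` yields one device to add (dev-2 under its new serial) and two to remove (the stale dev-2 record and dev-9), while MANUAL01 is left alone.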

For immediate removal of unwanted devices, first lock the device in Teleport, then remove it from Intune:

    tctl devices lock --asset-tag=SERIAL_NUMBER --message='reason for locking'
    Created a lock with name "a2f1491c-4a3e-4daf-9c83-2fe931668076".

Manual removal via tctl devices rm is possible, but note that if the device is still in the Intune inventory, it'll be recreated during the next sync.

After configuration, you can monitor the integration status in the Web UI. Navigate to Zero Trust Access > Integrations. If the integration status indicates an error, check the Auth Service logs for errors from the Intune integration.

You can also verify synced devices using the command line:

    tctl devices ls
    Asset Tag    OS      Source Enroll Status Owner Device ID
    ------------ ------- ------ ------------- ----- ------------------------------------
    CXXXXXXXXX17 macOS   Intune not enrolled       20ec6373-9e8e-46e0-8f1c-47ad6b06a768
    CXXXXXXXXX2T macOS   Intune not enrolled       79755778-7cbe-4e2c-83ec-7eaa3d4d7e36
    CXXXXXXXXX3T Windows Intune not enrolled       665e59d5-393a-4894-841d-edad06329717
    CXXXXXXXXX4T macOS   Intune not enrolled       dd032e90-bfb0-47d5-bce5-e57545f6788f
    CXXXXXXXXX5T Windows Intune not enrolled       bf189863-a94a-40dc-9013-d96f8dada2f1
    (...)

Automatically enroll synced devices on user login with auto-enrollment.