Thanks for the additional information about UAP. I will check it out.
Each device in Intune also has a primary user assigned. I need additional information about the group memberships of the primary user, and not of the user who registered the device and is synced by the ClearPass Extension.
Original Message:
Sent: Sep 10, 2021 05:43 AM
From: Kestutis Virsilas
Subject: Clearpass Intune - User attributes
Hi, Andreas,
Thanks for your reply,
As Tim mentioned, the User attributes in the Intune Extension are for the user to whom the device is assigned, so it is irrelevant to use them for user authorization.
I know that the Azure AD User group information "memberOf" can be called from the MS Graph API using "GET https://graph.microsoft.com/v1.0/users/{id}/memberOf" after OAuth2 authentication. As I understand and can see from the Guest Application logs, ClearPass Guest Social login uses OAuth and gets User group membership this way.
I found this post by Danny about the ClearPass Universal Authentication Proxy Extension: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=18935
Maybe it could be adapted for OAuth communication with Azure AD, and then the extension could be used as an HTTP Auth source like it is done with Intune.
Unfortunately, I haven't found much information regarding the CPPM UAP Extension.
Regards
------------------------------
Kestutis Virsilas
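The Graph `memberOf` call mentioned in the message above, sketched as an added example that is not part of the thread and is not code from any ClearPass extension. It pages through the response and keeps only group objects. The function names, the user id `primary-user-id` and the sample responses are constructed for illustration, and the OAuth2 token is assumed to have been obtained already.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GROUP_TYPE = "#microsoft.graph.group"


def http_fetch(token):
    """Return a fetch(url) callable that sends the OAuth2 bearer token to Graph."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def group_names(fetch, user_id):
    """Collect display names of the groups a user is a direct member of."""
    url = f"{GRAPH}/users/{urllib.parse.quote(user_id, safe='')}/memberOf"
    names = []
    while url:
        # Follow paging links only while they stay on the Graph host, so the
        # bearer token is never sent anywhere else.
        if not url.startswith(GRAPH + "/"):
            raise ValueError("unexpected paging URL: " + url)
        page = fetch(url)
        for obj in page.get("value", []):
            # memberOf also returns directory roles and administrative units.
            if obj.get("@odata.type") == GROUP_TYPE and obj.get("displayName"):
                names.append(obj["displayName"])
        url = page.get("@odata.nextLink")
    return sorted(names)


# Constructed sample responses (not real tenant data), keyed by request URL.
_PAGE2 = GRAPH + "/users/primary-user-id/memberOf?$skiptoken=X"
SAMPLE = {
    GRAPH + "/users/primary-user-id/memberOf": {
        "value": [
            {"@odata.type": GROUP_TYPE, "displayName": "Staff-WiFi"},
            {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {"value": [{"@odata.type": GROUP_TYPE, "displayName": "Finance"}]},
}

if __name__ == "__main__":
    print(group_names(SAMPLE.__getitem__, "primary-user-id"))
```

Against a live tenant, pass `http_fetch(token)` instead of `SAMPLE.__getitem__`. `memberOf` returns direct memberships only; Graph's `transitiveMemberOf` also returns nested ones.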
Original Message:
Sent: Sep 10, 2021 02:22 AM
From: Andreas Odermatt
Subject: Clearpass Intune - User attributes
Hi Kestutis
Last year I had the chance to talk with Danny Jump. There are other very big companies requesting exactly the same feature.
I don't know the current status, but I also hope we can have access to AAD Users and Groups information soon.
Best regards,
Andreas
------------------------------
Andreas Odermatt
Original Message:
Sent: Sep 09, 2021 07:12 AM
From: Tim C
Subject: Clearpass Intune - User attributes
That is the user who the device is assigned to and is not relevant to the active session.
Original Message:
Sent: 9/9/2021 6:17:00 AM
From: kestutis@whitebit.lt
Subject: RE: Clearpass Intune - User attributes
Hi Tim,
Thanks for your reply,
I do understand that MS Intune is for device identity.
But according to the Aruba ClearPass Intune integration guide (V5), we have to grant the "User.Read" (Sign in and read user profile) permission in the Azure Microsoft Graph API, which is used for the Intune Extension. And indeed, when the Intune extension creates an Endpoint, there is information about the current User in the Endpoint Attributes:
------------------------------
Kestutis Virsilas
kestutis@whitebit.lt
Original Message:
Sent: Sep 08, 2021 10:03 AM
From: Tim C
Subject: Clearpass Intune - User attributes
There is no user context for a device. Intune is for device identity only.
------------------------------
Tim C
Original Message:
Sent: Sep 08, 2021 02:44 AM
From: Kestutis Virsilas
Subject: Clearpass Intune - User attributes
Hello, Danny,
Are there any updates regarding this topic?
Currently we are looking for basically the same functionality – to get additional User attributes with the Intune Extension to enforce different user access rights.
With the Intune Extension we have some User attributes. One of them is "Intune User ID"; it would be useful to also get the User "Groups" or "Department" for the same "Intune User ID".
Thanks!
------------------------------
kestutis@whitebit.lt
Original Message:
Sent: Oct 30, 2020 03:39 PM
From: Danny Jump
Subject: Clearpass Intune - User attributes
Hey Andreas,
I've looked into this today and we can add this as an optional switch in the extension config, it makes a lot of sense to be able to tie the device to some abstracted group for access rights.
But, I'd like to grab a zoom meeting with you to ensure I understand what you want exactly, I'm in California, currently CET +8 {guessing CET from your name if you don't mind}, but after this weekend I'm back to CET +9.....
You can email me direct jump@hpe.com and we can set up a convenient time to talk.
Cheers
------------------------------
Danny Jump
ClearPass Policy Manager - Product Manager
Original Message:
Sent: Oct 30, 2020 10:05 AM
From: Victor Fabian
Subject: Clearpass Intune - User attributes
Based on the latest Intune integration guide (page 34), it is not possible:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00106086en_us
------------------------------
Victor Fabian
Original Message:
Sent: Oct 30, 2020 09:51 AM
From: Andreas Odermatt
Subject: Clearpass Intune - User attributes
Hi
Does anyone know if it's possible to extend the Intune Extension V5 to get, for example, the "department" attribute of the assigned user in addition to the information already available (Display Name, ID etc.)?
Thanks.
------------------------------
Andreas Odermatt
------------------------------