Security

  • 1.  ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted Apr 11, 2025 04:16 PM

    Since the changes to Microsoft's requirements for AD authentication with certificates, I have an issue which has gone from annoying to problematic.

    Essentially, for many customers and what I want to do, I need to be able to access the "Intune Device ID" and the "AAD Device ID". The first is used in requests to the ClearPass extension, while the second is used to interrogate Entra ID to get various pieces of information, including group membership, user risk, "enabled" status, etc.

    Currently, we can access the Intune ID in two ways:

    • Put it in the certificate subject's CN field
    • Retrieve it from the Endpoint Repository's "Intune Device ID" Attribute

    We can access the AAD Device ID in two ways:

    • Put it in the certificate subject's CN field
    • Retrieve it from the Endpoint Repository's "Intune Azure AD Device Id" Attribute

    The first can be problematic. For example, if your user certificate is also a WHfB certificate, and you want to do SSO to local AD, you need to put the user DN in there. There's also the problem that it doesn't fix the issue of getting both IDs.

    The Endpoints Repository also requires that the MAC address gets correlated between your device and the Endpoints Repository. And this is becoming an issue with MAC address randomization becoming more prevalent. Mobile OS have been doing this for a long time, and MacOS 15 now does this also. Disabling it has security and privacy implications, not even taking into account the fact that Intune doesn't even support doing so easily for MacOS 15. There's also the issue that relying on a MAC address for anything at all in 2025 is problematic. I would prefer using the client certificate's properties to get the Intune Device Id and AAD Device Id.

    As I mentioned, this came in part following Microsoft's changes to the AD certificate authentication requirements. We now need to put a tag:microsoft.com entry into the SAN of the certificates, as a URI field. We were previously putting the Intune Device Id in there. ClearPass now recommends putting the Intune Device Id and Azure AD Device Id in that field as well.

    Well, that's great! I can access both fields in the certificate.

    Except that I cannot. I have found no documentation or method to access these fields and use them in an authorization method.

    I have managed to get them from the "Endpoints Repository" authorization method instead, but I cannot use those fields in a different authorization method.

    If I modify the "Endpoints Repository" source like this:

    Authentication Filter Query: SELECT mac_address AS User_Password FROM tips_endpoints WHERE (mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND status = 'Known') OR (attributes->>'Intune ID' = '%{Authentication:Username}' AND attributes->>'Intune System Found' = 'true')

    Intune Filter Query: select attributes->>'Intune Azure AD Device Id' as "IntuneAzureADDeviceId", attributes->>'Intune Device Name' as "IntuneDeviceName", attributes->>'Intune System Found' as "IntuneSystemFound", attributes->>'Intune ID' as "IntuneID" FROM tips_endpoints WHERE attributes->>'Intune ID' = '%{Authentication:Username}' AND attributes->>'Intune System Found' = 'true'

    I can use the properties synced from Intune in my Role Mapping. But I cannot use them in my Intune or Entra ID authorization sources. If I try to add "%{Authorization:[Endpoints Repository]:IntuneAzureADDeviceId}" in a query, it appears to strip the first "[" and obviously does not succeed in querying the source.

    So I have two questions:

    Is there a way to access the "Intune Device Id" and the "AAD_Device_Id" fields in a certificate's SAN?

    Is there a way to use attributes gleaned from one authorization method in a different authorization method?

    The second method would be more convoluted, but I think I can work with that. The first would be ideal.



  • 2.  RE: ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted Apr 14, 2025 01:31 AM

    Are you using this document and the Intune extension?
    https://arubanetworking.hpe.com/techdocs/NAC/clearpass/integrations/unified-endpoint-management/intune/

    I'm still trying to get this to work and am working with TAC plus my own troubleshooting. So far I've been told to disable Authorization Required on my EAP-TLS auth method to deal with the unknown MAC when it's first seen (onboard wired NIC MAC, USB dock MAC, randomized MAC, etc.).

    I've seen a lot of confusing info on here and in previous documents. I wish there was a full validated design document that brings all the elements together. So many suggestions from different sources don't work in my experience, yet I think sometimes it's down to missing details. In some recent troubleshooting I realized that I should be using role conditions that reference the correct authentication source rather than the generic "Endpoint". I only realized this after I read through every single post on here I could find that included Intune.

    I've finally managed to get Entra-joined endpoints with a SCEP cert with the Intune ID in a SAN ("deviceid:<guid>"; I'm using MS Cloud PKI and it's changing the case) and finally realised I had to match the role mapping conditions with the same authentication source. However, it only works with the default Endpoint DB, adding as a 6th line. I simply cannot get it to work as a new Generic SQL auth source like so many people have mentioned; it keeps erroring with a syntax error. This is what I have now as a basic test:

    This is the SQL query I added:
    select attributes->>'Intune ID' as "Intune ID",attributes->>'Intune User Principal Name' as "Intune User Principal Name",attributes->>'Intune Model' as "Intune Model",attributes->>'Intune Jail Broken' as "Intune Jail Broken",attributes->>'Intune Operating System' as "Intune Operating System",attributes->>'Intune Managed Device Owner Type' as "Intune Managed Device Owner Type",attributes->>'Intune Management Agent' as "Intune Management Agent",attributes->>'Intune Azure AD Registered' as "Intune Azure AD Registered",attributes->>'Intune Compliance State' as "Intune Compliance State",attributes->>'Intune Device Name' as "Intune Device Name",attributes->>'Intune Azure AD Device Id' as "Intune Azure AD Device Id" FROM tips_endpoints WHERE attributes->>'Intune ID' = split_part(regexp_replace('%{Certificate:Subject-AltName-URI}','^.*deviceid:',''),',',1)
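    The string handling in that query, modelled in Python as an added example (not code from this thread or from ClearPass). The SAN value, GUID and SID are constructed, the prefix table is hypothetical, and it is assumed that ClearPass joins several URI SAN entries with ", "; the example also shows why anchoring on the prefix is safer than splitting on commas once a tag:microsoft.com strong-mapping URI, which itself contains a comma, is present:

```python
import re

# Constructed sample of a Certificate:Subject-AltName-URI value with two URI SAN entries.
# Assumptions: ClearPass joins several URI entries with ", "; "deviceid:<guid>" is the form
# seen in this thread; "tag:microsoft.com,2022-09-14:sid:<SID>" is Microsoft's strong-mapping
# URI and contains a comma. The GUID and SID values are made up.
SAMPLE_SAN_URI = (
    "tag:microsoft.com,2022-09-14:sid:S-1-5-21-1111111111-2222222222-3333333333-1104, "
    "deviceid:1F2E3D4C-5B6A-7988-9A0B-C1D2E3F4A5B6"
)

GUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# Hypothetical prefix table: URI prefix in front of the GUID -> attribute name to return.
# Only "deviceid:" comes from the thread; add the prefix your own certificate profile emits.
PREFIXES = {"deviceid:": "IntuneDeviceId"}


def post2_style(san_uri: str) -> str:
    """Mirror of split_part(regexp_replace(san, '^.*deviceid:', ''), ',', 1) above.
    Greedy '^.*' drops everything up to the LAST 'deviceid:'; the comma split then cuts
    at the next entry. The GUID keeps whatever case the CA issued it with."""
    return re.sub(r"^.*deviceid:", "", san_uri).split(",")[0].strip()


def extract_ids(san_uri: str) -> dict:
    """Anchor each lookup on its prefix plus a GUID pattern instead of splitting on
    commas, so a comma inside another URI (the tag:microsoft.com entry) cannot shift
    the result. GUIDs are lowercased so they compare equal to the endpoint repository
    even when the issuing CA changes the case."""
    found = {}
    for prefix, name in PREFIXES.items():
        m = re.search(re.escape(prefix) + "(" + GUID_RE + ")", san_uri, re.IGNORECASE)
        if m:
            found[name] = m.group(1).lower()
    m = re.search(r"tag:microsoft\.com,2022-09-14:sid:(S-1-5-[0-9-]+)", san_uri)
    if m:
        found["StrongMappingSid"] = m.group(1)
    return found


def naive_comma_split(san_uri: str) -> list:
    """What a plain split on ',' does to the same value: the tag URI is torn in two."""
    return [p.strip() for p in san_uri.split(",")]


if __name__ == "__main__":
    print(post2_style(SAMPLE_SAN_URI))
    print(extract_ids(SAMPLE_SAN_URI))
    print(naive_comma_split(SAMPLE_SAN_URI))
```

    In the SQL itself the case problem is avoided by wrapping both sides of the comparison in LOWER(), since PostgreSQL string equality is case-sensitive.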





  • 3.  RE: ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted Apr 14, 2025 08:30 AM

    Yes, I've managed to get data from the "Authorization:[Endpoints Repository]:Intune XXX" properties for role mapping.

    But I want to interrogate Entra ID and Intune directly, not just use the synced properties. And I can't figure out how to use these properties in another authorization method.




  • 4.  RE: ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted Apr 14, 2025 03:31 AM

    Hi,

    We are using Entra ID and Intune for authenticating users and devices and don't need what you are trying to achieve. The SCEP certificate issued by Intune to users contains in the SAN field only the UserPrincipalName and AAD_Device_ID URIs. The CN field can be anything that MS or other apps require. During authorization ClearPass fetches user groups from Entra ID and we can use them with the Entra ID auth source's name:attribute format for role mapping. Also, even though there is no Intune Device ID in the cert SAN URI, it will correctly fetch information from Intune using the AAD_Device_ID and we can use those during authorization, but this time with the Intune auth source's name:attribute format.

    For device certificates we have added only the Intune DeviceID in the certificate SAN URI. 

    Note that you must have Intune Extension 6.3.5 as a minimum (we are now using 6.4).




  • 5.  RE: ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted Apr 14, 2025 08:32 AM

    I'm trying to authenticate a device, so no user and no UPN here.

    "During authorization ClearPass fetches user groups from EntraID and we can use them with the EntraID's auth source name:attribute format for role mapping. "

    I need more details. How? I can't get this to work with MAC address randomization enabled.

    "Also even though there is no Intune Device ID in the cert SAN URI, it will correctly fetch information from Intune using the AAD_Device_ID and we can use those during authorization but this time with the Intune auth source's name:attribute format."

    How is it doing this? Through the Endpoints Repository, it's using MAC address and not certificate fields. Unless you're doing something different.




  • 6.  RE: ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted Apr 14, 2025 09:37 AM

    We are not using the Intune-synced Endpoints Repository because the Intune extension does not sync Android phones from Intune.

    I have created an Intune realtime authentication source (the IP in base URL is the Intune extension's IP address).

    In filters I have added some useful Intune attributes:

    Here is the certificate profile we use for devices:

    Note however that the CN field is irrelevant for ClearPass authentication, you can set that to anything you want.

    Use Intune extension 6.3.5 or 6.4 and make sure the Azure application rights are correct! That is a crucial part! Here are our settings, but we use it for Entra ID too so you may need fewer rights. Pay attention to the Type! For most rights it should be the Application type!

    If you set all of these then just make sure that you add the authentication source as additional authorization source in your service config and you can use the "Authorization:Intune realtime:attribute name" in your role mapping or enforcement rules.

    Example role mapping:




  • 7.  RE: ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted Apr 25, 2025 10:54 AM

    How are you creating a service without an Authentication source? If I try to do that I get the following:

    And if I try to put in the Intune HTTP source I get the following:




  • 8.  RE: ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted Apr 28, 2025 03:13 AM

    Hi,

    I think the problem is that you are trying to use the built-in EAP-TLS authentication method. Create a new one and disable Authorization Required in it.

    This is what I use.

    In the service configuration you can later define authorization sources.




  • 9.  RE: ClearPass - accessing Certificate:Subject-AltName-URI subvalues

    Posted 21 days ago

    You will need to define at least one authentication source under the service. An Intune HTTP-based authentication source is an invalid option.

    Can you share your authentication source section from the service?