Secureframe integrates with Microsoft Intune and pulls in device and app information for Windows and Mac devices. Linux, Android, iOS, and iPadOS devices are not supported for compliance check evaluation at this time.
Connecting the integration
Navigate to the Integration
- Go to the Integrations page in Secureframe.
- Search for Microsoft Intune in the "Available Integrations" list. (If you have the Custom Integration feature, click on Add native connection).
- Click Connect.
Select Secureframe OAuth App or Your Own App Registration
How to connect
When setting up your integration, you’ll be prompted to choose between two connection methods:
Option 1: Secureframe OAuth App
Use this option for the fastest and most streamlined setup.
- Click Connect via Secureframe OAuth App
- Sign in with an admin account that has the necessary permissions (an account holding the Intune Administrator or Global Administrator role; see "Troubleshooting Connection Errors" and the FAQ below)
- Review and approve the requested permissions to complete the setup
Option 2: Your Own App Registration
Secureframe now supports an alternate workflow for connecting Microsoft Intune. This option is designed for organizations that prefer to limit Secureframe’s access more narrowly when establishing connections.
Use this option if your organization prefers greater control over permissions and access scopes, or if you use Privileged Identity Management (PIM) tools.
- Click Connect via your own App Registration
- Follow the guided steps in Secureframe to register your own app within your identity provider or cloud platform
- Enter the app credentials (Client ID, Secret, and Tenant/Directory ID, if applicable) to finalize the connection. Treat the client secret as a credential: grant the app registration only the permissions listed under the integration's "View Details" page, and rotate the secret before it expires.
Configuring Checks (Tests)
Understanding Compliance and Configuration Policies
In Microsoft Intune, it's essential to distinguish between compliance policies and configuration policies:
Compliance Policies: These policies assess whether a device meets your organization's defined security and operational standards without directly configuring the device. They monitor and report on the device's adherence to specified conditions.
Configuration Policies: These policies actively configure device settings to align with organizational requirements, such as enforcing password complexity or enabling encryption.
For effective monitoring and management within Secureframe, create an individual compliance policy for each specific check (for example, separate policies for antivirus status and firewall status). Secureframe reports the status of each policy as a distinct check, so a combined policy would hide which setting a device actually fails; one policy per check lets you track and remediate each requirement precisely.
To see how Intune itself evaluated a device, open the Intune admin center:
- Devices > All devices, then click the name of the device in question.
- On the device page, go to Monitor > Device compliance or Monitor > Device configuration; each lists every policy assigned to the device and its current status.
Important Note: The individual policies are required for us to display the configuration information accurately in Secureframe.
Compliance Policies
These policies check and evaluate whether a device meets your organization’s defined security and operational standards, but they do not directly configure the device. Instead, they monitor and report on whether the given conditions are met.
We ask that individual policies be created so that we can display compliance status within Secureframe more granularly.
Compliance Policies: Anti-malware Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “macOS” and click “Create”.
- Name your policy as “MacOS Native Antivirus Enabled” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- For “Gatekeeper”, set “Allow apps downloaded from these locations” to either “Mac App Store” or “Mac App Store and identified developers”. (The macOS compliance policy has no antivirus setting, so Gatekeeper stands in for the anti-malware check here; XProtect itself is built into macOS.)
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
- Name your policy as “Windows Native Antivirus Enabled” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Scroll down to “Antivirus” and set it to “Require”.
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Compliance Policies: Firewall Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “macOS” and click “Create”.
- Name your policy as “MacOS Local Firewall Enabled” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- For “Device Security”, set the “Firewall” to “Enable”.
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
- Name your policy as “Windows Local Firewall Enabled” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- For “Device Security”, set the “Firewall” to “Enable”.
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Compliance Policies: Password Enforcement Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “macOS” and click “Create”.
- Name your policy as “MacOS Password Enforcement Check” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Under “Password” set the following values:
- Require a password to unlock devices = Require
- Password type = Alphanumeric
- Minimum password length = 8 or greater
- Number of non-alphanumeric characters in password = 1 or greater
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
- Name your policy as “Windows Password Enforcement Check” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Under “Password” set the following values:
- Require a password to unlock devices = Require
- Password type = Alphanumeric
- Password complexity = Require digits and lowercase letters (or better)
- Minimum password length = 8 or greater
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Compliance Policies: Session Timeout Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “macOS” and click “Create”.
- Name your policy as “MacOS Session Timeout Check” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Under “Password” set the following values:
- Require a password to unlock devices = Require
- Maximum minutes of inactivity before password is required = 15 minutes (or less)
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Compliance”.
- Click “Create policy”
- In the “Platform” dropdown, select “Windows 10 and later” and click “Create”.
- Name your policy as “Windows Session Timeout Check” and provide an optional description, then click “Next”.
- Under “Compliance settings” expand “System Security”.
- Under “Password” set the following values:
- Require a password to unlock devices = Require
- Maximum minutes of inactivity before password is required = 15 minutes (or less)
- Click “Next”.
- Optionally determine your actions for non-compliance and click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Under “Review + create” review your settings and click “Create”.
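The same eight compliance policies, as an added example that is not part of this article or of Secureframe's product: each policy is expressed as the Microsoft Graph v1.0 payload behind the portal steps above, validated against the page's rules (minimum length 8 or greater, inactivity 15 minutes or less, one check per policy), and created and assigned to all devices through the deviceCompliancePolicies endpoint. The endpoint, property names and status values are Graph's own; the two portal-label-to-property mappings marked ASSUMPTION in the code, the description text and the policy names' grouping into check families are my choices. Python is used because the payloads are plain JSON and the calls run from any admin workstation.

```python
"""Added example (not Secureframe's or Microsoft's code): the one-check-per-policy
compliance set as Microsoft Graph v1.0 payloads, a validator for the page's rules,
and the create-and-assign calls. Mappings marked ASSUMPTION are my reading of
the portal labels, not documented equivalences."""
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"

MIN_PASSWORD_LENGTH = 8       # "8 or greater"
MAX_INACTIVITY_MINUTES = 15   # "15 minutes (or less)"

# Setting key -> check family; a policy should touch exactly one family.
_FAMILY = {
    "antivirusRequired": "antivirus", "gatekeeperAllowedAppSource": "antivirus",
    "activeFirewallRequired": "firewall", "firewallEnabled": "firewall",
    "passwordRequiredType": "password", "passwordMinimumCharacterSetCount": "password",
    "passwordMinimumLength": "password",
    "passwordMinutesOfInactivityBeforeLock": "session-timeout",
}


def _policy(odata_type, name, settings):
    """Wrap settings in the envelope Graph requires. A POST without a scheduled
    action is rejected; 'block' with a 0 h grace period marks a device
    non-compliant as soon as it fails the rule."""
    body = {
        "@odata.type": odata_type,
        "displayName": name,
        "description": "One check per policy so Secureframe can report it separately",
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block", "gracePeriodHours": 0,
                "notificationTemplateId": "", "notificationMessageCCList": [],
            }],
        }],
    }
    body.update(settings)
    return body


def windows_policies():
    t = "#microsoft.graph.windows10CompliancePolicy"
    return [
        _policy(t, "Windows Native Antivirus Enabled", {"antivirusRequired": True}),
        _policy(t, "Windows Local Firewall Enabled", {"activeFirewallRequired": True}),
        _policy(t, "Windows Password Enforcement Check", {
            "passwordRequired": True,
            "passwordRequiredType": "alphanumeric",
            # ASSUMPTION: portal "digits and lowercase letters" = two character sets.
            "passwordMinimumCharacterSetCount": 2,
            "passwordMinimumLength": MIN_PASSWORD_LENGTH,
        }),
        _policy(t, "Windows Session Timeout Check", {
            "passwordRequired": True,
            "passwordMinutesOfInactivityBeforeLock": MAX_INACTIVITY_MINUTES,
        }),
    ]


def macos_policies():
    t = "#microsoft.graph.macOSCompliancePolicy"
    return [
        # macOS compliance has no antivirus setting; Gatekeeper is the proxy.
        _policy(t, "MacOS Native Antivirus Enabled",
                {"gatekeeperAllowedAppSource": "macAppStoreAndIdentifiedDevelopers"}),
        _policy(t, "MacOS Local Firewall Enabled", {"firewallEnabled": True}),
        _policy(t, "MacOS Password Enforcement Check", {
            "passwordRequired": True,
            "passwordRequiredType": "alphanumeric",
            # ASSUMPTION: "non-alphanumeric characters = 1" -> passwordMinimumCharacterSetCount.
            "passwordMinimumCharacterSetCount": 1,
            "passwordMinimumLength": MIN_PASSWORD_LENGTH,
        }),
        _policy(t, "MacOS Session Timeout Check", {
            "passwordRequired": True,
            "passwordMinutesOfInactivityBeforeLock": MAX_INACTIVITY_MINUTES,
        }),
    ]


def validate(policy):
    """Return the problems with a payload against this page's rules (empty = OK)."""
    problems = []
    if policy.get("passwordMinimumLength", MIN_PASSWORD_LENGTH) < MIN_PASSWORD_LENGTH:
        problems.append("passwordMinimumLength below %d" % MIN_PASSWORD_LENGTH)
    if policy.get("passwordMinutesOfInactivityBeforeLock", 0) > MAX_INACTIVITY_MINUTES:
        problems.append("inactivity timeout above %d minutes" % MAX_INACTIVITY_MINUTES)
    if policy.get("gatekeeperAllowedAppSource") in ("anywhere", "notConfigured"):
        problems.append("Gatekeeper must restrict to App Store or identified developers")
    if not policy.get("scheduledActionsForRule"):
        problems.append("no scheduled action for non-compliance")
    families = {_FAMILY[k] for k in policy if k in _FAMILY}
    if len(families) != 1:
        problems.append("policy must cover exactly one check, found %s" % sorted(families))
    return problems


def create_and_assign(token, policy):
    """Create the policy and assign it to all devices (network call; the token
    needs the DeviceManagementConfiguration.ReadWrite.All Graph permission)."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    req = urllib.request.Request(GRAPH_POLICIES, data=json.dumps(policy).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        policy_id = json.load(resp)["id"]
    assign = {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}}]}
    req = urllib.request.Request(GRAPH_POLICIES + "/" + policy_id + "/assign",
                                 data=json.dumps(assign).encode(), headers=headers, method="POST")
    urllib.request.urlopen(req).close()
    return policy_id


if __name__ == "__main__":
    for p in windows_policies() + macos_policies():
        print(p["displayName"], validate(p) or "OK")
```

Run the script with no arguments to print the validation result for each payload; call create_and_assign(token, policy) with an access token issued to the app registration from Option 2 to actually create them. A policy created through the API appears in the portal exactly like one created by hand, so the Monitor > Device compliance views described above apply unchanged.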
Configuration Policies
These policies push specific settings / configurations down to devices. Using these kinds of policies will automatically deploy, configure, and enforce various rules set by your organization. Secureframe will use these policies to check to see whether a particular device has been configured in this way to determine if they are compliant.
We ask that individual policies be created so that we can display compliance status within Secureframe more granularly.
Configuration Policies: Anti-malware Check
MacOS
Intune does not offer an anti-malware configuration policy for macOS. For macOS to pass the anti-malware check, either rely on XProtect (Apple's built-in anti-malware, present on every supported macOS version) or create the macOS Compliance Policy described above.
Windows
Note: if you want to use a different non-Defender anti-virus, you will need to set up a Compliance Policy instead. Compliance Policies will support other anti-virus software that is also supported by Windows.
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “Windows 10 and later”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “Windows Native Antivirus Enabled” and provide an optional description, then click “Next”.
- In “Configuration settings”, scroll down to “Microsoft Defender Antivirus” and expand it. Set the following values:
- Real-time monitoring = Enable
- Behavior monitoring = Enable
- Scan all downloads = Enable
- Monitor file and program activity = Monitor all files
- Click “Next”
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Configuration Policies: Firewall Check
MacOS
Microsoft has deprecated the ability to check for firewall compliance using Configuration Policies. To do so you will need to create a Compliance Policy.
Windows
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “Windows 10 and later”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Endpoint protection” from the templates section and click “Create”.
- Name your policy as “Windows Local Firewall Enabled” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Windows Firewall” and scroll down to “Network settings”.
- Expand “Domain (workplace) network” and set the following value:
- Windows Firewall = Enable
- Expand “Private (discoverable) network” and set the following value:
- Windows Firewall = Enable
- Expand “Public (non-discoverable) network” and set the following values:
- Windows Firewall = Enable
- Windows Firewall rules from the local store = Allow
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Configuration Policies: Password Enforcement Check
MacOS:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “macOS”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “MacOS Password Enforcement Check” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Password” and set the following values:
- Password = Require
- Required password type = Alphanumeric
- Number of non-alphanumeric characters in password = 1 or greater
- Minimum password length = 8
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Windows
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “Windows 10 and later”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “Windows Password Enforcement Check” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Password” and set the following values:
- Password = Require
- Required password type = Alphanumeric
- Password complexity = Numbers and lowercase letters required
- Minimum password length = 8
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Configuration Policies: Session Timeout Check
MacOS
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “macOS”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “MacOS Session Timeout” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Password” and set the following values:
- Password = Require
- Maximum minutes of inactivity until screen locks = 10 minutes or less
- Click “Next”.
- In the “Assignments” tab under “Included groups”, click “Add all devices” and click “Next”.
- Skip the “Applicability Rules” and click “Create”.
Windows:
- Go to https://intune.microsoft.com
- Click “Devices” from the left sidebar menu.
- On the “Devices” page menu, scroll down the inner sidebar to the “Manage devices” section and click “Configuration”.
- Click “Create > New Policy”.
- In the “Platform” dropdown, select “Windows 10 and later”.
- Under the “Profile type” dropdown, select “Templates”.
- Select “Device restrictions” from the templates section and click “Create”.
- Name your policy as “Windows Session Timeout” and provide an optional description, then click “Next”.
- In “Configuration settings” expand “Password” and set the following values:
- Password = Require
- Maximum minutes of inactivity until screen locks = 15 minutes or less
- Click "Next"
- In the "Assignments" tab under "Included groups," click "Add all devices" and click "Next"
- Skip the Applicability Rules and click "Create"
Troubleshooting Connection Errors
If you see a "Not an Admin" error when reconnecting the Microsoft Intune integration, even though you are signing in with Microsoft Entra (Azure) credentials that hold the Intune Administrator or Global Administrator role, the cause is usually the Secureframe-side role of the user performing the reconnection rather than the Microsoft role.
To resolve:
- Ensure the user reconnecting the integration has the Super Admin role assigned within the Secureframe platform.
- The Microsoft role is still required (Intune Administrator or Global Administrator), but it must be paired with Super Admin access in Secureframe for the reconnection to succeed.
Once the Super Admin role has been granted, retry the reconnection.
Helpful resources
Additional considerations on endpoint security, including device scoping, can be found here.
Permissions, Fields Pulled, Controls, and Automated Tests
- Click the provided link or navigate to the “Integration” page.
- Select the “Available” tab.
- Search for the integration.
- Click “View Details”.
Frequently Asked Questions (FAQ)
We have two separate M365 tenants with Intune to separately manage our servers and workstation policies. Is it possible to connect both Intune environments to the integration at the same time?
- Yes, you can proceed with a separate connection.
Do you pull in iOS or Android device information?
- Yes, we can pull in mobile devices (iOS and Android), but not in all situations. This depends on how device profiles are configured in Intune.
- Please note that we currently do not support compliance checks for mobile devices.
Do you pull in data for non-corporate devices?
- Intune only reports UDIDs and installed apps for corporate-owned devices, so we cannot run checks on personally owned (non-corporate) devices.
How often is the data refreshed for Intune?
- Intune only allows scans and reports on device data once every 7 days, so the data in Secureframe refreshes on the same schedule.
What are the licensing requirements?
- Only users with an Intune license can enroll their corporate devices.
For the "Firewall enforcement for user endpoints (Microsoft Intune)" test, why are some of my users showing "local firewall is not enabled for device, when I know they are?
- Because we pull compliance information from compliance or configuration policies, our status may differ from what the Endpoint security section of Intune displays.
- To confirm, review the following in Intune:
- Devices > All devices, then click the name of the device in question.
- On the device page, go to Monitor > Device compliance or Monitor > Device configuration; each lists every policy assigned to the device and its current status. A device whose firewall policy shows anything other than compliant there will show the same result in Secureframe.
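For the two places on this page that send you to Monitor > Device compliance (the note under "Understanding Compliance and Configuration Policies" and this firewall FAQ entry), here is the same check done from the per-policy deviceStatuses report in Microsoft Graph, as an added example that is not Secureframe's code: it groups each device under each compliance policy as passing, failing or unevaluated, and lists the devices that have no passing result for a check. The sample report is constructed; the endpoint, the status values and the permission name are Graph's own, and the three bucket names are mine.

```python
"""Added example (not Secureframe's code): trace a Secureframe result such as
"local firewall is not enabled" to the status Intune recorded for that device
under the matching compliance policy. SAMPLE_REPORTS is constructed data."""
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"

# Graph complianceStatus values, grouped the way a reviewer cares about them.
PASSING = {"compliant", "remediated"}
FAILING = {"nonCompliant", "conflict", "error"}
UNEVALUATED = {"unknown", "notApplicable", "notAssigned"}   # no evidence either way

# Constructed sample: policy display name -> rows from GET .../{id}/deviceStatuses
# (trimmed to the fields used here).
SAMPLE_REPORTS = {
    "Windows Local Firewall Enabled": [
        {"deviceDisplayName": "LAPTOP-01", "userName": "ana@example.com", "status": "compliant"},
        {"deviceDisplayName": "LAPTOP-02", "userName": "bo@example.com", "status": "nonCompliant"},
        {"deviceDisplayName": "LAPTOP-03", "userName": "cy@example.com", "status": "notApplicable"},
        {"deviceDisplayName": "LAPTOP-04", "userName": "di@example.com", "status": "error"},
    ],
    "Windows Native Antivirus Enabled": [
        {"deviceDisplayName": "LAPTOP-01", "userName": "ana@example.com", "status": "compliant"},
        {"deviceDisplayName": "LAPTOP-02", "userName": "bo@example.com", "status": "compliant"},
        {"deviceDisplayName": "LAPTOP-04", "userName": "di@example.com", "status": "remediated"},
    ],
}


def bucket(status):
    """Map one complianceStatus value to passing / failing / unevaluated."""
    if status in PASSING:
        return "passing"
    if status in FAILING:
        return "failing"
    if status in UNEVALUATED:
        return "unevaluated"
    raise ValueError("unexpected complianceStatus: %r" % status)


def summarize(reports):
    """policy name -> {bucket -> sorted device names}; mirrors Monitor > Device compliance."""
    out = {}
    for name, rows in reports.items():
        groups = {"passing": [], "failing": [], "unevaluated": []}
        for row in rows:
            groups[bucket(row["status"])].append(row["deviceDisplayName"])
        out[name] = {k: sorted(v) for k, v in groups.items()}
    return out


def devices_needing_attention(reports):
    """device -> policies where Intune recorded a failure or never evaluated the device.
    Either outcome leaves no passing result for Secureframe to show for that check."""
    out = {}
    for name, rows in reports.items():
        for row in rows:
            if bucket(row["status"]) != "passing":
                out.setdefault(row["deviceDisplayName"], []).append(
                    "%s (%s)" % (name, row["status"]))
    return {d: sorted(v) for d, v in sorted(out.items())}


def _get(token, url):
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_reports(token):
    """Live equivalent of SAMPLE_REPORTS (network call; the token needs the
    DeviceManagementConfiguration.Read.All Graph permission). Follows
    @odata.nextLink so large tenants are not silently truncated."""
    reports = {}
    for pol in _get(token, GRAPH_POLICIES)["value"]:
        url = GRAPH_POLICIES + "/" + pol["id"] + "/deviceStatuses"
        rows = []
        while url:
            page = _get(token, url)
            rows.extend(page["value"])
            url = page.get("@odata.nextLink")
        reports[pol["displayName"]] = rows
    return reports


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORTS), indent=2))
    print(json.dumps(devices_needing_attention(SAMPLE_REPORTS), indent=2))
```

With the sample data, LAPTOP-02 fails the firewall policy outright, LAPTOP-04 has an evaluation error, and LAPTOP-03 was never evaluated against it; all three will show the firewall check as not passing even though only one of them has a firewall problem, which is the situation the FAQ answer describes.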
Does the Microsoft Intune integration require a Global Admin role to connect?
- While some documentation suggests Intune Administrator should suffice, we’ve seen that the integration often requires the Global Admin role to connect successfully. This is especially true during initial setup. If you experience connection failures with Intune Administrator, try temporarily elevating to Global Admin.
What happens if Global Admin access is temporary or limited (e.g., via Just-in-Time access)?
- If Global Admin access expires after a set time (such as a 1-hour JIT session), the integration may disconnect or become unstable. We recommend ensuring the connecting account retains the necessary privileges, or working with your IT team to refresh access regularly. If your organization uses PIM or JIT elevation, consider the "Your Own App Registration" connection option described above: the integration then authenticates as the app registration with the permissions you grant it, rather than depending on a user's temporarily elevated role.
Are there any plans to support Intune connection without Global Admin access?
- Yes. Secureframe supports connecting with your own App Registration (see "Option 2: Your Own App Registration" above), which lets you scope the granted permissions narrowly and reduces reliance on elevated admin roles.
Do you support compliance checks for Linux devices?
- No. The Microsoft Intune integration currently supports compliance check evaluation for Windows and macOS devices only. Linux devices enrolled in Intune will be pulled in, but individual compliance checks (encryption, firewall, antivirus, session timeout, etc.) will not pass. This is a known limitation and not a sync error. If your organization manages Linux devices, we recommend excluding them from compliance-gated tests in Secureframe until native Linux support is available.