Integrate MDM and UEM Servers with Cisco ISE


Connect Microsoft Intune to Cisco ISE as a mobile device management server


Overview

Learn how to connect Microsoft Intune to Cisco ISE as an MDM server.

Microsoft Intune retired support for Azure AD Graph Applications on June 30, 2023. You must migrate any integrations that use Azure AD Graph to Microsoft Graph. Cisco ISE typically uses the Azure AD Graph for integration with the endpoint management solution Microsoft Intune.

To configure Microsoft Intune as an MDM or UEM server, follow this workflow:

  1. Register account.

  2. Export Cisco ISE certificate.

  3. Upload Cisco ISE certificate to Microsoft Azure.

  4. Set API permissions and collect application details.

  5. Download and import Microsoft Intune certificates into Cisco ISE.

  6. Add Microsoft Intune as an external MDM server.

  7. Manage MDM server status in Microsoft Intune.


Register Account

Before you begin

You must upgrade to one of these Cisco ISE releases that support Microsoft Graph applications for successful integration with Microsoft Intune:

  • Cisco ISE release 3.1 patch 3 and later releases

  • Cisco ISE release 3.2 and later releases

For more information on the migration from Azure AD Graph to Microsoft Graph, refer to these resources:

After you update Cisco ISE to one of the supported versions, in each Microsoft Intune server integration in Cisco ISE, manually update the Auto Discovery URL.

Replace https://graph.windows.net<Directory (tenant) ID> with https://graph.microsoft.com.

Procedure

1. Log in to the Microsoft Azure portal, and navigate to Azure Active Directory.

2. Choose Manage > App registrations.

3. Click New registration.

4. In the Register an application page, enter a value in the Name field.

5. In the Supported Account Types area, click the Accounts in this organizational directory only radio button.

6. Click Register.

   The Overview window of the newly registered application is displayed. With this window open, log in to the Cisco ISE administration portal.


Export Cisco ISE certificate

Procedure

1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > System > Certificates.

2. From the list of certificates, check the check box next to the Default self-signed server certificate, or next to any other certificate you have configured for Admin usage, and click Export.

3. In the dialog box displayed, click the Export Certificate Only radio button, then click Export.

4. Click View to see the details of this certificate. Scroll down the displayed Certificate Hierarchy dialog box to the Fingerprints area and note the values.


Upload Cisco ISE certificate to Microsoft Azure

Procedure

1. In the Microsoft Azure Active Directory portal, click Certificates and Secrets in the left pane.

2. Click Upload certificate and upload the exported Cisco ISE certificate.

   If there is any change in the status of the Cisco ISE self-signed certificate, you must perform the Manage MDM server status in Microsoft Intune procedure in Cisco ISE.

3. After the certificate is uploaded, verify that the Thumbprint value matches the Fingerprint value in the Cisco ISE certificate.

4. Navigate to Manifest on the left pane.

   Confirm that the displayName value matches the common name in the Cisco ISE certificate.
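The thumbprint shown in Azure is a hash over the certificate's DER encoding, so the match in step 3 can be recomputed offline from the file exported from Cisco ISE instead of being eyeballed. The following Python is an added example and not part of the Cisco documentation: it decodes a PEM export, computes the SHA-1 and SHA-256 fingerprints, and compares them against a thumbprint pasted from the portal in any of the usual formats (colon-separated, spaced, upper or lower case). The embedded certificate body is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re
from typing import Dict, Optional

# Constructed stand-in for the exported Cisco ISE certificate (NOT a real
# X.509 certificate). A thumbprint is just a hash over the DER bytes, so any
# bytes exercise the same logic; Azure hashes the DER, not the PEM text.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprints(der: bytes) -> Dict[str, str]:
    """SHA-1 (what the Azure portal labels the thumbprint) and SHA-256, lowercase hex."""
    return {
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def normalize(value: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'ABCD..' and return plain lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def verify_upload(pem: str, azure_thumbprint: str) -> Optional[str]:
    """Return the algorithm whose fingerprint equals the Azure thumbprint, or None.

    None means the uploaded certificate is not the one exported from Cisco ISE
    (for example a stale export or the wrong file), and the upload should be redone.
    """
    wanted = normalize(azure_thumbprint)
    for algo, digest in fingerprints(pem_to_der(pem)).items():
        if digest == wanted:
            return algo
    return None
```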


Set API permissions and collect application details

Procedure

1. In the Microsoft Azure portal, click API permissions.

2. Click Add a permission and add these permissions:

   • Intune > get_device_compliance (Type: Application): Obtain device state and compliance information from Microsoft Intune.

   • Microsoft Graph > Application.Read.All (Type: Application): Read all applications.

3. Click Grant admin consent for > tenant name.

   Note the Application (client) ID and the Directory (tenant) ID from the Overview page of the application.

4. Click Endpoints in the Overview page. Note the value in the Oauth 2.0 token endpoint (V2) field.


Download and import Microsoft Intune certificates into Cisco ISE

Procedure

1. Download the Microsoft Intune certificates from DigiCert Root Certificates in the PEM certificate (chain) format.

   If you see the error "Connection Failed to the MDM server: There is a problem with the server Certificates or Cisco ISE trust store", Cisco ISE does not trust the Microsoft Intune certificates. To resolve this issue, capture network traffic on the Cisco ISE Primary Administration Node (PAN) to identify the certificates used by Microsoft. Download those certificates from the Microsoft PKI repository and import them into the Cisco ISE Trusted Certificates store. After you update the trust store, disable the MDM server status in Cisco ISE and then re-enable it to refresh the connection and restore trust.

   Tip

   To ensure a successful connection between Microsoft Intune and Cisco ISE, import the new root certificates. For more information, refer to Intune certificate updates: Action may be required for continued connectivity.

2. In the Cisco ISE administration portal, click the Menu icon and choose Administration > System > Certificates > Trusted Certificates.

3. For each downloaded certificate:

   1. Click Import.

   2. Click Choose File and choose the corresponding downloaded certificate from your system.

   3. In the Usage area, check the Trust for authentication within Cisco ISE and Trust for authentication of Cisco Services check boxes.

   4. Click Save.


Add Microsoft Intune as an external MDM server

Procedure

1. In the Cisco ISE administration portal, click the Menu icon and choose Administration > Network Resources > External MDM.

2. Click Add and enter a value in the Name field.

3. From the Authentication Type drop-down list, choose OAuth – Client Credentials.

4. Enter these details in the respective fields:

   • Auto Discovery URL: https://graph.microsoft.com.

     The URL https://graph.windows.net<Directory(tenant) ID> was used when Microsoft Intune supported Azure AD Graph Applications. However, Microsoft Intune retired support for Azure AD Graph Applications on 2023-06-30. Upgrade to a Cisco ISE release that supports Microsoft Graph for successful integration.

     These are the Cisco ISE releases that support Microsoft Graph applications:

     • Cisco ISE release 3.1 patch 3 and later releases

     • Cisco ISE release 3.2 and later releases

   • Client ID: Enter the Application (client) ID value from the Microsoft Intune application.

   • Token Issuing URL: Enter the Oauth 2.0 Token Endpoint (V2) value.

   • Token Audience: Enter https://api.manage.microsoft.com//.default if you use one of these releases of Cisco ISE:

     • Cisco ISE release 3.1 patch 8 and later releases

     • Cisco ISE release 3.2 patch 3 and later releases

     • Cisco ISE release 3.3 and later releases

     In the listed Cisco ISE releases, when you create a new integration, the new token audience value is filled in automatically when you choose OAuth – Client Credentials. If you upgrade to these releases with existing integrations, you must update the Token Audience field manually to continue receiving updates from the integrated servers.

     This is because Microsoft mandates that applications that use the Azure Active Directory Authentication Library (ADAL) for authentication and authorization must migrate to the Microsoft Authentication Library (MSAL). For more information, refer to Migrate applications to the Microsoft Authentication Library (MSAL).

     For other releases of Cisco ISE, enter https://api.manage.microsoft.com/.

5. Enter the required values for the Polling Interval and Time Interval For Compliance Device ReAuth Query fields.

6. Click Test Connection to ensure that Cisco ISE can connect to the Microsoft server.

7. When the connection test is successful, choose Enabled from the Status drop-down list and click Save.

   In the Cisco ISE administration portal, click the Menu icon and choose Administration > Network Resources > External MDM. The Microsoft Intune server that you added is displayed in the list of MDM servers.
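The release-dependent Token Audience and the retired Auto Discovery URL are the two fields most often left stale after an upgrade, and Test Connection is the only feedback the form gives. The following Python is an added example, not Cisco's code: it pre-checks the values an administrator intends to enter against the rules stated above. The `form` dictionary keys are my own names, the tenant ID is the Directory (tenant) ID noted earlier, and the check assumes the Token Issuing URL has the https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token form with a GUID tenant.

```python
import re
from typing import List, Tuple

# Values from the procedure above: retired discovery URL prefix, its Microsoft
# Graph replacement, and the two Token Audience strings.
RETIRED_DISCOVERY_PREFIX = "https://graph.windows.net"
GRAPH_DISCOVERY_URL = "https://graph.microsoft.com"
AUDIENCE_NEW = "https://api.manage.microsoft.com//.default"
AUDIENCE_OLD = "https://api.manage.microsoft.com/"
# Lowest patch on each 3.x train that needs AUDIENCE_NEW; 3.3 and later: any patch.
NEW_AUDIENCE_MIN_PATCH = {(3, 1): 8, (3, 2): 3}

# Assumed endpoint shape (v2 token endpoint with a GUID tenant segment).
TOKEN_ENDPOINT_RE = re.compile(
    r"^https://login\.microsoftonline\.com/(?P<tenant>[0-9a-f-]{36})/oauth2/v2\.0/token$"
)


def parse_release(text: str) -> Tuple[int, int, int]:
    """'3.2 patch 3' -> (3, 2, 3); '3.3' -> (3, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\s+patch\s+(\d+))?", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised Cisco ISE release: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def expected_audience(release: str) -> str:
    """Token Audience prescribed above for the given Cisco ISE release."""
    major, minor, patch = parse_release(release)
    if (major, minor) > (3, 2):
        return AUDIENCE_NEW
    minimum = NEW_AUDIENCE_MIN_PATCH.get((major, minor))
    return AUDIENCE_NEW if minimum is not None and patch >= minimum else AUDIENCE_OLD


def check_external_mdm(form: dict, release: str) -> List[str]:
    """Return findings for the planned External MDM entry; empty means it agrees with the rules."""
    findings = []
    url = form["auto_discovery_url"]
    if url.startswith(RETIRED_DISCOVERY_PREFIX):
        findings.append("Auto Discovery URL still points at the retired Azure AD Graph")
    elif url != GRAPH_DISCOVERY_URL:
        findings.append("Auto Discovery URL is not https://graph.microsoft.com")
    m = TOKEN_ENDPOINT_RE.match(form["token_issuing_url"])
    if not m:
        findings.append("Token Issuing URL is not an OAuth 2.0 (v2) token endpoint")
    elif m.group("tenant") != form["tenant_id"].lower():
        findings.append("Tenant in Token Issuing URL differs from the Directory (tenant) ID")
    if form["token_audience"] != expected_audience(release):
        findings.append(f"Token Audience for ISE {release} should be {expected_audience(release)}")
    return findings
```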


Manage MDM server status in Microsoft Intune

After uploading a new certificate to Microsoft Intune, first disable the MDM server status, then re-enable it.

Procedure

1. Click the Menu icon and choose Administration > Network Resources > External MDM.

2. Click Edit.

3. Click Test Connection to ensure that Cisco ISE can connect to the Microsoft server.

4. When the connection test succeeds, choose Disabled from the Status drop-down list and click Save.

5. Click Edit, then click Test Connection.

6. When the connection test succeeds, choose Enabled from the Status drop-down list and click Save.