Entra conditional access guide (#32388)

- @noahtalerman: Seems like our latest understanding is that configuring
Fleet in Intune happens _before_ connecting Fleet to Entra
Noah Talerman 2025-08-28 09:53:02 -07:00 committed by GitHub
parent ac7972311b
commit 4befbba103
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -6,27 +6,29 @@ When a device fails a Fleet policy, Fleet can mark it as non-compliant in Entra.
[Microsoft](https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-partners) requires that this feature is only supported if you're using Fleet's managed cloud.
- [Step 1: Configure Fleet in Intune](#step-1-configure-fleet-in-intune)
- [Step 2: Create a "Fleet conditional access" group in Entra](#step-2-create-a-fleet-conditional-access-group-in-entra)
- [Step 1: Create a "Fleet conditional access" group in Entra](#step-1-create-a-fleet-conditional-access-group-in-entra)
- [Step 2: Configure Fleet in Intune](#step-2-configure-fleet-in-intune)
- [Step 3: Connect Fleet to Entra](#step-3-connect-fleet-to-entra)
- [Step 4: Deploy Company Portal and the Platform SSO configuration profile](#step-4-deploy-company-portal-and-the-platform-sso-configuration-profile)
- [Step 5: Add Fleet policies](#step-5-add-fleet-policies)
- [Step 6: Add Entra policies](#step-6-add-entra-policies)
## Step 1: Configure Fleet in Intune
## Step 1: Create a "Fleet conditional access" group in Entra
The steps to configure Fleet as "Compliance partner" for macOS devices can be found here: https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-partners. The steps are executed in the Intune portal (https://intune.microsoft.com).
To enforce conditional access, end users must be a member of a group called "Fleet conditional access" in Entra. First create this group in Entra and then assign users to it.
## Step 2: Configure Fleet in Intune
Login to [Intune](https://intune.microsoft.com), and follow [this Microsoft guide](https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-partners#add-a-compliance-partner-to-intune) to add Fleet as compliance partner in Intune.
For **Platform**, select **macOS**.
For **Assignments** add the "Fleet conditional access" group you created to **Included groups**. Don't select **Add all users** or pick a different group. Fleet requires the "Fleet conditional access" group.
After this is done, the "Fleet partner" will be shown with a "Pending activation" status.
![Conditional access pending activation](../website/assets/images/articles/compliance-partner-pending-activation-885x413@2x.png)
## Step 2: Create a "Fleet conditional access" group in Entra
To enforce conditional access, end users must be a member of a group called "Fleet conditional access" in Entra. First create this group in Entra and then assign users to it.
Fleet requires that this group is called "Fleet conditional access".
## Step 3: Connect Fleet to Entra
Now we need to connect and provision Fleet to operate on your Entra ID tenant (activate partner).
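Review bot: the rewritten Step 1 ("To enforce conditional access, end users must be a member of a group called "Fleet conditional access" in Entra. First create this group in Entra and then assign users to it.") drops the standalone requirement sentence the old Step 2 carried ("Fleet requires that this group is called "Fleet conditional access"."), so the exact-name requirement now only survives inside the Assignments bullet of the new Step 2. Suggest keeping that sentence in Step 1 so a reader who creates the group before reading the Intune step does not pick a different name. The rest of the reorder is consistent: the new Step 2 assigns the same group to the compliance partner, and the "Pending activation" status line correctly sets up Step 3 (activating the partner), which matches the commit message's point that Intune configuration precedes connecting Fleet to Entra.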
@ -157,21 +159,20 @@ Upload the following configuration profile:
## Step 5: Add Fleet policies
The final step is to add policies in Fleet that will determine whether a device is marked as "compliant" or "not compliant" on Entra.
Next, add policies in Fleet that will determine whether a device is marked as "compliant" or "not compliant" in Entra.
Head to **Policies > Select team > Automations > Conditional access**.
1. Make sure the feature is enabled for the team.
2. Check the policies you want for Conditional access.
2. Select the policies you want enforce conditional access with.
## Step 6: Add Entra policies
After you add policies in Fleet, you also need to add Entra ID "Conditional Access" policies to block end-users access to specific resources when Fleet reports non-compliance.
[Building a Conditional Access policy](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies) outlines the steps to create such policies on Entra ID.
After you add policies in Fleet, you also need to add an Entra "Conditional Access" policy to block end-users access to specific resources when Fleet reports non-compliance. Follow [this Microsoft guide](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies) to create the policy.
For instance, you can create a policy to "block access to Office 365 on macOS devices reported as non-compliant by Fleet":
As an example, you can create a policy to "block access to Office 365 on macOS devices reported as non-compliant by Fleet":
![Entra ID Conditional Access policy example](../website/assets/images/articles/entra-conditional-access-policy-554x506@2x.png)
Make sure to assign Entra users/groups to the created "Conditional Access" policies.
Make sure to assign the "Fleet conditional access" group to the Entra policy.
### Disabling "Conditional Access" on a team
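Review bot: the rewritten step 2 under "Add Fleet policies" is missing a word: "Select the policies you want enforce conditional access with." should read "Select the policies you want to enforce conditional access with." In the same hunk, "block end-users access to specific resources" should be "block end users' access to specific resources". The reworded assignment line ("Make sure to assign the "Fleet conditional access" group to the Entra policy.") is the right change, since it keeps the Entra policy scoped to the same group that Step 2 assigns to the compliance partner rather than arbitrary users/groups; consider also stating that the policy's device platform condition should be macOS, matching the Step 2 Platform selection and the "macOS devices reported as non-compliant by Fleet" example.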