Restrict device access with Microsoft Intune

Microsoft Intune collects a series of signals from the MDM profile installed on devices and these signals can be used to determine the security posture of a device. Tailscale can fetch these signals from Intune and use them as device posture attributes in access rules, which can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.

This can be achieved using Tailscale's device posture management features:

• Device Identity Collection, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in Intune.
• Intune posture integration, which synchronizes signals from Intune to device posture attributes in Tailscale.
• Posture conditions in access rules, which allows configuring access restrictions based on device attributes.

This document provides instructions on how to:

• Enable Device Identity collection for your tailnet.
• Configure Microsoft Intune posture integration.

What is Intune posture integration?

Intune posture integration lets you connect your Tailscale network to Intune. The integration runs periodically and copies signals from Intune to device posture attributes.

When configured, it will periodically:

• Fetch a list of devices recorded in your Intune account, and their details.
• Match Intune devices with corresponding devices in your tailnet, based on the serial number associated with a device.
• Write the data from each device into the following Tailscale device posture attributes:

Prerequisites

• Device Identity Collection is enabled, and devices on your tailnet are reporting identifiers
• An Azure Application credential to connect to Microsoft Intune

Create Azure Application credential to connect Intune

To connect to Microsoft Intune, a set of Azure Application credentials is required to connect to the Microsoft Graph API. To create a new application and credentials, follow these steps to create the necessary credentials:

1. In Azure Portal, in the Azure Services menu, select App registrations.

2. Select New registration.

3. Enter a name for the application, for example, Tailscale and select Register. Take note of the Application (Client) ID and Directory (Tenant) ID for later.

4. Under Essentials, select Add a certificate or secret.

5. Select New client secret.

6. Enter a description for the secret, select an expiration period, and select Add. Take note of the Value for later.

7. Under API permissions, select Add a permission.

8. Select Microsoft Graph.

9. Select Application permissions.

10. Search for and select DeviceManagementManagedDevices.Read.All and select Add permissions.

11. Select Grant admin consent for your-organization and select Yes.

Configure Intune posture integration

Configure Tailscale to fetch the attributes from Intune.

1. Open the Device management page of the Tailscale admin console.

2. Under the Device Posture Integrations section, select Connect next to the Microsoft Intune integration.

3. Select your Microsoft Region, the region where your Intune account is located.

4. Enter your Application (Client) ID, Directory (Tenant) ID and Client Secret.

   

5. Select the Connect to Intune button.

View the integration status

Check that the integration has run successfully.

In the Device Posture Integrations section of the Device management page of the Tailscale admin console, configured integrations and their status will show under Integrations. The time of the most recent sync will be displayed on this page. If an error occurs while synchronizing, it will display on this page.

Check node attributes

After you configure Intune posture integration, you can confirm that the new attributes are being written for your Tailscale nodes via the Machines page of the admin console.

1. Open the Machines page of the Tailscale admin console.
2. Select a machine you want to inspect.
3. The attributes for the machine are in the Machine Details section. This should include the set of intune: attributes listed previously.

You can also check node attributes via the Tailscale API.

Adjust Tailscale access rules

Once Intune posture integration is configured and your devices have device posture attributes that reflects their signals as reported by Intune, you can use that device posture attribute as part of your posture rules.

For example, to only allow access to tag:production from devices that Intune reports as compliant and are supervised by Intune, you can create a new posture and use it as part of a corresponding access rule:

"postures": {
  "posture:trusted": [
    "intune:complianceState == 'compliant'",
    "intune:isSupervised == true",
  ],
},
"acls": [
  {
    "action":     "accept",
    "src":        ["autogroup:member"],
    "srcPosture": ["posture:trusted"],
    "dst":        ["tag:production:*"],
  },
]

Schedule

For each configured integration, Tailscale will aim to sync device posture attributes every 15 minutes, with a few exceptions:

• Adding a new integration, or changing configuration of an existing one, will trigger an out-of-schedule sync.
• If an integration fails due to authentication error (usually caused by invalid credentials), it will be paused for up to 24 hours.

Limitations

We have observed that Intune does not report serial numbers for some machines running Linux. Without serial number details, Tailscale will not be able to populate device posture attributes for such machines.

Audit log events

The following audit log events are added for device posture.