06-26-2019 06:06 AM
Hi ISE experts
We have a customer integrating ISE with Intune. The MS supplied "Auto Discovery URL" was "graph.microsoft.com" but I checked around and the suggested URL was "graph.microsoft.net". So the customer tried that, and .net works instead of .com
Supplied https://graph.microsoft.com/xxxxxxxxxx
Working https://graph.windows.net/xxxxxxxxxx
Did anyone get it to work with ".com"
I have no visibility of what Intune is showing, but the ".com" was the MS general recommendation, but clearly didn't work. Is this an error, or is there some pointers in Intune to ".net" also?
This is happening more than once from what I can see. Is there an error in Intune, or is ISE not doing something right with .com?
thanks
Mark
06-29-2019 07:56 PM - edited 06-29-2019 08:00 PM
I just checked the URL you provided and it looked like already corrected.
Both Microsoft Intune as MDM server for Cisco ISE – Rohit Goel’s Blog and How to Integrate Microsoft Intune with ... - Cisco Community show a string value for "MICROSOFT AZURE AD GRAPH API ENDPOINT" from the MS Azure management portal.
ISE | Intune |
Auto Discovery URL | Endpoints > Microsoft Azure AD Graph API Endpoint |
Client ID | {Registered-App-Name} > Application ID |
Token Issuing URL | Endpoints > OAuth 2.0 Token Endpoint |
06-26-2019 02:45 PM
hey Jason
So, from the Intune setup (https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01001.html#id_37138)
step 8, configuring Auto Discovery URL, we get the URL from MS, but it was originally graph.windows.com. The connection to Intune from ISE failed with this configuration, and the log:
>>>>>>
2019-06-17 12:47:01,567 ERROR [admin-http-pool1][] cpm.mdm.auto.discovery.MdmServerAutoDiscoveryManager -::::- Unable to discover MDM server for IntuneMDM.
com.cisco.cpm.mdm.auto.discovery.MdmServerAutoDiscoveryException: Unrecognized field "error" (Class com.cisco.cpm.mdm.auto.discovery.MdmAzureDirectoryServiceErrorResponse), not marked as ignorable
at [Source: java.io.StringReader@abcdef; line: 2, column: 13] (through reference chain: com.cisco.cpm.mdm.auto.discovery.MdmAzureDirectoryServiceErrorResponse["error"])
<<<<<<<
however, I noted in other cases with the same error, specifically the error: Unrecognized field "error" that changing to .net resolved the issue.
I realise this is a URL controlled and published by MS, I just want to understand why ISE may not like the .com, and if there is somewhere else in Intune (as I don't have a login) where it shows a .net URL?
cheers
Mark
06-27-2019 03:02 PM
hi Nidhi
Not at the moment, I'll open one if it helps
cheers
Mark
06-28-2019 11:47 AM
I don't have an answer for you, but I can say I've had the windows.net autodiscovery URL configured for several years without issue on my deployment
06-30-2019 11:53 PM
The config guide also mentions .net.
You might want to verify the URL in the Intune setup as well. Engineering says there is no such limitation in the code.
Auto Discovery URL—Enter the value of Microsoft Azure AD Graph API Endpoint from the Microsoft Azure management portal. This URL is the endpoint at which an application can access directory data in your Microsoft Azure AD directory using the Graph API. The URL is of the form: https://<hostname>/<tenant id>, for example, https://graph.ppe.windows.net/47f09275-5bc0-4807-8aae-f35cb0341329. An expanded version of this URL is also in the property file, which is of the form: https://<Graph_API_Endpoint>/<TenantId_Or_Domain>/servicePrincipalsByAppId/<Microsoft Intune AppId>/serviceEndpoints?api-version=1.6&client-request-id=<Guid.NewGuid()>.
07-01-2019 06:21 PM
hi Nidhi
thanks again, the URL supplied by MS via the customer was: https://graph.microsoft.com/........
Our issue here is there are 3 URLs being thrown around.
1. graph.microsoft.com - supplied by customer from Intune. Didn't work
2. graph.ppe.windows.net - Cisco documentation. Didn't work
3. graph.microsoft.net - found in various TAC cases and not known where it really came from.....Works!
If there's no limitation, why would the first two, well documented, URLs not work?
thanks
Mark
07-01-2019 07:08 PM - edited 07-01-2019 07:23 PM
If there's no limitation, why would the first two, well documented, URLs not work?
Please see my earlier response.
The URL is what is set in the MS Azure management portal, and the customers need to copy it from the values I indicated there. The URL string given there is an example and will look different on each Azure account.
To be clear, Microsoft Intune as MDM server for Cisco ISE – Rohit Goel’s Blog says,
7. In ISE, configure the Intune server in ISE
For more information about configuring an external MDM server, see Define Mobile Device Management Servers in ISE. The fields that are important for Intune are described below:
- Auto Discovery URL - Enter the value of Microsoft Azure AD Graph API Endpoint from the Microsoft Azure management portal. This is the endpoint at which an application can access directory data in your Microsoft Azure AD directory using the Graph API. The URL is of the form: https://<hostname>/<tenant id>, for example, https://graph.ppe.windows.net/47f09275-5bc0-4807-8aae-f35cb0341329. An expanded version of this URL is also in the property file, which is of the form:
...
11-17-2020 06:51 PM
Unrecognized field "error" (Class com.cisco.cpm.mdm.auto.discovery.MdmAzureDirectoryServiceErrorResponse), not marked as ignorable at [Source: java.io.StringReader@4810b402; line: 2, column: 13] (through reference chain: com.cisco.cpm.mdm.auto.discovery.MdmAzureDirectoryServiceErrorResponse["error"])
I got this error despite having imported a lot of related CA certs. Any advice?
12-09-2020 03:14 PM
Have you got any resolution to this ? Cisco documentation is vague at best.
07-20-2021 10:45 AM
This is a cert issue. Add these into the Cisco ISE trust certificate store - 4 certs (2 root and 2 intermediate) need to be in there as well as the URL certificates for the following:
09-10-2021 02:37 AM
I've integrated Intune successfully recently, with the following settings:
Server Type: Mobile Device Manager
Authentication Type: OAuth – Client Credentials
Auto Discovery: Yes
Auto Discovery URL: https://graph.windows.net/{TenantID}
Client ID: {ClientID}
Token Issuing URL: https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token
Token Audience: https://api.manage.microsoft.com/
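Added example (not Cisco's, ISE's or any poster's code) tying the settings in the last post to the log line quoted earlier in the thread. It builds the expanded serviceEndpoints discovery request from the configured Auto Discovery URL in the form the admin guide gives, builds the client-credentials form for the v2.0 token endpoint, and parses discovery responses with a strict parser that, like the MdmAzureDirectoryServiceErrorResponse class named in the log, only models the Azure AD Graph "odata.error" envelope. Assumptions, none of which the thread confirms: the Intune application id is a placeholder; the v2.0 token endpoint expresses the Token Audience as a scope ending in /.default; the sample response bodies are constructed, and the mapping of a top-level "error" field to a Microsoft Graph style envelope (graph.microsoft.com) versus "odata.error" for Azure AD Graph (graph.windows.net) is taken from the documented formats of those two APIs, not from the customer's actual response.

```python
import json
import uuid
from urllib.parse import urlencode, urlsplit

# Added example, not ISE's own code. The Intune application id is a
# placeholder (assumption); the real value is in the ISE property file.
INTUNE_APP_ID = "00000000-0000-0000-0000-000000000000"


class DiscoveryError(Exception):
    """Raised when the discovery response is not a serviceEndpoints list."""


def build_discovery_url(auto_discovery_url, request_id=None):
    """Expand https://<hostname>/<tenant id> into the serviceEndpoints
    query, in the shape quoted from the ISE admin guide in this thread."""
    parts = urlsplit(auto_discovery_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Auto Discovery URL must be https://<hostname>/<tenant id>")
    tenant = parts.path.strip("/")
    if not tenant or "/" in tenant:
        raise ValueError("Auto Discovery URL path must be just the tenant id or domain")
    query = urlencode({"api-version": "1.6",
                       "client-request-id": request_id or str(uuid.uuid4())})
    return (f"https://{parts.netloc}/{tenant}/servicePrincipalsByAppId/"
            f"{INTUNE_APP_ID}/serviceEndpoints?{query}")


def build_token_request(client_id, client_secret, audience):
    """Form fields for the OAuth 2.0 client-credentials grant against a
    v2.0 token endpoint; the Token Audience becomes <audience>/.default
    (assumption: v2.0 endpoint, as in the last post's Token Issuing URL)."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": audience.rstrip("/") + "/.default",
    }


def classify_response(body):
    """Distinguish a serviceEndpoints list from the two error envelopes.
    A parser that only models odata.error sees the Microsoft Graph
    envelope as an unrecognized top-level "error" field (the log line)."""
    doc = json.loads(body)
    if "value" in doc:
        return "endpoints"
    if "odata.error" in doc:          # Azure AD Graph (graph.windows.net) envelope
        return "aad-graph-error"
    if "error" in doc:                # Microsoft Graph (graph.microsoft.com) envelope
        return "ms-graph-error"
    return "unknown"


def parse_discovery_response(body):
    """Return the serviceEndpoints list, or raise DiscoveryError saying
    which API actually answered."""
    kind = classify_response(body)
    doc = json.loads(body)
    if kind == "endpoints":
        return doc["value"]
    if kind == "aad-graph-error":
        err = doc["odata.error"]
        msg = err.get("message") or {}
        raise DiscoveryError(f"Azure AD Graph error {err.get('code')}: {msg.get('value')}")
    if kind == "ms-graph-error":
        err = doc["error"]
        raise DiscoveryError(
            f"Microsoft Graph error envelope ({err.get('code')}): this host answers "
            "as Microsoft Graph, not Azure AD Graph, so a strict odata.error parser "
            "reports Unrecognized field \"error\"")
    raise DiscoveryError(f"unrecognized top-level fields: {sorted(doc)}")


# Constructed sample bodies (not captured from a real tenant).
SAMPLE_ENDPOINTS = json.dumps({"value": [
    {"serviceName": "NACService", "serviceEndpointUri": "https://nac.example.test/"}]})
SAMPLE_AAD_GRAPH_ERROR = json.dumps({"odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {"lang": "en", "value": "Insufficient privileges"}}})
SAMPLE_MS_GRAPH_ERROR = json.dumps({"error": {
    "code": "BadRequest", "message": "Resource not found for the segment"}})


if __name__ == "__main__":
    print(build_discovery_url("https://graph.windows.net/{TenantID}", "demo"))
    print(build_token_request("{ClientID}", "<secret>", "https://api.manage.microsoft.com/"))
    for sample in (SAMPLE_ENDPOINTS, SAMPLE_AAD_GRAPH_ERROR, SAMPLE_MS_GRAPH_ERROR):
        try:
            print(parse_discovery_response(sample))
        except DiscoveryError as exc:
            print("discovery failed:", exc)
```

Run it as-is to see the three outcomes side by side; in a real check, replace the constructed bodies with the response captured from the expanded URL (for example with curl using the access token), and if the body arrives with a top-level "error" rather than "odata.error", the host you were given is not an Azure AD Graph endpoint, whatever the portal labelled it.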