ISE integration with MS Intune - Auto discovery URL

mapretty
Cisco Employee

Hi ISE experts

We have a customer integrating ISE with Intune. The MS-supplied "Auto Discovery URL" was "graph.microsoft.com", but I checked around and the suggested URL was "graph.microsoft.net". So the customer tried that, and .net works instead of .com.

Supplied    https://graph.microsoft.com/xxxxxxxxxx
Working     https://graph.windows.net/xxxxxxxxxx

Did anyone get it to work with ".com"?

I have no visibility of what Intune is showing, but the ".com" was the MS general recommendation and clearly didn't work. Is this an error, or are there some pointers in Intune to ".net" also?

This is happening more than once from what I can see. Is there an error in Intune, or is ISE not doing something right with .com?

thanks

Mark

20 Replies

Hi All,

I have also been able to get the Intune integration working using the graph.windows.net URL; however, I found a Cisco document saying that this URL will no longer work after June 2022:

Microsoft is deprecating Azure Active Directory (Azure AD) Graph and will not support Azure AD Graph-enabled integrations after June 30, 2022. You must migrate any integrations that use Azure AD Graph to Microsoft Graph. Cisco ISE typically uses the Azure AD Graph for integration with the endpoint management solution Microsoft Intune. Any integration between Cisco ISE and Microsoft Intune that still uses Azure AD Graph applications (https://graph.windows.net/ <Directory (tenant) ID>) will not work beyond June 30, 2022.

Source: https://www.cisco.com/c/en/us/td/docs/security/ise/UEM-MDM-Server-Integration/b_MDM_UEM_Servers_CiscoISE/chapter.html#task_gvy_vnj_tnb

Although my recent integration using this URL is 'working', ISE warns that the MDM is using an old API version (v2) instead of the new version 3 API. This means I cannot use GUID as a device identifier, only MAC address. You can see at the bottom where you would normally specify GUID; however, it is greyed out / unavailable... I have deleted and re-added it to no avail:

[Screenshot: Screen Shot 2022-03-28 at 4.18.01 pm.png]

I built this as a Lab PoC back in September 2021 on ISE 3.1 (unpatched) with a demo Azure tenancy, and I was able to use GUID (also using the old graph.windows.net endpoint BTW)...

Has anyone else run into this 'API v2' issue?

For anyone interested, here are the debug logs (ise-psc.log):

2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.authtoken.MdmAzureActiveDirectoryClient -::::- Access token has acquired  succesfully from Microsoft Azure.
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.api.MdmServerInfoApi -::::- inside the method : callMdmServerInfoApiOnMdmServer()
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- apiVersionSb : 3, mdmApiVersionSb : , tryWithV3 : false
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- MDM Rest API Server Query String -> /ciscoise/mdminfo/?ise_api_version=3 
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- MDM Rest API Server Query PATH String -> /ciscoise/mdminfo/?ise_api_version=3 
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- 1. Connecting to the MDM server host fef.msuc01.manage.microsoft.com using apiVersion 3
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDom: start  HTTP request - connectionsUsed: 2, connectionsAvailable: 198
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDomNonComp: start  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- ===mdmFlowInfo===null,=====serverType=====MobileDeviceManager,===serverAuthType===OAuth - Client Credentials
2022-03-28 17:51:22,235 INFO   [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- GET: MDM Server URL: https://fef.msuc01.manage.microsoft.com/StatelessNACService/ciscoise/mdminfo/?ise_api_version=3
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- Proxy Config in request  = [,null,-1,nullnullnull]
2022-03-28 17:51:22,904 INFO   [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- MDM Server Response Code: 200
2022-03-28 17:51:22,906 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDom: end  HTTP request - connectionsUsed: 2, connectionsAvailable: 198
2022-03-28 17:51:22,906 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDomNonComp: end  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
2022-03-28 17:51:22,906 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.api.MdmServerInfoApi -::::- returning from the method : callMdmServerInfoApiOnMdmServer() -> com.cisco.cpm.mdm.api.MdmServerInfoData Object {
  apiPath: /StatelessNacService/ciscodeviceinfo/mdm/api
  queryMaxSize: 100
  apiVersion: 2
  vendor: Microsoft
  productName: Microsoft Intune
  productVersion: 5.0
  COMMA: , 
  errorMsg: null
  errorOccurred: false
2022-03-28 17:51:22,906 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.util.MdmServersCache -::::- mdm Guid is null or empty
2022-03-28 17:51:25,377 INFO   [Timer-12][] cisco.mnt.common.utility.AlarmMessageDiskQueue -::::- Inside dequeue

Success_3.1.png

ISE 3.1, Patch 3
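An added example, not from the thread or from Cisco: a small parser for the MDM verification lines of an ise-psc.log like the one quoted above, which pulls out the API version ISE requested, the MdmServerInfoData block Intune returned, and reports the v3-requested / v2-returned mismatch that makes the GUID identifier unavailable. The log text is constructed from the quoted lines.

```python
import re

# Constructed ise-psc.log excerpt, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
2022-03-28 17:51:22,235 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- 1. Connecting to the MDM server host fef.msuc01.manage.microsoft.com using apiVersion 3
2022-03-28 17:51:22,904 INFO   [admin-http-pool15][] cisco.cpm.mdm.util.MdmRESTClient -::::- MDM Server Response Code: 200
2022-03-28 17:51:22,906 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.api.MdmServerInfoApi -::::- returning from the method : callMdmServerInfoApiOnMdmServer() -> com.cisco.cpm.mdm.api.MdmServerInfoData Object {
  apiPath: /StatelessNacService/ciscodeviceinfo/mdm/api
  apiVersion: 2
  productName: Microsoft Intune
  errorOccurred: false
2022-03-28 17:51:22,906 DEBUG  [admin-http-pool15][] cisco.cpm.mdm.util.MdmServersCache -::::- mdm Guid is null or empty
"""

REQUESTED_RE = re.compile(r"MDM server host (\S+) using apiVersion (\d+)")
FIELD_RE = re.compile(r"^\s+(\w+): (.*)$")  # indented "key: value" lines of the info block

def parse_mdm_verify(log_text):
    """Summarise the MDM server verification: host, requested API version, returned info block."""
    result = {"host": None, "requested": None, "info": {}}
    in_block = False
    for line in log_text.splitlines():
        m = REQUESTED_RE.search(line)
        if m:
            result["host"], result["requested"] = m.group(1), int(m.group(2))
            continue
        if "MdmServerInfoData Object {" in line:
            in_block = True  # following indented lines are the server's answer
            continue
        if in_block:
            m = FIELD_RE.match(line)
            if m:
                result["info"][m.group(1)] = m.group(2).strip()
            else:
                in_block = False  # a non-indented line ends the block
    return result

def api_version_findings(summary):
    """Explain the log: a v2 answer to a v3 request means no GUID device identifier, MAC only."""
    returned = int(summary["info"].get("apiVersion", 0))
    findings = []
    if summary["requested"] and returned and returned < summary["requested"]:
        findings.append(f"MDM server supports ISE API version {returned}, ISE asked for {summary['requested']}")
    if returned < 3:
        findings.append("GUID device identifier unavailable; only MAC address")
    return findings
```

Run `api_version_findings(parse_mdm_verify(SAMPLE_LOG))` to get the two findings for the log above; feed it a real ise-psc.log to check your own integration.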

najam.shah78
Level 1

This is how you call an API according to MS Doco. I don't see any Cisco documentation which says to include the version in there.

------------------------------------------------------------------------------------------------------------

Call a REST API method

To read from or write to a resource such as a user or an email message, you construct a request that looks like the following:

{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}

The components of a request include:

  • {HTTP method} - The HTTP method used on the request to Microsoft Graph.
  • {version} - The version of the Microsoft Graph API your application is using.
  • {resource} - The resource in Microsoft Graph that you're referencing.
  • {query-parameters} - Optional OData query options or REST method parameters that customize the response.

Version

Microsoft Graph currently supports two versions: v1.0 and beta.

  • v1.0 includes generally available APIs. Use the v1.0 version for all production apps.
  • beta includes APIs that are currently in preview. Because we might introduce breaking changes to our beta APIs, we recommend that you use the beta version only to test apps that are in development; do not use beta APIs in your production apps.

najam.shah78
Level 1

[Screenshot: Success_3.1.png]

Finally, got it working

Hi @najam.shah78 
Thanks for the post. Are you able to share the rest of the screen config? The issue we are having is the error:
"This MDM or UEM server supports Cisco ISE API Version 2"

See my screenshot for where this is appearing and the greyed out options to select the GUID device identifier. It's cut off on your screenshot.

I have the same config as yours and am curious if you have that same issue... also, are you on ISE 3.1 patch 3?

Thank you!