hey Jason

So, from the Intune setup (https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01001.html#id_37138) 

step 8, configuring Auto Discovery URL, we get the URL from MS, but it was originally graph.windows.com. The connection to Intune from ISE failed with this configuration, and the log:

>>>>>>

2019-06-17 12:47:01,567 ERROR [admin-http-pool1][] cpm.mdm.auto.discovery.MdmServerAutoDiscoveryManager -::::- Unable to discover MDM server for IntuneMDM.
com.cisco.cpm.mdm.auto.discovery.MdmServerAutoDiscoveryException: Unrecognized field "error" (Class com.cisco.cpm.mdm.auto.discovery.MdmAzureDirectoryServiceErrorResponse), not marked as ignorable
at [Source: java.io.StringReader@abcdef; line: 2, column: 13] (through reference chain: com.cisco.cpm.mdm.auto.discovery.MdmAzureDirectoryServiceErrorResponse["error"])

<<<<<<<

however, I noted in other cases with the same error, specifically the error: Unrecognized field "error" that changing to .net resolved the issue.

I realise this is a URL controlled and published by MS, I just want to understand why ISE may not like the .com, and if there is somewhere else in Intune (as I don't have a login) it show's a .net URL?

cheers
Mark

hi Nidhi

Not at the moment, I'll open one if it helps

cheers
Mark

I don't have an answer for you, but I can say I've had the windows.net autodiscovery URL configured for several years without issue on my deployment

The config guide also mentions  .net  .

you might want to verify the url in intune setup as well . Engineering says there is no such limitation from the code

Auto Discovery URL—Enter the value of Microsoft Azure AD Graph API Endpoint from the Microsoft Azure management portal. This URL is the endpoint at which an application can access directory data in your Microsoft Azure AD directory using the Graph API. The URL is of the form: https://<hostname>/<tenant id>, for example, https://graph.ppe.windows.net/47f09275-5bc0-4807-8aae-f35cb0341329. An expanded version of this URL is also in the property file, which is of the form: https://<Graph_API_Endpoint>/<TenantId_Or_Domain>/servicePrincipalsByAppId/<Microsoft Intune AppId>/serviceEndpoints?api-version=1.6&client-request-id=<Guid.NewGuid()>.

hi Nidhi

thanks again, the URL supplied by MS via the customer was: https://graph.microsoft.com/........

Our issue here is there are 3 URLs being thrown around.

1. graph.microsoft.com - supplied by customer from Intune. Didn't work

2. graph.ppe.windows.net - Cisco documentation. Didn't work

3. graph.micrsoft.net - found in various TAC cases and not known where it really came from.....Works!

If there's no limitation, why would the first two, well documented, URLs not work?

thanks

Mark

---

If there's no limitation, why would the first two, well documented, URLs not work?

Please see my earlier response.

The URL is what set in the MS Azure management portal and the customers need copy from the values I indicated there. The URL string given there is an example and will look different on each Azure account.

To be clear, Microsoft Intune as MDM server for Cisco ISE – Rohit Goel’s Blog says,

---

7.  In ISE, configure the Intune server in ISE

For more information about configuring and external MDM server, see Define Mobile Device Management Servers in ISE. The fields that are important for Intune are described below:

• Auto Discovery URL - Enter the value of Microsoft Azure AD Graph API Endpoint from the Microsoft Azure management portal. This the endpoint at which an application can access directory data in your Microsoft Azure AD directory using the Graph API. The URL is of the form: https://<hostname>/<tenant id>, for example, https://graph.ppe.windows.net/47f09275-5bc0-4807-8aae-f35cb0341329. An expanded version of this URL is also in the property file, which is of the form:

...

Have you got any resolution to this ? Cisco documentation is vague at best.

This is a cert issue. Add these into the Cisoc ISE trust certificate store -  4 certs (2 root and 2 intermediate) need to be in there as well as the URL certificates for the following:

• DigiCert
• DigiCert Sha2 Secure Server CA
• DigiCert Global Root G2
• Microsoft Azure TLS issuing CA 06

• https://login.microsoftonline.com/<Tenat ID>/oauth2/v2.0/token
• https://fef.msuc05.manage.microsoft.com/
• https://graph.windows.net/

Try to add permissions also to Azure Active Directory Graph and not just to Microsoft Graph & Intune.

Azure Active Directory Graph:

=======================

Directory.Read.All- Delegated

Directory.Read.All- Application

User.Read.All- Delegated