Intune Windows

Enable network authentication with Entra ID only joined devices & Intune

by Niklas Tinner 3 min read

Introduction

This post is a brief summary of establishing network connection (wired or wireless network) on Intune managed devices, from my experience.

Challenges

-Azure AD only joined devices are not present in Active Directory and therefore certificates can not be issued by the PKI, resulting that clients can not authenticate with a certificate.

-Your network is one layer of your security perimeter and should be protected.

-Additionally, the configuration must be accomplished with Intune.

Solutions for network authentication

  • Open (no authentication)
  • Pre-shared key (password)
  • Certificate authentication <- this posts focus
  • User authentication with username + password
User authentication by providing credentials with SSO will not work if you have Credential Guard activated. It is recommended to move from MSCHAPv2-based connections to certificate-based authentication.

Background: Kerberos unconstrained delegation cloud allow attackers to extract Kerberos keys from the isolated LSA process. NTLMv1 classic authentication is attackable. Learn more from the Microsoft docs

Certificate-based authentication

My recommendation is to achieve authentication to your corporate network through certificates, because it is the most secure way. Even though you need some technical prerequisites in place:

  • Certificate deployment to clients - PKCS or NDES Intune
💡
My recommendation is to implement PKCS, read the blog post:
Intune certificate deployment overview
Introduction Authentication with certificates is considered as very secure and seamless for the user. Simply put, a Certificate Authority (CA) serves as the custodian of trust. To establish their identity as trustworthy, devices and users can request a signed certificate from our CA, which they can then present to other
OceanleafNiklas Tinner
  • Network profile configuration deployed from Intune
  • Trusted Root certificate deployed to your clients (from the CA and authentication service server certificate)
  • Configuration from your network devices / RADIUS setup

Network authentication

Another challenge is the configuration from the network side. Your clients typically talk EAP (TLS) with the end network device which could be an access point or switch and these then forward the request to a central component, that can handle RadSec or RADIUS protocols in order to validate the authentication request.
There are multiple validation techniques available, depending on the product and vendor. But to verify the request, the network component can do one or more of these checks:

  • Verify the client certificate if it was issued by a trusted certification authority
  • Check the Subject (Alternative) Name -> here it is important to configure these right in the Intune profile (correct attribute such as DNS)
  • Confirm if an Azure AD device object exists (requires integration, usually Enterprise Application to view devices)
  • Check the compliance state of the device (also requires an integration to Azure AD)

Intune profiles

You need the following profile types:

  • Trusted Root and Intermediate certificates (trust chain must be complete)
  • PKCS or SCEP for certificate deployment
  • Wi-Fi or wired network

See some samples:

Endpoint Management with Microsoft Intune
Welcome to this coast! Learn everything on Endpoint Management with Microsoft Intune to deploy, manage, secure and monitor endpoints from all platforms through the cloud. Introduction, experience and thoughts Introduction to the Microsoft Intune product familyIntroduction This post is recommended for any reader who is new to Intune or would
OceanleafNiklas Tinner
Read more posts by this author

Niklas Tinner

The link has been copied!
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.