Intune Device Posture–Based Access Control

1. Configure Entra Device Sync

Foxpass retrieves device posture signals from Entra ID (which surfaces compliance status evaluated by Microsoft Intune).

  • Authorize your Entra account for device sync (requires in-domain admin permissions).
  • Enable device sync in Azure/Entra sync settings.
  • Manually trigger sync via "Sync Azure Devices".
  • Device and compliance status sync automatically on a recurring basis.

Note: Foxpass periodically retrieves and caches device posture signals. Compliance is not evaluated live during authentication.

2. View Device Sync and Compliance Status

  • Synced devices can be viewed in the Devices page.
  • For each device, Foxpass displays posture state:
    • Compliant (green)
    • Non-compliant (red)
    • Unknown (N/A) (yellow) — compliance state unknown or not set
  • View device details: name, device ID, source (Entra), active status, last login, group memberships.

3. Configure Certificates for Device Identification

For posture-based access control to function correctly, Foxpass must be able to associate an authenticating certificate with an Entra device ID.

  • Device certificates (EAP-TLS):

    • Device ID is read from the certificate Common Name (CN).
    • Ensure the CN matches the Azure device ID.
  • User certificates (EAP-TLS):

    • Device ID is read from the SAN URI.

    • The URI must follow this format:
      IntuneDeviceId://{{AAD_Device_ID}}
      This format is typically configured in the Microsoft Intune SCEP profile (for Windows devices, see the Microsoft documentation).

      If using custom certificates, ensure the SAN URI extension includes the device ID in this format.

4. Enable Device Posture Enforcement

  • Device posture enforcement is optional and must be explicitly enabled.
  • To require compliant device posture during EAP-TLS authentication, enable “Require compliant device posture” for RADIUS clients, RADIUS servers, or RadSec clients.
  • When enabled, only devices marked Compliant receive normal network access according to standard RADIUS policy.

5. Configure Quarantine Mode (Optional)

  • Quarantine mode allows non-compliant or unknown devices to receive restricted network access instead of being denied.
  • To enable:
    • Enable “Require compliant device posture.”
    • Enable “Quarantine non-compliant or unknown devices.”
    • Configure quarantine RADIUS attributes to define restricted network access.
  • When quarantine mode is enabled, non-compliant and unknown devices are placed into the quarantine network.
  • When quarantine mode is disabled, non-compliant and unknown devices are denied access.

6. Authentication Flow (EAP-TLS)

  • When posture enforcement is enabled:
    1. Device authenticates via EAP-TLS.
    2. Foxpass maps the certificate to an Entra device ID.
    3. Foxpass references cached posture state.
    4. Foxpass applies the configured access outcome.
  • Access Outcomes
    • Compliant devices → normal RADIUS policy applied
    • Non-compliant devices
      • Quarantine disabled → access denied
      • Quarantine enabled → placed into quarantine network
    • Unknown / not evaluated devices
      • Treated as non-compliant for enforcement
      • Denied or quarantined based on configuration

Only devices that satisfy your Intune compliance policies receive normal network access when posture enforcement is enabled; others can be denied or isolated based on your chosen policy.
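The certificate-to-device-ID mapping (section 3) and the access decision (sections 4 to 6) modelled in Python, as an added example that is not Foxpass's own code. Certificate fields (CN and SAN URIs) are passed in already extracted so no X.509 library is needed; the posture cache, the device IDs and the quarantine RADIUS attribute are constructed placeholders.

```python
"""Model of the EAP-TLS posture decision: map cert -> Entra device ID -> cached state -> outcome."""
import re
from dataclasses import dataclass
from typing import Optional

# Entra/AAD device IDs are GUIDs; anything else cannot be mapped to a posture record.
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SAN_URI_PREFIX = "intunedeviceid://"  # matches the page's IntuneDeviceId://{{AAD_Device_ID}} format

# Constructed posture cache standing in for the state synced from Entra ID (not evaluated live).
POSTURE_CACHE = {
    "0d9c0a6c-1111-4d1a-9f2e-000000000001": "compliant",
    "0d9c0a6c-1111-4d1a-9f2e-000000000002": "noncompliant",
    "0d9c0a6c-1111-4d1a-9f2e-000000000003": "unknown",
}

def device_id_from_cert(cn: str, san_uris: list, cert_kind: str) -> Optional[str]:
    """Device certs: ID is the CN. User certs: ID comes from the IntuneDeviceId:// SAN URI."""
    if cert_kind == "device":
        candidate = cn.strip()
    else:
        candidate = next((u[len(SAN_URI_PREFIX):] for u in san_uris
                          if u.lower().startswith(SAN_URI_PREFIX)), "")
    return candidate.lower() if GUID_RE.match(candidate) else None

@dataclass
class Policy:
    require_compliant: bool = False      # "Require compliant device posture"
    quarantine: bool = False             # "Quarantine non-compliant or unknown devices"
    quarantine_attrs: Optional[dict] = None  # hypothetical RADIUS attributes for the restricted network

def decide(cn: str, san_uris: list, cert_kind: str, policy: Policy, cache=POSTURE_CACHE) -> dict:
    """Return {'outcome': 'accept'|'quarantine'|'reject', 'attrs': RADIUS attributes to send}."""
    if not policy.require_compliant:
        return {"outcome": "accept", "attrs": {}}   # enforcement is opt-in; normal policy applies
    dev = device_id_from_cert(cn, san_uris, cert_kind)
    # An unmappable cert or a device without a cached record is treated as non-compliant.
    state = cache.get(dev, "unknown") if dev else "unknown"
    if state == "compliant":
        return {"outcome": "accept", "attrs": {}}
    if policy.quarantine:
        return {"outcome": "quarantine", "attrs": dict(policy.quarantine_attrs or {})}
    return {"outcome": "reject", "attrs": {}}
```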


Key Terminology Clarifications

  • Intune evaluates compliance.
  • Entra ID surfaces device state.
  • Foxpass makes the network access decision.
  • Posture signals are cached, not evaluated live during authentication.
  • This feature is not Microsoft Entra Conditional Access.