Microsoft Intune Partner Compliance
  • 19 Jan 2026

Microsoft supports integration with third-party Mobile Device Management (MDM) solutions through its Partner Compliance Program. This integration allows Scalefusion MDM to report the compliance status of a device to Microsoft.

Using this device state in combination with Microsoft Entra Conditional Access, administrators can define access rules for Microsoft apps and cloud applications on Android, iOS, and macOS devices.

Device compliance is evaluated based on two aspects: the device’s management state and its compliance with the rules defined by the MDM.

Supported Platforms

  • Android

  • iOS

  • macOS

Pre-requisites

General

  1. Entra ID (formerly Azure AD) (P1 or P2) subscription plan with Conditional Access

  2. The account used to perform this action must be assigned the Global Administrator role.

  3. Microsoft Enterprise Mobility + Security (E3 or E5) for users to perform the WPJ device registration

Platform specific

Android & iOS

  1. Microsoft Authenticator app must be installed (either via Scalefusion Dashboard or manually).

macOS

1. Install Microsoft Company Portal

   The Microsoft Company Portal application must be installed on the device.

You can install it using either of the following methods:

  • Via Scalefusion Dashboard

  • Manual installation by the end user

2. Install the SSO Extension Payload

The following SSO extension payload must be installed on the device:

com.microsoft.CompanyPortalMac.ssoextension 

This payload must be created using Apple Configurations and deployed to the device.

Steps to Create the SSO Extension Payload in Scalefusion

Follow the steps below to configure and deploy the required payload:

  1. Navigate to:
    Device → Profile → Apple Configurations → Create Configuration

  2. Select:
    macOS → Single Sign-On Extension

  3. Configure the extension:

    • Extension Type : Redirect

    • Extension Identifier : com.microsoft.CompanyPortalMac.ssoextension

    • Team Identifier : UBF8T346G9

  4. Add the following URLs in the URLs section:

    https://login.microsoftonline.com 
    https://login.microsoft.com 
    https://sts.windows.net 
    https://login.partner.microsoftonline.cn 
    https://login.chinacloudapi.cn 
    https://login.microsoftonline.us 
    https://login-us.microsoftonline.com 

 5. Save the configuration.

 6. Publish the configuration to the required device profile.
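To confirm that a deployed profile carries exactly the settings listed above, the payload can be checked mechanically. The following is an added example, not Scalefusion or Microsoft code; it assumes the profile is available as an unsigned plist and that the payload uses Apple's `com.apple.extensiblesso` payload type with its `ExtensionIdentifier`, `TeamIdentifier`, `Type` and `URLs` keys. The sample profile is constructed inline.

```python
import plistlib

# Values from the configuration steps above.
EXT_ID = "com.microsoft.CompanyPortalMac.ssoextension"
TEAM_ID = "UBF8T346G9"
REQUIRED_URLS = {
    "https://login.microsoftonline.com", "https://login.microsoft.com",
    "https://sts.windows.net", "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn", "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
}

def check_sso_profile(profile_bytes):
    """Return a list of findings; an empty list means the payload matches."""
    profile = plistlib.loads(profile_bytes)
    sso = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not sso:
        return ["no com.apple.extensiblesso payload found"]
    payload, findings = sso[0], []
    for key, want in (("ExtensionIdentifier", EXT_ID),
                      ("TeamIdentifier", TEAM_ID), ("Type", "Redirect")):
        if payload.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {payload.get(key)!r}")
    # Normalise before comparing so a trailing slash is not reported as a gap.
    urls = {u.strip().rstrip("/").lower() for u in payload.get("URLs", [])}
    findings += [f"missing URL: {u}" for u in sorted(REQUIRED_URLS - urls)]
    findings += [f"URL not in documented list: {u}"
                 for u in sorted(urls - REQUIRED_URLS)]
    return findings

def sample_profile(urls, ext_type="Redirect"):
    """Constructed sample profile (not exported from a real tenant)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.constructed.sso",
        "PayloadContent": [{
            "PayloadType": "com.apple.extensiblesso",
            "ExtensionIdentifier": EXT_ID,
            "TeamIdentifier": TEAM_ID,
            "Type": ext_type,
            "URLs": sorted(urls),
        }],
    })

if __name__ == "__main__":
    bad = sample_profile(REQUIRED_URLS - {"https://sts.windows.net"}, "Credential")
    for finding in check_sso_profile(bad) or ["payload matches the documented settings"]:
        print(finding)
```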

Setup Integration on Scalefusion Dashboard

  1. Log in to the Scalefusion Dashboard, click Veltar from the left navigation pane, and select Essential Integrations.

  2. Click Configure New on the top-right corner of the page.

  3. The Choose Integration screen appears after you click Configure New.

  4. Select Microsoft Intune Partner Compliance. Click Configure to launch the configuration wizard.

Configuring the Compliance

Step 1: Configure Scalefusion as a Partner Compliance Partner in Microsoft Intune

This section explains how to register Scalefusion as a Partner Compliance Partner in Microsoft Intune so that device compliance data evaluated by Scalefusion can be consumed by Intune for Conditional Access and compliance decisions.

1.1 Sign in to the Microsoft Intune Admin Center

  1. Open a web browser and navigate to the Microsoft Intune admin center.

  2. Sign in using an account that has one of the following permissions:

    • Global Administrator

Without the required administrative role, the Partner Compliance Management option will not be visible.

1.2 Navigate to Tenant Administration → Connectors and Tokens

  1. From the left-hand navigation pane, select Tenant administration.

  2. Under Tenant administration, click Connectors and tokens.

This section contains all integrations between Intune and third-party services such as MDM partners, compliance partners, certificate authorities, and enrollment connectors.

1.3 Open Partner Compliance Management

  1. Within Connectors and tokens, locate and select Partner compliance management.

    The Partner compliance management page lists all third-party partners that can provide device compliance signals to Intune.

1.4 Add a New Compliance Partner

  1. On the Partner compliance management page, click + Add.

    This action initiates the workflow to register a new partner that will share compliance status with Intune.

1.5 Select Scalefusion and the Required Platforms

  1. In the Add compliance partner pane:

    • From the Compliance partner list, select Scalefusion.

  2. Under Platforms, select the operating systems for which Scalefusion will provide compliance data.

Only select platforms that are actively managed using Scalefusion to ensure accurate compliance reporting.

1.6 Assign Intune Groups (Intune-side Only)

  1. Included groups

    • Add all users: Applies Scalefusion compliance to all users in the tenant.

    • Add groups: Select specific Microsoft Entra ID (Azure AD) groups to limit the scope.

  2. Excluded groups (optional)

    • Add groups to explicitly exclude them from the compliance partner scope.

This group selection is configured only within Intune. Scalefusion does not select, manage, or modify these groups.

Only devices associated with users in the selected Intune groups will have their compliance evaluated using Scalefusion.

1.7 Add Scalefusion as a Compliance Partner

  1. Review the selected partner and platforms.

  2. Click Add to complete the configuration.

Once added:

  • Scalefusion appears in the Partner compliance management list.

  • Intune is now ready to receive compliance signals from Scalefusion for the selected platforms.

At this stage, Intune only establishes the partnership. Compliance data will not be shared until the Scalefusion-side configuration is completed and the relevant compliance policies are mapped.

Step 2: Authorize

After you select Microsoft Intune Partner Compliance and click Configure on the Scalefusion Dashboard, the configuration wizard opens.

Enter Configuration Name

  1. Enter a name in the Enter Configuration Name field to save the configuration.

  2. The name appears under Veltar → Essential Integrations for identification.

  3. Click Authorize. You are redirected to the Microsoft sign-in page.

  4. Complete the Microsoft sign-in to return to the Scalefusion dashboard and continue setup.

Note: The Microsoft account used for authorization must have sufficient permissions in the Intune tenant to complete the authorization process.

Once you have completed the Microsoft sign-in process, the Authorize button changes to Next.

Groups

Add the Microsoft Entra ID groups for which Scalefusion is configured as the Partner Compliance provider.

  1. Click Add Group Object ID.

  2. Enter the Group Name and Object ID of the required Microsoft Entra ID group.

    The Group Name and Object ID must exactly match what is shown in the Intune portal.

  3. The added groups are listed with their Group Name and Object ID.

    Only devices associated with the added groups are evaluated for compliance through Scalefusion.

  4. Click Next to continue to Device Configuration Settings.

Device Configuration Settings

Use this section to select the platforms for which Scalefusion compliance should be applied.

  • Select one or more platforms:

    • Android devices

    • iOS/iPadOS devices

    • macOS devices

  • Enable compliance only for the platforms you want Scalefusion to manage.

The selected platforms determine where Scalefusion acts as the compliance source during Intune evaluation.

Ensure the selected platforms match the platforms configured for Scalefusion in Microsoft Intune → Partner compliance management.

Compliance Settings

Use this section to define how device compliance is evaluated and the messages shown to users.

Configure Compliance Condition

Select the condition based on which a device is evaluated as Compliant or Non-Compliant:

  • Based on the managed state reported by Scalefusion
    Compliance is determined by whether the device is successfully enrolled in and actively managed by Scalefusion.

  • Based on the compliance status reported by Veltar Compliance
    Compliance is evaluated using the device compliance status calculated by Veltar based on the configured security and policy checks.

  • Based on the compliance status of Extended Access Policy
    Compliance is determined according to the rules defined in the Extended Access Policy configured within OneIdp.

Only one compliance condition can be selected.

Configure Enrollment Message

  • Enter the message displayed to users when a device is not enrolled.

Configure Compliance Message

  • Enter the message displayed to users when a device is marked as non-compliant.

After configuring the compliance condition and messages, click Save to complete the setup.

Configure Microsoft Conditional Access Policy for Device Compliance

Let us now see how to configure a Microsoft Entra (Azure AD) Conditional Access policy that allows access only from devices marked as compliant using Microsoft Intune and Scalefusion (Veltar Partner Compliance).

Step 1: Open Conditional Access

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to: Protection → Conditional Access

  3. Click + Create new policy.

Step 2: Name the Policy

  1. Enter a descriptive policy name, for example: Require compliant device (Scalefusion / Veltar)

Step 3: Select Users or Groups

  1. Click Users.

  2. Choose one of the following:

    • All users (choose this only if the policy should apply to all users in the portal), or

    • Select users and groups (recommended if only specific users or groups should have the compliance policy applied to them).

  3. Exclude at least one emergency or break-glass administrator account (optional).

The users or groups should be the ones that were already added when Scalefusion was added as a compliance partner in the Intune portal.

Step 4: Select Target Applications

  1. Click Target resources → Cloud apps.

  2. You will see the option to Include apps.

  3. Select one of the following:

    • All resources (formerly known as "Cloud apps"), or

    • Select specific applications (for example: Microsoft 365, VPN, internal apps).

  4. The entire process happens through the Scalefusion app, so ensure that it is added to the Exclude list.

Step 5: Configure Conditions

You may restrict the policy further using conditions.

  1. Click Conditions → Device platforms

  2. Select the platforms to which the Scalefusion compliance policy should apply (you can choose more than one).

  3. Click Done.

Step 6: Configure Access Controls (Require Compliance)

  1. Click Access controls → Grant

  2. Select Grant access

  3. Check Require device to be marked as compliant

  4. Click Select

This ensures access is only allowed when Intune receives a compliant status from Scalefusion.

Step 7: Enable the Policy

  1. Under Enable policy, keep the policy set to On.

  2. Click Create.

Once you have completed the above steps, return to the Scalefusion Dashboard and publish the Intune Compliance policy to the Device Group or User Group.
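The policy built in Steps 1 to 7 can be reviewed against this guide's requirements once it is exported as JSON. The following is an added example, not Scalefusion or Microsoft code; field names follow the Microsoft Graph conditionalAccessPolicy resource, the GUIDs are constructed placeholders, and it assumes the compliance partner scope in Intune is group-based.

```python
# Field names follow the Microsoft Graph conditionalAccessPolicy resource.
SUPPORTED_PLATFORMS = {"android", "iOS", "macOS"}  # platforms listed on this page

def lint_policy(policy, partner_groups, scalefusion_app_id, break_glass_ids):
    """Return findings for a policy dict; an empty list means no issues found."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    findings = []
    if "compliantDevice" not in grant.get("builtInControls", []):
        findings.append("grant does not require a compliant device")
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not enforced")
    platforms = set((cond.get("platforms") or {}).get("includePlatforms", []))
    for p in sorted(platforms - SUPPORTED_PLATFORMS):
        findings.append(f"platform {p!r} is outside the partner integration")
    if "All" in users.get("includeUsers", []):
        findings.append("policy targets all users; partner scope is group-based")
    for g in sorted(set(users.get("includeGroups", [])) - set(partner_groups)):
        findings.append(f"group {g} is not in the compliance partner scope")
    if scalefusion_app_id not in apps.get("excludeApplications", []):
        findings.append("Scalefusion app is not in the Exclude list")
    if not set(break_glass_ids) & set(users.get("excludeUsers", [])):
        findings.append("no break-glass account is excluded")
    return findings

# Constructed placeholder IDs; replace with values from your own tenant.
GROUP_A = "00000000-0000-0000-0000-00000000000a"
GROUP_B = "00000000-0000-0000-0000-00000000000b"
SF_APP = "00000000-0000-0000-0000-0000000000f0"
BREAK_GLASS = "00000000-0000-0000-0000-0000000000e0"

# Constructed sample policy with two deliberate mismatches (windows, GROUP_B).
SAMPLE_POLICY = {
    "displayName": "Require compliant device (Scalefusion / Veltar)",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [GROUP_A, GROUP_B], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"], "excludeApplications": [SF_APP]},
        "platforms": {"includePlatforms": ["android", "iOS", "windows"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY, {GROUP_A}, SF_APP, [BREAK_GLASS]):
        print(finding)
```

A device on a platform or in a group that Scalefusion does not report on never receives a compliant status, so these mismatches show up to users as blocked sign-ins.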

End-User Experience on the Device

This section explains how device compliance behaves across supported platforms and how the compliance state is reflected in Microsoft Intune and Microsoft Entra ID (Azure AD).

How to register an Android device

  1. Once the Intune Compliance configuration is published to an Android device, an icon for Intune sign-in appears on the kiosk screen.

  2. Tap the Intune sign-in icon. You are redirected to a Microsoft login page; complete the login using a user from the group that was used to set up the compliance policy.

  3. After you enter your credentials, you are prompted to register your device. This registers the device and creates an entry for it in the Intune portal.

How to register an iOS device

Unlike Android, iOS devices do not display a separate Intune registration icon on the kiosk/home screen. The registration and authentication flow happens from within the Scalefusion app using Microsoft sign-in.

  1. Open the Scalefusion app on your iOS device.

  2. You will see the following notification:

“Sign in to your Microsoft account to access the Microsoft applications assigned to you.”

  3. Inside the Scalefusion app, tap Sign in with your Microsoft account (with the Intune logo).

    • The Microsoft Authenticator process launches in the background.

    • The Microsoft sign-in page is displayed.

    • Enter your Microsoft account credentials.

  4. After successful sign-in, the Register device screen appears.

    Tap Register to continue.

  5. Once registration is completed:

    • The device is registered with Microsoft Intune.

    • The device is associated with the signed-in user account.

  6. You will receive this confirmation:

“Thank you for authenticating with your Microsoft account. You can now access the Microsoft applications assigned to you.”

Behavior in Microsoft Intune:

  • Device compliance status changes to Compliant.

  • Partner compliance source is shown as Scalefusion.

If the device becomes non-compliant:

  • Intune compliance status changes to Non-compliant.

  • Conditional Access blocks access to configured cloud applications.

When the device is compliant

  • User signs in to Microsoft apps (Outlook, Teams, OneDrive, browser apps, etc.).

  • Authentication completes successfully.

  • No additional prompts are shown.

  • Device access remains uninterrupted.

When the device is non-compliant

  • User attempts to sign in to a protected application.

  • Microsoft Entra blocks the authentication request.

  • User sees a message similar to:

    • "Your organization requires this device to be compliant."

    • or "Access blocked due to device compliance policy."

The behavior is similar across all the supported platforms.

  • User may be redirected to:

    • Scalefusion enrollment page (if not enrolled), or

    • Scalefusion compliance page (if enrolled but non-compliant)

How These Compliance Sources Affect Azure / Intune

Regardless of which option is selected:

  • Scalefusion sends the final compliance result to Microsoft Intune.

  • Intune displays the device status as Compliant or Non-compliant.

  • Microsoft Entra Conditional Access uses this status to allow or block access.

