Set up Chrome Enterprise Premium integration with Microsoft Intune

This document shows you how to set up Chrome Enterprise Premium integration with Microsoft Intune. Setting up this integration involves setting up Intune, setting up Endpoint Verification, setting up Azure workload identity, and enabling Microsoft Intune on your organizational units.

Before you begin

Connect to Intune

  1. Find your Microsoft 365 tenant ID.
  2. Register your application to obtain an application ID.
  3. From the Admin console Home page, go to Devices.

    Go to Devices
  4. In the navigation menu, click Mobile & endpoints > Settings > Third-party integrations > Security and MDM partners > Manage.
  5. Look for Microsoft Intune and click Open connection.
  6. In the Connect to Intune dialog, enter the tenant ID in the Azure directory tenant id field and application ID in the Azure application id field.

    manual sync
  7. Depending on whether you want to import only company-owned devices or import all devices, perform the appropriate action:
    • To import only company-owned devices, click the Import only company-owned devices toggle. In the Device properties to import section, select the properties that must be stored in Chrome Enterprise Premium.
    • To import all devices, in the Device properties to import section, select the properties that must be stored in Chrome Enterprise Premium.

      manual sync

    The mandatory device properties such as device identifier, last sync time, serial number, and wifi MAC address are collected by default.

    For more information about the device properties that Intune collects, see Intune device properties.

  8. Click Continue.
  9. Copy the Service account ID.
  10. Use the Service account ID to authorize Azure workload identity to collect data from the Intune devices:
    1. Configure your app to trust an external identity provider.

      Specify the following values in the corresponding fields:

      • Name: Any name for the federated credential.
      • Subject identifier: The Service account ID that you copied.
      • Issuer: https://accounts.google.com.
    2. Grant your app permissions:
      1. Search for DeviceManagementManagedDevices.Read.All and DeviceManagementApps.Read.All permissions and add these permissions to Microsoft Graph. When requesting the API permissions, select Application permissions.

        DeviceManagementManagedDevices.Read.All provides read access to all devices and their properties managed by Intune, and DeviceManagementApps.Read.All provides read access to the Intune audit logs for device deletion events.

      2. Grant admin consent to the permissions configured for your application.
  11. In the Connect to Intune dialog, click Connect.

The connection to Intune is set to open.

Enable Intune for your organizational unit

To collect device information by using Intune, enable Intune for your organizational unit by doing the following:

  1. From the Admin console Home page, go to Devices.

    Go to Devices
  2. In the navigation menu, click Mobile & endpoints > Settings > Third-party integrations > Security and MDM partners.
  3. From the Organizational units pane, select your organization unit.
  4. Select the checkbox for Microsoft Intune, and click Save.

    Microsoft Intune is now listed in the Security and MDM partners section. Depending on the size of your organization, it might take a few seconds to establish the connection between Endpoint Verification and Intune. After the connection is established, the devices might take a few minutes to an hour to report Intune data.


Verify Intune data on devices

  1. From the Admin console Home page, go to Devices.

    Go to Devices
  2. Click Endpoints.
  3. Select any device from your organizational unit for which Intune is enabled.

    Device page
  4. Verify that the Microsoft Intune data is listed in the Third-party services section.

    Device page2
  5. To see the complete details, expand the Third-party services section.

    The following image shows details of the data collected by Intune:

    Device page2

The compliance states reported by Intune are broadly categorized into the following compliance states:

Compliance states on the Google Admin console Compliance states reported by Intune
COMPLIANCE_STATE_UNSPECIFIED unknown, configManager
COMPLIANT compliant
NON_COMPLIANT noncompliant, conflict, error, inGracePeriod

What's next