Enforce GlobalProtect Access Based on Microsoft Intune Compliance Status

Hello Palo Alto Community,
One of my customers previously used on-premises Active Directory and has now migrated to Microsoft Entra ID and Microsoft Intune.
All endpoints in the environment are Windows 11 computers.
They have a requirement to allow access to sensitive internal destinations through GlobalProtect only from Intune-compliant devices. Devices that are not compliant with Intune policies should be blocked from accessing these resources.
I would like to know whether this requirement can be achieved using HIP checks in GlobalProtect. Specifically, is there a way to validate Microsoft Intune device compliance status through HIP and use that information in security policies to allow or deny access?
Has anyone implemented a similar setup with GlobalProtect, Entra ID, and Intune compliance-based access control?
Any guidance, recommended approach, or reference documentation would be highly appreciated.
Thank you.


Cyber Elite

@S.Jayathunge241341,

What exactly are you checking for compliance on the Intune side of things? I would generally recommend maintaining the same within HIP checks if you're in a more legacy environment as you'll find it easier than trying to incorporate Intune Compliance via other means. If you want to analyze Intune compliance however, you would need to do so via conditional access policies on the Azure side of things through an SSO/SAML integration. 

Hi @BPry ,
The customer is currently validating HIP checks such as domain, disk encryption, anti-malware status, and device OS. After moving to Entra, domain info isn't available in HIP. Due to this, the customer has an additional requirement where the HIP profile should only match devices that are enrolled and managed through Microsoft Entra ID and Microsoft Intune.

If we rely only on standard HIP checks like disk encryption, anti-malware, and device OS (without a domain check), then personal devices that meet those conditions could also gain access to sensitive destinations. To avoid this, the customer wants the compliance status to be retrieved directly from Intune and passed to the firewall through HIP, so that access is granted only to Intune-compliant and Entra ID-managed devices.

Cyber Elite

@S.Jayathunge241341,

So this is perhaps a larger conversation, but you actually can check to see if a device is Entra registered via a custom HIP check. If you look under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\ you'll find the GUID of your tenant ID and validate that the value 'DisplayName' matches what you would expect on your tenant. This would replace what you traditionally had as the domain check.
You're not going to get Intune compliance information as a HIP check to the best of my knowledge. There's just nothing returned that would allow you to get that level of information and there's no registry entry for whether or not the device is compliant. That would need to be done via Conditional Access controls and authenticating for the sensitive resource. You would essentially need something capable of front-ending authentication to those resources to be able to get that information. 
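As an added example (not from the thread or from Palo Alto Networks), the following PowerShell reads the CloudDomainJoin\TenantInfo registry location named in the reply above, so an admin can confirm on a known-good Entra-joined endpoint exactly which subkey and `DisplayName` value a custom HIP registry check should look for. The expected tenant display name is a placeholder you must replace with your own.

```powershell
# Added example: verify the Entra join tenant registry data that a GlobalProtect
# custom HIP registry check would test. Run on a Windows 11 endpoint as an admin.
# Assumption: $ExpectedTenantDisplayName is a placeholder for your tenant's name.

$ExpectedTenantDisplayName = 'TENANT-DISPLAY-NAME-PLACEHOLDER'
$TenantInfoPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'

function Test-EntraJoinTenant {
    param(
        [Parameter(Mandatory)] [string] $ExpectedDisplayName,
        [string] $Path = $TenantInfoPath
    )

    # No TenantInfo key at all means the device is not Entra joined; a HIP
    # registry check on this path would fail, which is the desired outcome.
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ TenantId = $null; DisplayName = $null; Match = $false }
    }

    # Subkeys under TenantInfo are named after the tenant GUID (per the reply above).
    $guidRegex = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    $tenantKeys = Get-ChildItem -Path $Path | Where-Object { $_.PSChildName -match $guidRegex }

    foreach ($key in $tenantKeys) {
        $props = Get-ItemProperty -Path $key.PSPath -Name 'DisplayName' -ErrorAction SilentlyContinue
        $displayName = if ($props) { $props.DisplayName } else { $null }

        # Case-sensitive comparison: the HIP value check should be just as strict,
        # otherwise a look-alike tenant name would satisfy the rule.
        [pscustomobject]@{
            TenantId    = $key.PSChildName
            DisplayName = $displayName
            Match       = ($null -ne $displayName) -and ($displayName -ceq $ExpectedDisplayName)
        }
    }
}

# Usage: one row per tenant subkey. Use the TenantId and DisplayName that show
# Match = True as the registry key path and value in the custom HIP object.
Test-EntraJoinTenant -ExpectedDisplayName $ExpectedTenantDisplayName | Format-Table -AutoSize
```

If the table is empty or every row shows Match = False, the endpoint is not joined to the tenant you expect, and a HIP profile keyed on this registry value will correctly exclude it.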
