Entra mapping, user certs & Intune
In the Entra variant, an EntryPoint group is a mirror of a Microsoft Entra group: membership lives in Entra and is read on every authentication, so the network policy a user receives follows their directory membership rather than a local roster.
Group mapping
Section titled “Group mapping”Each EntryPoint group is mapped to one Microsoft Entra group, recorded on the group’s settings. On authentication, EntryPoint reads the user from the presented certificate and confirms that the user is a member of the mapped Entra group; a match returns the group’s Attribute Profile (a VLAN through tunnel attributes, or a Cisco security group tag). Because the check happens against Entra each time:
- Adding or removing a user from the Entra group changes their network access without any change on the EntryPoint side.
- Repointing a group at a different Entra group changes which directory population it serves.
- If the mapped Entra group is removed, the EntryPoint group no longer resolves any members.
User certificates
Section titled “User certificates”The certificate identifies the person — its subject names the user. Certificates are issued by the organization’s PKI and deployed to managed devices through Intune, Group Policy, or another MDM, as described in Certificates & PKI. EntryPoint validates the chain against the trusted CAs and checks revocation through the configured CRL before reading the identity from the certificate.
Device compliance with Intune
Section titled “Device compliance with Intune”Device compliance is an optional gate on top of group membership. When Device Compliance Check is enabled on the context, every EAP-TLS authentication triggers an Entra lookup after the certificate and group match succeed:
- Compliant → access proceeds and the group’s Attribute Profile is returned.
- Not compliant → access is rejected, even when the certificate and group membership would otherwise allow it.
Compliance state is drawn from Microsoft Intune, so the device must satisfy the organization’s Intune policy. The same gate is available to device-certificate groups.
How an authentication resolves
Section titled “How an authentication resolves”- The device presents its user certificate.
- EntryPoint validates the chain against the trusted CAs and checks revocation.
- The user is read from the certificate and matched against the mapped Entra group.
- If Device Compliance Check is enabled, Intune posture is confirmed through Entra.
- On success, the group’s Attribute Profile is returned and the network applies the policy.
Related sections
Section titled “Related sections”- EAP-TLS with Entra overview.
- Entra connection: the application registration and permissions behind the mapping.
- Authentication log: the per-attempt outcome and reason for each authentication.