Configure Intune Device Compliance Integration

Written by Josh Franzen

Who can use this feature?

👤 Organization Owners and custom roles with the "Configure Intune Integration" permission.
🚩 Only available on the Enterprise Plan.

Overview

ArborXR is a Microsoft Intune Device Compliance Partner. When you connect your Entra ID tenant, ArborXR becomes an authoritative source of compliance data for your XR devices, the same way a traditional MDM reports compliance for phones and laptops. Intune then uses that compliance state in the Conditional Access policies you already maintain in Entra ID, so signed-in users on non-compliant devices can be blocked from accessing corporate resources such as Microsoft 365, internal web apps, or VPN endpoints from within an XR session.

At a high level:

  1. An admin in your organization connects ArborXR to your Entra ID tenant.

  2. ArborXR creates an Intune compliance policy and you assign it to one or more Entra ID user groups.

  3. For devices where you turn on Intune compliance enforcement, ArborXR automatically installs Microsoft Company Portal on the headset, and the end user signs in to Entra ID on the device.

  4. ArborXR continuously reports each device's compliance state to Intune. Intune uses that state alongside your existing Conditional Access rules.

💡 You do not need to create a new app registration in Azure. Admin consent is granted directly to ArborXR's published compliance partner application during setup.


Prerequisites

You will need:

  • An active Microsoft Entra ID tenant.

  • A Microsoft account with Global Administrator rights in that tenant (required to grant admin consent on first connect).

  • Intune licenses assigned to the Entra ID accounts that will sign in to your managed devices (see the section below for guidance on choosing between dedicated and individual accounts).

  • At least one Entra ID security group containing those users. You will assign the ArborXR compliance policy to this group (or groups) during setup.

  • An ArborXR Organization Owner account in the organization you're connecting.

⚠️ Each Entra ID tenant can be connected to only one ArborXR organization at a time. If your tenant is already connected to a different ArborXR organization, disconnect it there first before starting here.


Recommendation: Dedicated Entra ID Accounts

XR devices are typically company-owned and shared across multiple users. Because Microsoft's compliance partner protocol associates each device with one Entra ID user at a time, signing in with personal accounts on shared headsets creates unnecessary friction and ties device compliance to specific employees who may change roles or leave the organization.

We recommend using dedicated, non-personal Entra ID accounts to authenticate your headsets — for example, xr-headsets@yourcompany.com. Depending on your operational model, you might use a single account across your whole fleet, one account per site or group, or one account per device. Use the dedicated account to perform the initial sign-in during provisioning. Compliance state then persists on the device regardless of who is physically using it.

Why this approach works well for XR

  • Simpler end-user experience. After a one-time sign-in during provisioning (performed by an admin or by the first end-user), users put on the headset and start working without signing in for each session.

  • Stable compliance state. Devices remain reliably reported to Intune even as employees join and leave your organization.

  • Lower licensing footprint. Only the dedicated accounts you create need Intune licenses, rather than every operator who uses a headset.

Licensing requirement

Each dedicated account still needs an Intune license assigned, as noted in the Prerequisites above. The number of Intune licenses you need scales with the number of distinct Entra accounts that sign in to ArborXR-managed devices — not the number of headsets or end-users.

Setup checklist

  1. Decide how many dedicated accounts you'll use (a single fleet-wide account, one per site or group, or one per device) based on the trade-offs described below.

  2. Create the dedicated Entra ID user account(s) — for example, a service or kiosk account named xr-headsets@yourcompany.com.

  3. Assign an Intune license to each account.

  4. Add the account(s) to the Entra ID security group you'll target with your ArborXR compliance policy.

  5. During device provisioning, sign in once through the Microsoft Company Portal using the appropriate dedicated account for that device.

Plan for occasional re-authentication

After the initial sign-in, ArborXR silently renews the authentication token in the background. Silent renewal can fail in several scenarios — for example, after a password change, an extended offline period, or when a Conditional Access policy requires periodic interactive MFA. When silent renewal fails, the Microsoft Company Portal will prompt for an interactive sign-in on every affected device.

If a dedicated account is subject to Conditional Access, we recommend excluding it from policies that require interactive MFA, or using device-bound or certificate-based authentication methods that don't require user interaction. Otherwise, every device authenticated by that account will drop back to needing a manual sign-in on each MFA cycle.

Make sure dedicated account credentials are accessible to whoever provisions or services your devices.

If you're using a single Entra account across multiple devices

When the same Entra account authenticates multiple devices, any change to that account affects all associated devices simultaneously. To avoid unexpected widespread compliance failures:

  • Disabling the account will send every associated device to non-compliant. Coordinate any account changes with your XR operations team.

  • Password rotations invalidate active tokens and require re-authentication across all associated devices. Treat rotations as planned maintenance events rather than routine security hygiene.

  • License lapse or removal breaks compliance reporting for every associated device. Confirm the dedicated account's Intune license is on a renewal cadence that matches your other infrastructure accounts.

We recommend monitoring Entra ID sign-in logs for the dedicated account to catch authentication failures early, before they propagate to user-visible compliance issues.
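One way to act on this monitoring recommendation, as an added example that is not ArborXR's or Microsoft's code: it scans exported sign-in records for the dedicated account, groups failures by Entra error code, and flags a cause that hits several headsets at once. The sample records are constructed, the field names follow the Microsoft Graph signIn resource, and the function name and the fleet_threshold parameter are hypothetical.

```python
import json
from collections import defaultdict

# Assumption: the example dedicated account name used on this page.
DEDICATED_UPN = "xr-headsets@yourcompany.com"

# Entra sign-in error codes matching the failure scenarios described above.
CAUSES = {
    50057: "account disabled",
    50076: "interactive MFA required by Conditional Access",
    50173: "token revoked, for example after a password change",
}

# Constructed sample records (not real log data), shaped like Graph signIn entries.
SAMPLE = json.loads("""[
 {"createdDateTime": "2025-01-10T08:00:00Z", "userPrincipalName": "xr-headsets@yourcompany.com",
  "status": {"errorCode": 0}, "deviceDetail": {"displayName": "headset-01"}},
 {"createdDateTime": "2025-01-11T08:00:00Z", "userPrincipalName": "xr-headsets@yourcompany.com",
  "status": {"errorCode": 50173}, "deviceDetail": {"displayName": "headset-01"}},
 {"createdDateTime": "2025-01-11T08:02:00Z", "userPrincipalName": "xr-headsets@yourcompany.com",
  "status": {"errorCode": 50173}, "deviceDetail": {"displayName": "headset-02"}},
 {"createdDateTime": "2025-01-11T09:00:00Z", "userPrincipalName": "xr-headsets@yourcompany.com",
  "status": {"errorCode": 50076}, "deviceDetail": {"displayName": "headset-03"}},
 {"createdDateTime": "2025-01-11T09:05:00Z", "userPrincipalName": "alice@yourcompany.com",
  "status": {"errorCode": 50126}, "deviceDetail": {"displayName": "laptop-07"}}
]""")

def summarize_failures(records, upn=DEDICATED_UPN, fleet_threshold=2):
    """Group failed sign-ins for one account by error code; flag multi-device causes."""
    devices_by_code = defaultdict(set)
    for rec in records:
        if rec.get("userPrincipalName", "").lower() != upn.lower():
            continue  # other users are out of scope for this check
        code = (rec.get("status") or {}).get("errorCode", 0)
        if code == 0:
            continue  # errorCode 0 is a successful sign-in
        device = (rec.get("deviceDetail") or {}).get("displayName") or "unknown"
        devices_by_code[code].add(device)
    return [
        {"errorCode": code,
         "cause": CAUSES.get(code, "other; check the record's failureReason"),
         "devices": sorted(devices),
         # Same failure on several headsets points at the shared account itself.
         "fleet_wide": len(devices) >= fleet_threshold}
        for code, devices in sorted(devices_by_code.items())
    ]

if __name__ == "__main__":
    for finding in summarize_failures(SAMPLE):
        print(finding)
```
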

When to use individual accounts instead

If your organization needs per-user Conditional Access on XR devices — for example, to gate access to specific Microsoft 365 apps based on user identity — use individual user accounts and have each user sign in through the Microsoft Company Portal. Conditional Access policies evaluate against the signed-in user identity, so a dedicated account approach evaluates against that one account regardless of who is wearing the headset.


Steps to Configure the Integration

Step 1: Add ArborXR as Compliance Partner in Intune

  1. Log in to Intune.

  2. In the left sidebar, select Tenant Administration.

  3. Open the Connectors and tokens tab.

  4. Click Partner compliance management.

  5. Click Add compliance partner.

  6. In the dropdown, select ArborXR.

  7. In the Platform dropdown, select Android.

  8. Click Next, assign Groups, then click Create.

Step 2: Connect ArborXR to your Entra ID tenant

  1. Log in to ArborXR.

  2. In the left sidebar, select Settings.

  3. Open the Intune Integration tab.

  4. Enter your Entra Directory (tenant) ID.

    This is the Tenant ID shown on the Overview page of the Entra Admin Center. See "How to find your Microsoft Entra tenant ID" for more information.

  5. Choose the Entra Authority that matches your tenant's cloud:

    • Public / Global: login.microsoftonline.com (the default, used by most customers)

    • US Government: login.microsoftonline.us

  6. Click Connect Intune.

  7. You will be redirected to Microsoft to grant admin consent. Sign in as a Global Administrator and review the permissions ArborXR is requesting. These allow ArborXR to report compliance data, manage its own compliance policy, and read Entra ID groups. Click Accept.

  8. Microsoft will redirect you back to ArborXR. The page will show a spinner with the message "Intune integration is being configured. This may take a moment…" while provisioning completes in the background.

💡 When provisioning is complete, the form turns read-only and displays three values: the Directory (tenant) ID, the Entra Authority, and a newly issued Compliance Policy ID.

You can also confirm successful provisioning by navigating to the Partner compliance management page in Intune. The Partner status for ArborXR should show Active.

If provisioning fails (the card will show a "The last Intune provisioning attempt failed" banner), click Clear to reset the configuration and try again. Common causes include admin consent being denied, an invalid tenant ID, or the tenant already being connected elsewhere.

Step 3: Assign the compliance policy to Entra ID groups

Intune only evaluates compliance for users in groups the policy is assigned to, so you must select at least one group before any devices will be reported.

  1. Still on the Intune Integration page, click Load Entra ID Groups. ArborXR will fetch the groups from your tenant (this may take a few seconds for large tenants).

  2. Check the box beside each Entra ID group whose members should be covered by the ArborXR compliance policy.

  3. Click Save Group Assignment.

💡 You can return to this page at any time to add or remove groups. Changes take effect the next time Intune evaluates compliance for users in those groups.

Step 4: Enforce Intune compliance on your XR devices

Connecting the integration does not, on its own, start reporting compliance for any device. You choose which devices participate by enabling enforcement on their configuration group's security settings.

  1. Navigate to the desired group.

  2. Open the Settings tab and select Security in the accordion menu.

  3. Check Enforce Microsoft Intune Compliance.

  4. Click Save.

From this point forward, every device in that group will:

  • Automatically install the Microsoft Company Portal app on its next check-in (ArborXR handles distribution, you do not need to install the Microsoft Company Portal app yourself).

  • Prompt the end user to sign in to Entra ID on the device.

  • Report its compliance state to Intune.

💡 You can scope enforcement as narrowly as you need (for example, a single group, several groups, or all of them). Devices that are not in an enforced group are unaffected by the integration and will show a Disabled Entra status.


What the End User Sees on the Device

When a headset is enrolled in a configuration group that has Intune enforcement turned on, the end user will go through a one-time sign-in on the device:

  1. After the headset connects to the network and checks in with ArborXR, Microsoft Company Portal is installed automatically. You can track the installation status of the Company Portal app within your device or group's Content > ArborXR System Apps.

  2. The user is prompted to sign in with their Entra ID (work or school) credentials. These are the same credentials they use for Microsoft 365.

  3. Once sign-in succeeds, the device is registered to that user in Entra ID and ArborXR begins reporting compliance state on their behalf.

💡 Until the user completes sign-in, the device will appear in ArborXR with an Entra status of Sign-In Required and will not be considered compliant by Intune.

Important: The signed-in user must have an Intune license assigned to them in your tenant. If they do not, the device will show an Entra status of License Required in ArborXR and compliance will not be reported until a license is assigned.


Monitor Device Entra Status

Once the integration is live, ArborXR shows each enrolled device's current Entra sign-in state in the Devices table and on each device's detail page. Click the status badge on any device to open a modal that explains the state and what, if anything, needs to happen next.

  • Signed In: The device has a valid Entra sign-in and is reporting compliance. No action needed.

  • Sign-In Required: The device is enforced but no user has signed in yet. Have the user sign in to Entra ID on the device.

  • Sign-In Failed: The user attempted to sign in and was rejected. Verify the user's credentials and that they have an Intune license, then retry.

  • License Required: The signed-in user lacks an Intune license. Assign an Intune license to the user in your Microsoft admin center.

  • Sync Error: A synchronization error occurred while reporting to Intune. Check the Integration Health card for heartbeat status; retry the device's check-in. If it persists, contact ArborXR support.

  • Disabled: The device is not in a configuration group with Intune enforcement turned on. Expected if you have not enabled enforcement for this device's group.


Validate device compliance in Microsoft Entra ID

Once ArborXR is reporting compliance, you can verify the status of your XR devices directly in Microsoft Entra ID, not in the Intune portal.

  1. Go to Devices > All Devices.

  2. Once on this page you can view devices' compliance state as reported by ArborXR.


Check Integration Health

The Integration Health card on the Intune Integration page surfaces the live state of the connection:

  • Last Heartbeat: the most recent time ArborXR sent a keep-alive to Intune (ArborXR heartbeats automatically every few hours).

  • Last Device Sync: the most recent time ArborXR uploaded device inventory and compliance state to Intune.

  • Intune-Registered Devices: the count of devices in your organization that have reported an Entra device ID.

💡 If the Last Heartbeat is more than 48 hours old, ArborXR will display a warning banner. This usually indicates a credential, network, or tenant-level issue and is worth investigating or reporting to support.


Disconnect the Integration

To disconnect ArborXR from Intune — for example, if you are decommissioning the integration or migrating to a different ArborXR organization:

  1. Go to Settings > Intune Integration.

  2. Click Disconnect Intune.

  3. Confirm the action in the prompt.

ArborXR will:

  • Delete the compliance policy it created in your Intune tenant.

  • Stop reporting any device compliance state.

  • Clear the stored Intune configuration from your ArborXR organization.

During teardown the page shows an "Intune integration is being disconnected. This may take a moment…" banner. Once it clears, you are free to connect a different tenant if you wish.


Troubleshooting

A device's Entra status in ArborXR shows 'Signed In' and it is reported as compliant in Intune, but the user sees a sign-in screen when they open Company Portal. Is something wrong?

No, this is expected behavior. Company Portal displays a sign-in screen whenever it is opened directly, regardless of the device's current compliance state. The existing sign-in is still active and ArborXR will continue reporting the device as compliant. Additionally, other users can sign in through Company Portal if they wish to add their own Microsoft account to the device.

Why do I see a "The last Intune provisioning attempt failed" banner when connecting?

Click Clear on the banner to reset the configuration, then retry Step 2. Make sure you granted (rather than denied) admin consent in Microsoft, and that the Directory (tenant) ID matches the tenant whose admin actually granted consent.

Why do I see an "Intune integration is suspended because the tenant could not be found" banner?

This means Microsoft no longer recognizes ArborXR's configuration for your tenant — typically because admin consent was revoked in Entra ID, or the ArborXR partner relationship was removed from Intune. Clear the configuration and re-connect, or contact ArborXR support if the issue persists.

Why are devices stuck on 'Sign-In Required'?

The user has not yet signed in to Entra ID on the device. Confirm Company Portal has installed on the headset (allow time for it to download on first check-in) and have the user complete the Entra sign-in flow. See "Assign licenses to users so they can enroll devices in Intune" to learn more.

Why are devices showing 'License Required' Entra Status?

The signed-in user does not have an Intune license. Assign an Intune license in the Microsoft 365 admin center, then have the user re-authenticate on the device.

Why is the Last Heartbeat stale (>48 hours)?

Most often caused by a tenant-side change (revoked consent, tenant migration, deleted partner relationship) or a transient outage. Open a support ticket with ArborXR, including your Directory (tenant) ID and approximate time of the last successful sync.

Why do I only see the integration page but not the configuration form?

You may not have the Configure Intune Device Compliance Integration permission. Ask an Organization Owner or Admin to grant it or perform the setup. If the feature has not been enabled for your organization, contact your ArborXR account team.

If I disable Intune compliance enforcement on a device or configuration group, what happens to the Company Portal app ArborXR installed?

ArborXR will attempt to uninstall Company Portal automatically. What happens depends on how the user originally signed in:

  • If the user signed in through ArborXR's automated Company Portal flow, ArborXR can uninstall Company Portal once the device is no longer configured to use Intune.

  • If the user manually launched Company Portal and signed in themselves, this creates a device admin record on the device that ArborXR cannot remove. In this case, the user must first open Company Portal and tap "Remove Company Portal" before ArborXR is able to uninstall the app.
