Microsoft Intune is a cloud-based endpoint management solution. Intune simplifies app and device management across your device portfolio, including mobile devices, desktop computers, and virtual endpoints. For more information, refer to Microsoft’s official documentation.
Integration Method: API
Tables: Account Change (3001), Entity Management (3004), Group Management (3006), Device Inventory Info (5001), User Inventory Info (5003)
Following events are supported by this integration.
Events | Description |
---|---|
Devices | List properties and relationships of the managedDevice objects. |
Audits | Get the list of audit logs generated by Microsoft Entra ID. |
Detected Apps | Get the list of applications found. |
This integration supports the following versions.
Microsoft Graph API version | v1.0 |
Prerequisites
Access to the Azure portal with an account that has the Global Administrator role.
Access to the DataBee console.
Configuration Overview
Create an application with required permissions to fetch the data.
Create Microsoft Intune Data Feed in the DataBee console with the required Client credentials.
DataBee Feed Parameter
Azure Parameter
Client Key
Application (client) ID
Client Secret
Token URL(<application_id>)
Directory (Tenant) ID
Azure Configuration
Create an application
Log on to Azure portal with an account that has the Global Administrator role.
In the search bar, search for App Registrations and select it.
On the “App registrations” page, select New registration, the “Register an application” window will appear.
On the “Register an application” window:
Under ‘Name’ enter your Application Name then click on Register to create the application.
On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
Add Endpoint Access
Once the application is created, following three permissions are needed on the Graph API.
DeviceManagementManagedDevices.Read.All,
AuditLog.Read.All
Directory.Read.All
This section details how to configure and add permissions to the required endpoints.
Add Permissions
From the Azure Active Directory portal:
Select the application registered in the previous step.
Under Manage, click API Permissions and then click Add a Permission, the “Request API permissions” window will appear.
On “Request API permissions” window, Click on Microsoft APIs then on Microsoft Graph.
Click on Application Permissions.
The following permissions need to be granted for the endpoint to function properly:
Event
Type
Permission
Devices
Application
DeviceManagementManagedDevices.Read.All
Audits
Application
AuditLog.Read.All
Audits
Application
Directory.Read.All
Detected Apps
Application
DeviceManagementManagedDevices.Read.All
In the Select permissions search bar, enter the permission shown above, and check the box to include them.
Click the Add permissions button after selecting all required permissions.
On the “API permissions” page, click Grant Admin Consent for <tenant>.
Click the Yes button on the consent confirmation.
The required permissions are now added for the endpoints.
Create the Client Secret
The final step to access the APIs is creating a Client Secret. To create it from the Azure Portal:
Select the application created above.
Under Manage, Click Certificates and Secrets, and then Client Secrets.
Click New client secret. Then “Add a client secret” window appears.
In the “Add a client secret” window:
Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.
Then click on Add to create the client secret.
Note:
The user needs to re-create the client secret when it expires.
DataBee Configuration
Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for the Microsoft Intune and select it.
Click on the API Ingest.
In the configuration page, enter the following:
Authorization Method: OAuth2
Client Key: paste the Application (client) ID generated earlier.
Client Secret: paste the Client Secret value generated earlier.
Token URL: replace <application_id> placeholder with the Directory (Tenant) ID generated earlier.
Click Submit.
Troubleshooting Tips
If you are facing an invalid client or unauthorized client error this might be possibly due to incorrect credentials. Ensure the client key, client secret and Tenant ID are pasted correctly. Since you cannot view the client secret after the 1st time, re-create it, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.
If you are facing a 403-response code this might be possibly due to missing permission. Ensure that all the required permissions are granted correctly as per the above-mentioned steps.