Microsoft Intune

Community Platform

runZero integrates with Microsoft Intune to allow you to sync and enrich your asset inventory. Adding your Microsoft Intune data to runZero makes it easier to find unmanaged assets on your network. Data added includes the discovered apps from Intune. Managed apps (those pushed to devices by Intune) are not currently reported.

Getting started

To set up the Microsoft Intune integration, you’ll need to:

  1. Configure Microsoft Intune to allow API access from runZero.
  2. Add the Microsoft Intune credential in runZero.
  3. Choose whether to configure the integration as a scan probe or connector task.
  4. Activate the Microsoft Intune integration to sync your data with runZero.

Requirements

Before you can set up the Microsoft Intune integration:

  • Verify that you have a runZero Platform license.
  • Make sure you have access to the Microsoft Azure portal.

Step 1: Register an Azure application for Microsoft Intune API access

runZero can authenticate to the Microsoft Intune API using either a username and password or a client secret. Register an application to configure Microsoft Intune API access.

  1. Sign in to the Microsoft Azure portal.
  2. Go to Azure Active Directory > App registrations and click on New registration.
    • Provide a name.
    • Select the supported account types.
    • Optionally add a redirect URI.
  3. Click Register to register the application.
  4. Once the application is created, you should see the Overview dashboard. Note the following information:
    • Application (client) ID
    • Directory (tenant) ID
  5. From the application’s details page, go to API permissions > Add a permission.
  6. Select Microsoft Graph from the list of Microsoft APIs.
  7. Select the correct permissions type for your needs:
    • Username & password: select Delegated permissions
    • Client secret: select Application permissions
  8. Search for and select the following required permissions:
    • DeviceManagementManagedDevices.Read.All
    • User.Read.All
  9. Click Add permissions to save the permissions to the application.
  10. Click Grant admin consent to grant consent for the permissions to the application.
  11. If using a client secret, also perform the following steps:
    • Navigate to Azure Active Directory > App registrations and select the application you created.
    • Go to Certificates & secrets and click on New client secret.
      • Enter a description.
      • Select the expiration.
    • Click Add to create the client secret and save the client secret value.

Step 2: Add the Microsoft Intune credential to runZero

Adding the Microsoft Intune credential requires adding either an Azure username and password or an Azure client secret to runZero. The following sub-steps break down each task.

Step 2a: Add an Azure Username & Password credential to runZero

  1. Go to the Credentials page in runZero and click Add Credential.
  2. Provide a name for the credential, like Azure User/Pass.
  3. Choose Azure Username & Password from the list of credential types.
  4. Provide the following information:
    • Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Azure username - The username for your Azure cloud account. This cannot be a federated user account.
    • Azure password - The password for your Azure cloud account.
  5. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
  6. Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.

Step 2b: Add an Azure Client Secret credential to runZero

This type of credential can be used to sync all resources in a single directory (across multiple subscriptions).

  1. Go to the Credentials page in runZero and click Add Credential.
  2. Provide a name for the credential, like Azure Client Secret.
  3. Choose Azure Client Secret from the list of credential types.
  4. Provide the following information:
    • Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Azure client secret - To generate a client secret, go to Azure Active Directory > App registrations, select your application, go to Certificates & secrets and click on New client secret.
    • Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
  5. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
  6. Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.

Step 3: Choose how to configure the Microsoft Intune integration

The Microsoft Intune integration can be configured as either a scan probe or a connector task. Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.

Step 4: Set up and activate the Microsoft Intune integration to sync data

After you add your Microsoft Intune credential, you’ll need to set up a connector task or scan probe to sync your data.

Step 4a: Configure the Microsoft Intune integration as a connector task

A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Microsoft Intune-only assets are created.

  1. Activate a connection to Microsoft Intune. You can access all available third-party connections from the integrations page, your inventory, or the tasks page.

  2. Choose the credential you added earlier. If you don’t see the credential listed, make sure it has access to the organization you are currently in.

  3. Optionally provide a filter following the Microsoft Graph API filter syntax. We will only import devices that match the filter.

    1. Note that we only support the filters available for the DevicesWithInventory report:

      • CreatedDate
      • LastContact
      • CategoryName
      • CompliantState
      • ManagementAgents
      • OwnerType
      • ManagementState
      • DeviceType
      • JailBroken
      • EnrollmentType
      • PartnerFeaturesBitmask

      For an updated list of filters, please refer to Microsoft’s documentation on the DevicesWithInventory report. Not all the columns on that table are filterable. The available filters are listed after the table.

  4. Enter a name for the task, like Microsoft Intune sync.

  5. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.

  6. Under Task configuration, choose the site you want to add your assets to.

  7. If you want to exclude assets that have not been scanned by runZero from your integration import, switch the Exclude unknown assets toggle to Yes. By default, the integration will include assets that have not been scanned by runZero.

  8. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.

Step 4b: Configure the Microsoft Intune integration as a scan probe

  1. Create a new scan task or select a future or recurring scan task from your Tasks page.
  2. Add or update the scan parameters based on any additional requirements.
  3. On the Probes and SNMP tab, choose which additional probes to include, set the Intune toggle to Yes, and change any of the default options if needed.
  4. On the Credentials tab, set the Intune toggle for the credential you wish to use to Yes.
  5. Click Initialize scan to save the scan task and have it run immediately or at the scheduled time.

Step 5: View Microsoft Intune assets

After a successful sync, you can go to your inventory to view your Microsoft Intune assets. These assets will have an Active Directory icon listed in the Source column.

To filter by Microsoft Intune assets, consider running the following queries:

Click into each asset to see its individual attributes. runZero will show you the attributes returned by Microsoft Intune.

Filtering Intune assets

An optional filter can be applied to Intune integration tasks. runZero uses the Microsoft Graph $filter query parameter to filter assets. A filter expression follows the syntax <property> [operator] <value>. Multiple expressions can be combined for more complex filtering by placing and or or between expressions.

Properties

Any property that runZero imports from Intune can be used to apply a filter. The following are some examples.

Intune Property   | runZero Attribute              | Description                                                              | Example
------------------|--------------------------------|--------------------------------------------------------------------------|-------------
deviceName        | @intune.dev.deviceName         | The hostname of the device                                               | EXPLORER-01
osVersion         | @intune.dev.osVersion          | The version of the specified operating system                            | 10.0.x
manufacturer      | @intune.dev.manufacturer       | The manufacturer of the device                                           | Dell Inc.
model             | @intune.dev.model              | The model of the device                                                  | Precision 3560
azureADRegistered | @intune.dev.azureADRegistered  | Boolean value specifying whether the device is registered in Azure AD    | true, false
easActivated      | @intune.dev.easActivated       | Boolean value specifying whether the device is Exchange ActiveSync activated | true, false

Operators

The following are common operators that can be used in an Intune filter.

  • Equal to (eq)
  • Not equal to (ne)
  • Has (has)
  • Less than (lt)
  • Greater than (gt)
  • Less than or equal to (le)
  • Greater than or equal to (ge)

The following are common functions that can be used in an Intune filter. Functions follow the syntax function(<property>, <value>).

  • Starts with (startswith)
  • Ends with (endswith)
  • Contains (contains)

Example Filters

The following are examples of filters that can be applied to an Intune integration.

Search Filter                                                        | Description
---------------------------------------------------------------------|------------------------------------------------------------------
azureADRegistered eq true                                            | Import all assets that are registered in Azure AD
startswith(deviceName, 'PROD')                                       | Import all devices with a hostname that starts with PROD
not(startswith(deviceName, 'DEV'))                                   | Import all devices except those with a hostname that starts with DEV
not(startswith(model, 'iPhone')) and not(startswith(model, 'iPad'))  | Import all devices except iPhones and iPads
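A malformed filter only surfaces as a failed task after the sync has been scheduled, so it helps to check the expression before pasting it into the task. The following pre-flight validator is an added example, not runZero's code or Microsoft's: it tokenizes a Graph $filter string and parses it against the grammar described above (<property> [operator] <value>, the eq/ne/has/lt/gt/le/ge operators, the startswith/endswith/contains functions, not, and and/or between expressions), then reports which properties the filter references so they can be checked against Microsoft's list of filterable DevicesWithInventory columns. The optional allow-list is an assumption for illustration; the sample filters are the ones from the table above.

```python
"""Pre-flight syntax check for Microsoft Graph $filter expressions used in an
Intune task. Added example; not part of runZero or Microsoft Graph. It validates
syntax only and does not contact Graph."""
import re

# One token per match; the string form follows OData quoting ('' escapes a quote).
TOKEN_RE = re.compile(r"""\s*(?:
      (?P<lparen>\()
    | (?P<rparen>\))
    | (?P<comma>,)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>-?\d+(?:\.\d+)?)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
    )""", re.VERBOSE)

COMPARISON_OPS = {"eq", "ne", "has", "lt", "gt", "le", "ge"}
LOGICAL_OPS = {"and", "or"}
FUNCTIONS = {"startswith", "endswith", "contains"}
LITERALS = {"true", "false", "null"}
KEYWORDS = COMPARISON_OPS | LOGICAL_OPS | FUNCTIONS | LITERALS | {"not"}


class FilterError(ValueError):
    """Raised when a filter expression is not well formed."""


def tokenize(text):
    """Split the filter into (kind, value) tokens; reject characters the grammar lacks."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise FilterError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


class FilterParser:
    """Recursive-descent parser: expr := term (('and'|'or') term)*."""

    def __init__(self, text):
        self.tokens, self.i, self.properties = tokenize(text), 0, set()

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind):
        got_kind, got_val = self.peek()
        if got_kind is None:
            raise FilterError("unexpected end of filter")
        if got_kind != kind:
            raise FilterError(f"unexpected token {got_val!r} (wanted {kind})")
        self.i += 1
        return got_val

    def parse(self):
        self.expr()
        if self.peek()[0] is not None:
            raise FilterError(f"trailing token {self.peek()[1]!r}")
        return sorted(self.properties)

    def expr(self):
        self.term()
        while self.peek()[0] == "ident" and self.peek()[1].lower() in LOGICAL_OPS:
            self.i += 1
            self.term()

    def term(self):
        kind, val = self.peek()
        if kind == "lparen":                      # ( expr )
            self.take("lparen"); self.expr(); self.take("rparen"); return
        if kind != "ident":
            raise FilterError(f"expected a property or function, got {val!r}")
        low = val.lower()
        if low == "not":                          # not(...) or not startswith(...)
            self.i += 1; self.term(); return
        if low in FUNCTIONS:                      # function(<property>, <value>)
            self.i += 1; self.take("lparen"); self.property()
            self.take("comma"); self.value(); self.take("rparen"); return
        self.property()                           # <property> <op> <value>
        op = self.take("ident").lower()
        if op not in COMPARISON_OPS:
            raise FilterError(f"unknown operator {op!r}")
        self.value()

    def property(self):
        name = self.take("ident")
        if name.lower() in KEYWORDS:
            raise FilterError(f"expected a property name, got keyword {name!r}")
        self.properties.add(name)

    def value(self):
        kind, val = self.peek()
        if kind in ("string", "number") or (kind == "ident" and val.lower() in LITERALS):
            self.i += 1
        else:
            raise FilterError(f"expected a literal value, got {val!r}")


def validate_filter(text, allowed_properties=None):
    """Return the sorted property names the filter references, or raise FilterError.
    allowed_properties (assumed/optional) rejects properties outside a known set."""
    props = FilterParser(text).parse()
    if allowed_properties is not None:
        unknown = [p for p in props if p not in allowed_properties]
        if unknown:
            raise FilterError("not in the allowed property set: " + ", ".join(unknown))
    return props


def is_valid_filter(text, allowed_properties=None):
    """Boolean wrapper for scripts that just need a pass/fail."""
    try:
        validate_filter(text, allowed_properties)
        return True
    except FilterError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the example filters from the page plus two broken ones.
    table_props = {"deviceName", "osVersion", "manufacturer", "model",
                   "azureADRegistered", "easActivated"}   # the table's examples, not the full set
    for f in ["azureADRegistered eq true",
              "startswith(deviceName, 'PROD')",
              "not(startswith(model, 'iPhone')) and not(startswith(model, 'iPad'))",
              "deviceName = 'PROD-01'",                # SQL-style '=' is not an OData operator
              "startswith(deviceName 'PROD')"]:        # missing comma
        try:
            print(f"OK   {f!r} -> properties {validate_filter(f, table_props)}")
        except FilterError as e:
            print(f"FAIL {f!r}: {e}")
```

Run it as a script to see each sample classified, or import validate_filter into a task-creation script so a bad expression is rejected before the connector task is scheduled. Passing the validator proves only that the expression is well formed; whether a property is actually filterable is decided by Microsoft's DevicesWithInventory documentation, which is why the allow-list is left to the caller.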

Troubleshooting

If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.

Why is the Microsoft Intune integration unable to connect?

  1. Are you getting any data from the Microsoft Intune integration?
    • Make sure to query the inventory rather than look at the task details to review all the data available from this integration.
    • In some cases, integrations have a configuration set that limits the amount of data that comes into the runZero console.
  2. Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the integration, it may not work correctly. Please review this documentation and follow the steps exactly.
  3. If the Microsoft Intune integration is unable to connect be sure to check the task log for errors. Some common errors include:
    • 500 - server error, unable to connect to the endpoint
    • 404 - hitting an unknown endpoint on the server
    • 403 - not authorized, likely a credential issue

How do I solve the following Microsoft Intune error:

  • (invalid_client) AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'

This error means that you need to enable Public Client Flows in Azure. To do so, follow these steps:

  1. Navigate to the App Registration page in the Azure portal
  2. Choose Authentication from the left navigation
  3. Select Advanced Settings
  4. Toggle the Allow Public Client Flows switch at the bottom of the page to Yes