---
title: Microsoft Intune
---
<!-- licenses: community, platform -->

runZero integrates with ((Microsoft Intune)) to allow you to sync and enrich your asset inventory. Adding your Microsoft
Intune data to runZero makes it easier to find unmanaged assets on your network. Data added includes
the [discovered apps](https://learn.microsoft.com/en-us/mem/intune/apps/app-discovered-apps#details-of-discovered-apps) from Intune. Managed apps (those pushed to devices by Intune) are not currently reported.

## Getting started {#intune-getting-started}

To set up the Microsoft Intune integration, you'll need to:

1. Configure Microsoft Intune to allow API access from runZero.

2. Add the Microsoft Intune credential in runZero.

3. Choose whether to configure the integration as [a scan probe or connector task](integrations-inbound.md#integration-probe-connector).

4. Activate the Microsoft Intune integration to sync your data with runZero.

## Requirements {#intune-requirements}

Before you can set up the Microsoft Intune integration:

* Make sure you have access to the Microsoft Azure portal.

## Step 1: Register an Azure application for Microsoft Intune API access {#intune-api-access}

runZero can authenticate to the Microsoft Intune API using either a username and password or a client secret. Register
an application to configure Microsoft Intune API access.

1. Sign in to the Microsoft Azure portal.

2. Go to _App registrations_ and click on _+ New registration_.
    * Provide a name.
    * Select the supported account types.
    * Optionally add a redirect URI.

3. Click _Register_ to register the application.

4. Once the application is created, go back to the main Azure portal page and select _App registrations_. You should be
   able to find the application you just registered. (It may help to select the _Owned applications_ tab.) Click on
   the app's name.

5. You should see an overview of the app registration. Note the following information:
   * Application (client) ID
   * Directory (tenant) ID

6. From the application's details page, go to _Manage > API permissions_ and choose _+ Add a permission_.

7. Select _Microsoft Graph_ from the list of Microsoft APIs.

8. Select the correct permissions type for your needs:
    * **Username & password**: select _Delegated permissions_
    * **Client secret**: select _Application permissions_

9. Search for and select the following required permissions:
    * `DeviceManagementManagedDevices.Read.All`
    * `User.Read.All`
    * `DeviceLocalCredential.ReadBasic.All` (only required if you choose to enable the Include LAPS Information option
       within the integration)

10. Click _Add permissions_ to save the permissions to the application.

11. Click _Grant admin consent_ to grant consent for the permissions to the application.

12. If using a client secret, also perform the following steps from the app management pages:
    * Navigate to _App registrations_ and select the application you created.
    * Go to _Certificates & secrets_ and click on _+ New client secret_.
      * Enter a description.
      * Select the expiration.
    * Click _Add_ to create the client secret and save the client secret value.

## Step 2: Add the Microsoft Intune credential to runZero {#intune-credential}

Adding the Microsoft Intune credential requires adding an Azure username and password or an Azure Client Secret to
runZero. The following sub-steps break down each task.

### Step 2a: Add an Azure Username & Password credential to runZero {#intune-credential-userpass}

1. Go to the [Credentials page](https://console.runzero.com/credentials/new) in runZero and click _Add Credential_.

2. Provide a name for the credential, like `Azure User/Pass`.

3. Choose _Azure Username & Password_ from the list of credential types.

4. Provide the following information:
    * **Azure application (client) ID** - The unique ID for the registered application. This can be found in the Azure
      portal if you go to _App registrations_ and select the application.
    * **Azure directory (tenant) ID** - The unique ID for the tenant. This can be found in the Azure portal if you go
      to _App registrations_ and select the application.
    * **Azure username** - The username for your Azure cloud account. This cannot be a federated user account.
    * **Azure password** - The password for your Azure cloud account.

5. If you want other organizations to be able to use this credential, select the _Make this a global credential_ option.
   Otherwise, you can configure access on a per-organization basis.

6. Save the credential. You're now ready to set up and activate the connection to bring in data from Azure.

### Step 2b: Add an Azure Client Secret credential to runZero {#intune-credential-clientsecret}

This type of credential can be used to sync all resources in a single directory (across multiple subscriptions).

1. Go to the [Credentials page](https://console.runzero.com/credentials/new) in runZero and click _Add Credential_.

2. Provide a name for the credential, like `Azure Client Secret`.

3. Choose _Azure Client Secret_ from the list of credential types.

4. Provide the following information:
    * **Azure application (client) ID** - The unique ID for the registered application. This can be found in the Azure
      portal if you go to _App registrations_ and select the application.
    * **Azure client secret** - To generate a client secret, go to _App registrations_, select your application, go to
      _Manage > Certificates & secrets_ and click on _New client secret_.
    * **Azure directory (tenant) ID** - The unique ID for the tenant. This can be found in the Azure portal if you go
      to _App registrations_ and select the application.

5. If you want other organizations to be able to use this credential, select the _Make this a global credential_ option.
   Otherwise, you can configure access on a per-organization basis.

6. Save the credential. You're now ready to set up and activate the connection to bring in data from Azure.

## Step 3: Choose how to configure the Microsoft Intune integration

The Microsoft Intune integration can be configured as either a [scan probe or a connector task](integrations-inbound.md#integration-probe-connector). Scan probes gather
data from integrations during scan tasks. Connector tasks run independently of a scan, from either the cloud or one of your
Explorers, and perform only the integration sync.

## Step 4: Set up and activate the Microsoft Intune integration to sync data

After you add your Microsoft Intune credential, you'll need to set up a connector task or scan probe to sync your data.

### Step 4a: Configure the Microsoft Intune integration as a connector task

A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the
site determines where any new Microsoft Intune-only assets are created.

1. Activate a [connection to Microsoft Intune](https://console.runzero.com/ingest/intune). You can access all available third-party connections from the
   [integrations page](https://console.runzero.com/integrations), your [inventory](https://console.runzero.com/inventory), or the [tasks page](https://console.runzero.com/tasks).

2. Choose the credential you added earlier. If you don't see the credential listed, make sure it has access to the
   organization you are currently in.

3. Optionally provide a filter to import only devices that match it. You can find more details in the
   [Filtering Intune assets](#intune-filtering) section below.

4. If you wish to retrieve LAPS information from Intune, enable the Include LAPS Information option. This functionality
   also has additional permission requirements; please see the [Intune API Access](#intune-api-access) section above.
   Please note that **runZero does not collect passwords from LAPS when using this option.**

5. Enter a name for the task, like `Microsoft Intune sync`.

6. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date
   and time you have set.

7. Under **Task configuration**, choose the site you want to add your assets to.

8. If you want to exclude assets that have not been scanned by runZero from your integration import, switch the
   **Exclude unknown assets** toggle to _Yes_. By default, the integration will include assets that have not been scanned
   by runZero.

9. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the
   [Scheduled tasks](https://console.runzero.com/tasks) to see when the next sync will occur.

### Step 4b: Configure the Microsoft Intune integration as a scan probe

1. Create a new scan task or select a future or recurring scan task from your [Tasks page](https://console.runzero.com/tasks).

2. Add or update the scan parameters based on any additional requirements.

3. On the Probes and SNMP tab, choose which additional probes to include, set the Intune toggle to `Yes`, and change
   any of the default options if needed.

4. On the Credentials tab, set the Intune toggle for the credential you wish to use to `Yes`.

5. Click _Initialize scan_ to save the scan task and have it run immediately or at the scheduled time.

## Step 5: View Microsoft Intune assets

After a successful sync, you can [go to your inventory](https://console.runzero.com/inventory) to view your Microsoft Intune assets. These assets will
have an Active Directory icon listed in the _Source_ column.

To filter by Microsoft Intune assets, consider running the following queries:

* [View all Microsoft Intune assets](https://console.runzero.com/inventory?search=source%3Aintune):
    ```
    source:intune
    ```
* [View runZero assets not connected to Microsoft Intune](https://console.runzero.com/inventory?search=source%3Arunzero%20and%20not%20source%3Aintune):
    ```
    source:runzero AND NOT source:intune
    ```

Click into each asset to see its individual attributes. runZero will show you the attributes returned by Microsoft Intune.

## Filtering Intune assets {#intune-filtering}

An optional filter can be applied to Intune integration tasks. runZero uses the Intune reports API to retrieve assets
from the `DevicesWithInventory` report. This API accepts a filter field to narrow down the results.

### Properties {#intune-filtering-properties}

The `DevicesWithInventory` report supports filtering based on the following properties:

- CreatedDate
- LastContact
- CategoryName
- CompliantState
- ManagementAgents
- OwnerType
- ManagementState
- DeviceType
- JailBroken
- EnrollmentType
- PartnerFeaturesBitmask

For the most up-to-date list of properties, please refer to Microsoft's documentation on the
[DevicesWithInventory](https://learn.microsoft.com/en-us/mem/intune/fundamentals/reports-export-graph-available-reports#deviceswithinventory) report.
Note that not all the properties listed in that table are filterable. Scroll just below the table to find a separate
list of properties that can be used in filters.

### Operators {#intune-filtering-operators}

There is no official documentation on the filter syntax or supported operators for the Intune reports API, but based
on our testing, the following operators may be supported. In practice, we've found that some of these, such
as `not` and `in`, can produce errors, so your results may vary.

- Equal to (`eq`)
- Not equal to (`ne`)
- Logical negation (`not`)
- In (`in`)
- Has (`has`)
- Less than (`lt`)
- Greater than (`gt`)
- Less than or equal to (`le`)
- Greater than or equal to (`ge`)

The syntax appears to be similar to the `$filter` query parameter used elsewhere in Microsoft Graph. Examples for this
syntax can be found in [Use the $filter query parameter](https://learn.microsoft.com/en-us/graph/filter-query-parameter?tabs=http). We recommend testing filters carefully and starting with
basic operators like `eq` and `ne` for best results.

### Example Filters {#intune-filtering-examples}

The following are examples of filters that can be applied to an Intune integration.

| Search Filter                                                         | Description                                                          |
| --------------------------------------------------------------------- | ---------------------------------------------------------------------|
| `DeviceType eq 'android'`                                             | Import all android devices                                           |
| `LastContact ge '2023-02-23 23:50:01.0000000'`                        | Import devices that checked in after a specific date and time        |
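
As an added example (not runZero's code), the following Python pre-check validates a `DevicesWithInventory` filter against the property and operator lists above before it goes into a task, flagging the `not` and `in` operators the page reports as unreliable, and wraps an accepted filter in a report export request body. The request body shape (`reportName` and `filter`) is an assumption based on Microsoft's Intune report export API, not something documented on this page.

```python
import re

# Filterable DevicesWithInventory properties and operators exactly as listed on this page.
FILTERABLE_PROPERTIES = {
    "CreatedDate", "LastContact", "CategoryName", "CompliantState",
    "ManagementAgents", "OwnerType", "ManagementState", "DeviceType",
    "JailBroken", "EnrollmentType", "PartnerFeaturesBitmask",
}
OPERATORS = {"eq", "ne", "in", "has", "lt", "gt", "le", "ge"}
RISKY = {"not", "in"}  # the page reports these can produce API errors

# One comparison: [not] <Property> <op> <'string' | number | true/false | (list)>
_CLAUSE = re.compile(
    r"^\s*(?P<neg>not\s+)?(?P<prop>\w+)\s+(?P<op>[a-z]+)\s+"
    r"(?P<val>'[^']*'|\d+|true|false|\([^)]*\))\s*$", re.IGNORECASE
)
# Split on and/or only when an even number of quotes follows (i.e. outside a string literal).
_SPLIT = re.compile(r"\s+(?:and|or)\s+(?=(?:[^']*'[^']*')*[^']*$)", re.IGNORECASE)


def validate_filter(expr):
    """Return (errors, warnings) for a DevicesWithInventory filter string."""
    errors, warnings = [], []
    for clause in _SPLIT.split(expr.strip()):
        m = _CLAUSE.match(clause)
        if not m:
            errors.append(f"cannot parse clause {clause!r}")
            continue
        prop, op = m.group("prop"), m.group("op").lower()
        if prop not in FILTERABLE_PROPERTIES:
            errors.append(f"{prop!r} is not a filterable property (names are case-sensitive)")
        if op not in OPERATORS:
            errors.append(f"unknown operator {op!r} in {clause!r}")
        elif op in RISKY:
            warnings.append(f"operator {op!r} is known to be unreliable in the reports API")
        if m.group("neg"):
            warnings.append(f"'not' is known to be unreliable in the reports API: {clause!r}")
    return errors, warnings


def build_export_job(expr):
    """Body for the Intune report export request. Assumed shape: Microsoft's
    POST /beta/deviceManagement/reports/exportJobs takes reportName and filter.
    Raises ValueError rather than emitting a filter the checks above reject."""
    errors, _ = validate_filter(expr)
    if errors:
        raise ValueError("; ".join(errors))
    return {"reportName": "DevicesWithInventory", "filter": expr}
```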

## Troubleshooting {#intune-troubleshooting}

If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.

### Why is the Microsoft Intune integration unable to connect?

1. Are you getting any data from the Microsoft Intune integration?
    * Make sure to query the inventory rather than look at the task details to review all the data available from this
      integration.
    * In some cases, integrations have a configuration set that limits the amount of data that comes into the runZero
      console.
2. Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the
   integration, it may not work correctly. Please review this documentation and follow the steps exactly.
3. If the Microsoft Intune integration is unable to connect, be sure to check the task log for errors. Some common
   errors include:
   * 500 - server error, unable to connect to the endpoint
   * 404 - hitting an unknown endpoint on the server
   * 403 - not authorized, likely a credential issue

### How do I solve the following Microsoft Intune error:

* `(invalid_client) AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'`

This error means that you need to enable `Public Client Flows` in Azure. To do so, follow these steps:

1. Navigate to the App Registration page in the Azure portal.
2. Choose _Authentication_ from the left navigation.
3. Select _Advanced Settings_.
4. Toggle the _Allow Public Client Flows_ switch at the bottom of the page to _Yes_.
