Introduction

In this post we are going to delve into automation for Endpoint Management with Intune. The idea is to give you a powerful and secure building block that you can then use to develop solutions for any use case.
Make sure you understand the Graph API and Managed Identities before reading this post.


Solution overview

intune-automation-architecture.png

  • The blue line represents the Logic App that calls Graph through an HTTP request.
  • The orange line represents the authorization flow of the Logic App's Managed Identity. Essentially, Azure AD validates the permissions that the Managed Identity holds for the Graph API.
  • The green line represents a successful authorization and access to the Intune/Device Management Graph API resources. -> HTTP request successful

Automation components


Azure Logic App

The creation of the Logic App is straightforward.

create-logic-app.png

Managed Identity

In this post I already talked about Managed Identities and their advantages.

Now we need to enable the Managed Identity of the Logic App and assign permissions to it. You can use my script. Note that at least the Application Administrator role is required. You need to input:

managed-identity-la-1.png

ℹ️
Consider that the system-assigned Managed Identity is bound to the Logic App lifecycle. If you delete the Logic App, the Managed Identity gets deleted too.

Logic app design

Trigger

The trigger can be any Logic App trigger, or simply a Recurrence.

logic-app-designer.png

HTTP part

The HTTP part makes the actual call to the Graph API and is composed of:

  • Method (the action to perform)
  • URI (the resource to call)
  • Authentication (how the request is authorized)

HTTP-part-designer.png

Method

Available methods: GET / POST / PUT / PATCH / DELETE

URI

The URI is the resource request URL, i.e. the Graph endpoint from which the data is requested:
https://graph.microsoft.com/{version}/{resourcetype}/{resource}?[query_parameters]

Pro tip: make yourself familiar with the OData system query options.

Examples

So for the URI, here are some examples:
Remember to put "https://graph.microsoft.com/beta/deviceManagement/" before each URI.

  • /managedDevices
    Returns all Intune devices including their attributes.
  • /configurationPolicies?$filter=platforms%20eq%20%27windows10%27
    Returns all Settings Catalog profiles for Windows 10. This uses a filter (?$filter) set to platforms = windows10; in the URL encoding, %20 is a space and %27 is a single quote (').
  • /intents?$filter=templateId%20eq%20%27ccef13ea-d0a2-49b5-9a8a-5e397faeb9e4%27
    Returns all Endpoint Security profiles of the type Antivirus (current templateId).
  • /deviceCompliancePolicies?$expand=assignments
    Returns all Compliance policies together with their assignments. The expansion ($expand) returns related attributes that are not included by default.
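The following Python script is an added example (not from the original post) that shows how the URIs above are assembled: a deviceManagement resource path, the OData system query options, and the percent-encoding of the filter values that produces the %20 and %27 sequences. It also renders the HTTP action as it appears in the Logic App code view, with the system-assigned Managed Identity as the authentication type and the Graph audience. The helper names (build_graph_uri, odata_filter_eq, http_action) are my own.

```python
from urllib.parse import quote, unquote

GRAPH_BASE = "https://graph.microsoft.com"


def odata_filter_eq(field, value):
    """Render an OData equality filter on a string property.
    OData string literals are single-quoted, so a quote inside the
    value must be doubled ('') to stay inside the literal."""
    literal = value.replace("'", "''")
    return f"{field} eq '{literal}'"


def build_graph_uri(resource, version="beta", **query):
    """Build a Graph request URI for a deviceManagement resource.

    Query options are passed without the leading '$' (filter=..., expand=...)
    because Python keyword names cannot start with '$'; the '$' is added here.
    quote(..., safe='') percent-encodes every reserved character, so a space
    becomes %20 and the OData quote ' becomes %27, exactly as in the post."""
    path = f"{GRAPH_BASE}/{version}/deviceManagement/{resource.lstrip('/')}"
    if not query:
        return path
    options = "&".join(f"${key}={quote(value, safe='')}" for key, value in query.items())
    return f"{path}?{options}"


def decode_query(uri):
    """Show what Graph sees after URL decoding (useful when a filter misbehaves)."""
    return unquote(uri.split("?", 1)[1]) if "?" in uri else ""


def http_action(uri, method="GET", audience=GRAPH_BASE):
    """Logic App HTTP action definition (workflow code view) that authenticates
    with the system-assigned Managed Identity; the audience must be the Graph
    resource, as the post notes."""
    return {
        "type": "Http",
        "inputs": {
            "method": method,
            "uri": uri,
            "authentication": {
                "type": "ManagedServiceIdentity",
                "audience": audience,
            },
        },
        "runAfter": {},
    }


if __name__ == "__main__":
    examples = [
        build_graph_uri("/managedDevices"),
        build_graph_uri("/configurationPolicies", filter=odata_filter_eq("platforms", "windows10")),
        build_graph_uri("/intents", filter=odata_filter_eq("templateId", "ccef13ea-d0a2-49b5-9a8a-5e397faeb9e4")),
        build_graph_uri("/deviceCompliancePolicies", expand="assignments"),
    ]
    for uri in examples:
        print(uri, "->", decode_query(uri) or "(no query options)")
```

Paste the dictionary returned by http_action into the "actions" section of the workflow definition (or compare it with what the designer generated) to verify that the authentication block really carries the Managed Identity type and the Graph audience rather than a default of none.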

Authentication

Authentication is an optional parameter of the HTTP action: add it and select the system-assigned Managed Identity. See the official docs for details.
Don't forget to specify the Audience = https://graph.microsoft.com

logic-app-managed-identity.png

This is an example HTTP part.

LOGIC-~2.PNG

Output - use case: write to Azure Storage Account / Intune inventory in a nutshell

For this example case, I am going to export the output (the response from the Graph API) to an Azure Storage Account. But the possibilities are nearly endless.

As you can see, everything worked fine and we receive the Graph API response.

success-logic-app-1.png

  1. Copy the body (output) of the HTTP part from the successful run.
  2. Add a Parse JSON action to format the output.
  3. As its input, add dynamic content and select the body of the HTTP part.
  4. Use the "Use sample payload to generate schema" option (tip).
  5. Paste the previously copied body (output) and verify the generated schema.
  6. Then add a For each (because there are multiple devices that share the same attributes) and select value. (The For each is also generated automatically if you select any dynamic content that is not unique.)
  7. Add a Create blob (V2) action, create a connection and choose the Storage Account name. (The Storage Account must exist beforehand, and the Logic App's Managed Identity needs a data-plane role on it, e.g. Storage Blob Data Contributor.)
  8. You can then choose a folder path and specify a blob name. I want to create one ".json" file per device and name it after the deviceName.
  9. Insert any dynamic content as the blob content.

create-blob.png
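The steps above, replayed in plain Python as an added example that is not part of the original post: a constructed two-page managedDevices response stands in for the Graph API, the For each over value becomes a loop, and each device is turned into one ".json" blob named after its deviceName. The example goes one step beyond the post by following @odata.nextLink, which Graph returns when a collection does not fit into one response; a Parse JSON over a single response body only ever sees the first page. The fake_fetch function and the sample device records are constructed for this script and are not real tenant data.

```python
import json

FIRST_URI = "https://graph.microsoft.com/beta/deviceManagement/managedDevices"
NEXT_URI = FIRST_URI + "?$skiptoken=CONSTRUCTED-PAGE-2"

# Constructed sample responses in the shape Graph returns for a collection:
# a "value" array plus "@odata.nextLink" while more pages remain.
PAGES = {
    FIRST_URI: {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/managedDevices",
        "@odata.nextLink": NEXT_URI,
        "value": [
            {"id": "00000000-0000-0000-0000-000000000001", "deviceName": "LAPTOP-01",
             "operatingSystem": "Windows", "complianceState": "compliant"},
            {"id": "00000000-0000-0000-0000-000000000002", "deviceName": "IPAD/SALES",
             "operatingSystem": "iOS", "complianceState": "noncompliant"},
        ],
    },
    NEXT_URI: {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/managedDevices",
        "value": [
            {"id": "00000000-0000-0000-0000-000000000003", "deviceName": "MAC-07",
             "operatingSystem": "macOS", "complianceState": "compliant"},
        ],
    },
}


def fake_fetch(uri):
    """Stand-in for the Logic App HTTP action: returns the constructed page for a URI."""
    return PAGES[uri]


def collect_values(first_uri, fetch):
    """Return every item of a Graph collection by following @odata.nextLink
    until a page without it arrives. This is what the For each over 'value'
    misses when only the first response body is parsed."""
    items, uri = [], first_uri
    while uri:
        page = fetch(uri)
        items.extend(page.get("value", []))
        uri = page.get("@odata.nextLink")
    return items


def blob_name(device):
    """'<deviceName>.json', as chosen in the post. A '/' inside the name would
    create an extra virtual folder in the container, so path separators are
    replaced before the extension is appended."""
    safe = device["deviceName"].replace("/", "_").replace("\\", "_")
    return f"{safe}.json"


def build_blobs(devices, folder="intune-inventory"):
    """Map each device to the blob path and the JSON content the Create blob
    action would write (the folder name is an assumption of this example)."""
    return {f"{folder}/{blob_name(d)}": json.dumps(d, indent=2) for d in devices}


if __name__ == "__main__":
    devices = collect_values(FIRST_URI, fake_fetch)
    for path, content in build_blobs(devices).items():
        print(path, len(content), "bytes")
```

In the Logic App itself the HTTP action has a Pagination setting that follows the nextLink for you before Parse JSON runs; whichever way you do it, compare the device count you export with the count shown in the Intune portal so that a silently truncated inventory is noticed.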

Hints

  • The Storage Account name may be entered manually.
  • Don't forget to add a file type extension to the blob name.
  • If the dynamic content can't be selected, click "See more" on the Dynamic content page.
  • Some dynamic contents of the Parse JSON part appear twice. You need to choose the right one (usually the one that is listed second).

En voilà, there is a custom Intune inventory solution in a nutshell, securely built on Azure.

