Microsoft Intune connector

The Microsoft Intune connector allows devices associated with Microsoft Intune to be added as assets. All types of endpoints can be integrated, whether they are workstations, smartphones, or tablets, regardless of their operating system: Windows, Linux, macOS, Android, or iOS.

This connector has the ability to analyze workstations or mobile devices without requiring script execution or the installation of additional agents, and enables retrieval of the operating system version, security patch level, and installed applications.

Scanning capabilities are limited to the data available in Microsoft Intune. The data retrieved in Cyberwatch depends entirely on the policies applied to the devices from Microsoft Intune. For example, the list of installed applications is only reported by Microsoft Intune if the device is defined as Corporate.

Entra ID discovery also allows the detection of assets managed by Microsoft Intune. Additional information is available in the Entra ID discovery documentation.

Prerequisites

Creating agentless connections of type Microsoft Intune requires enabling this type of connection from the menu Administration > Connector Management.

Microsoft Entra ID

Microsoft Graph API permissions required:

  • Device.Read.All
  • DeviceManagementManagedDevices.Read.All

Note that these permissions require the consent of an administrator of the Azure tenant before they take effect.
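To make the two permissions and the Corporate-only limitation concrete, here is an added Python example (not Cyberwatch's code) that models what a connector holding these permissions reads from Microsoft Graph for one Intune ID. The URLs and field names follow Microsoft's managedDevice and detectedApp resources; the sample response is constructed, and mapping the portal's "Corporate" ownership to managedDeviceOwnerType "company" is an assumption.

```python
from typing import Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Graph permissions listed in the prerequisites above.
REQUIRED_PERMISSIONS = {"Device.Read.All", "DeviceManagementManagedDevices.Read.All"}


def missing_permissions(granted: List[str]) -> List[str]:
    """Required permissions not yet granted to the app registration."""
    return sorted(REQUIRED_PERMISSIONS - set(granted))


def device_request_urls(intune_id: str) -> Dict[str, str]:
    """Graph URLs for one managed device (by Intune ID) and its detected applications."""
    base = f"{GRAPH}/deviceManagement/managedDevices/{intune_id}"
    return {"device": base, "apps": f"{base}/detectedApps"}


def build_asset(device: dict, detected_apps: Optional[List[dict]] = None) -> dict:
    """Normalise a managedDevice response into the fields the connector reports.

    Applications are only kept for Corporate devices, mirroring the Intune behaviour
    described above. Assumption: "Corporate" maps to managedDeviceOwnerType "company".
    """
    apps_available = device.get("managedDeviceOwnerType") == "company"
    return {
        "intune_id": device["id"],
        "name": device.get("deviceName", ""),
        "os": device.get("operatingSystem", ""),
        "os_version": device.get("osVersion", ""),
        # androidSecurityPatchLevel is empty on non-Android devices; report None then.
        "patch_level": device.get("androidSecurityPatchLevel") or None,
        "apps_available": apps_available,
        "apps": [a["displayName"] for a in (detected_apps or [])] if apps_available else [],
    }


# Constructed sample data shaped like Graph responses (not captured from a real tenant).
SAMPLE_DEVICE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "deviceName": "LAPTOP-EXAMPLE",
    "operatingSystem": "Windows",
    "osVersion": "10.0.22631.3447",
    "managedDeviceOwnerType": "company",
    "androidSecurityPatchLevel": "",
}
SAMPLE_APPS = [{"displayName": "Microsoft Edge", "version": "124.0.2478.51"}]
```

Running build_asset on the same device with managedDeviceOwnerType set to "personal" yields an empty application list, which is the behaviour to expect in Cyberwatch for non-Corporate devices.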

Configure API access

To obtain the Application ID, you must create a new app registration from the Azure console, under the Microsoft Entra ID service. The Tenant ID should also be visible on the application’s overview page.

Once the application is created, you must grant it read access to your environment from the Subscriptions service, under the Access control (IAM) section, in the Role assignments tab.

Back on the app registration page, you can generate a client secret under Certificates & secrets.

With these three pieces of information, you can create Microsoft Azure credentials in Cyberwatch, under the Saved Credentials menu.

Add an asset using the Microsoft Intune connector

Once the Microsoft Entra ID credential has been created and the Microsoft Graph API permissions have been configured, you can add a device associated with Intune.

This is done from the agentless connection creation page, by selecting the Microsoft Intune access protocol and filling in the Address field with the Intune ID of your device. This ID can be found in the properties of your device directly within your Microsoft Intune portal.

In Cyberwatch, under the Assets section:

  1. Go to the Assets menu and click on Agentless Connections
  2. Select the Microsoft Intune access protocol
  3. In the Address field, enter your device’s Intune ID
  4. Select the Microsoft Entra ID credential set
  5. Click Save

Add using Microsoft Entra ID discovery

Microsoft Entra ID discovery enables detection of all your associated devices. From the Entra ID discovery asset list page, you can add assets by selecting them and creating agentless connections using the bulk actions button. After that, simply select the Microsoft Intune connector and the credential set used during discovery.

In Cyberwatch, under the Assets section:

  1. Go to the Discoveries menu
  2. On the Entra ID discovery, click View Discovered Assets
  3. Select the detected devices to add
  4. Click the Bulk Actions button, then select Scan with agentless connections
  5. Under Credentials, select the previously saved Microsoft Azure account
  6. Select the connection type Microsoft Intune, and choose the same credential set used during the Entra ID discovery
  7. Click Create Agentless Connections
