Microsoft Intune
Microsoft Intune is a cloud-based endpoint protection management tool. You can bring host and mobile device data from Microsoft Intune into Brinqa to gain a comprehensive view of your hosts and take action to address any potential vulnerabilities on those assets to strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Microsoft Intune and how to obtain that information from Microsoft. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Microsoft Intune from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Microsoft Intune with Brinqa:
-
API URL: The Microsoft Graph API URL. The default URL is
https://graph.microsoft.com
. -
Login URL: The Microsoft Azure authentication URL. The default URL is
https://login.microsoftonline.com
. -
Client ID and Client secret: The client ID and client secret associated with the service principal, which must have permissions to log in to the Microsoft Azure Active Directory (Active AD) and return data from the Graph API.
-
Tenant ID: The unique identifier for the Active AD tenant associated with the service principal.
Register a Microsoft Azure application
You must create a new application for the Microsoft Intune connector to authenticate with Azure AD and access the Graph API. To register an application in your Azure AD tenant, follow these steps:
-
Log in to your Microsoft Azure Portal as an administrator.
-
Navigate to and click Microsoft Entra ID.
-
On the left-hand side of the page, click App registrations, and then click New registration.
-
Give your new application a name, select the supported account types, and provide an optional Redirect URI. If you do not have a redirect URI, you can leave the field as is.
-
Click Register.
For additional details about registering an application in Azure AD and creating a service principal, see Microsoft Azure documentation.
Obtain Microsoft Azure credentials
After you have created your new Microsoft Azure application, your client and tenant ID display. Copy the Application (client) ID and Directory (tenant) ID as shown below:
To obtain your client secret, follow these steps:
-
Click Certificates & secrets and then click New client secret.
-
Provide a description, set an expiry date, and then click Add.
The new client secret displays. You cannot view the client secret again. There is both a Value and Secret ID. The Value field is needed for authentication. Copy the Value field and save it in a secure location.
Assign permissions
After you have created your new Microsoft Azure application and obtained the authentication credentials, you must assign the required permissions for the application to access your data. To do so, follow these steps:
-
Navigate to API permissions > Add a permission > Microsoft Graph.
-
Click Application permissions, grant the following permissions, and then click Add permissions.
-
Directory:
Directory.Read.All
-
User:
User.Read.All
-
-
Click Add a permission and repeat the same steps for Delegated permissions. Grant the following permissions and click Add permissions.
-
Device:
Device.Read.All
-
DeviceManagementApps:
DeviceManagementApps.Read.All
-
DeviceManagementConfiguration:
DeviceManagementConfiguration.Read.All
-
DeviceManagementManagedDevices:
DeviceManagementManagedDevices.Read.All
-
DeviceManagementRBAC:
DeviceManagementRBAC.Read.All
-
DeviceManagementServiceConfig:
DeviceManagementServiceConfig.Read.All
-
Directory:
Directory.Read.All
-
User:
User.Read.All
-
-
Click Grant admin consent for default directory, and then click Yes in the confirmation dialog. Your API permissions should resemble the following:
For additional information about Azure AD permissions, see Microsoft Azure documentation.
Types of data to retrieve
The Microsoft Intune connector can retrieve the following types of data from the Microsoft Graph API:
Connector Object | Required | Maps to Data Model |
---|---|---|
Host | Yes | Host |
Mobile Device | Yes | Device |
For detailed steps on how to view the data retrieved from Microsoft Intune in the Brinqa Platform, see How to view your data.
Operation options
The Microsoft Intune connector supports operation options. See connector operation options for information about how to apply them.
The Microsoft Intune connector supports the filter
operation option for both the Host and Mobile device connector objects. Filter is the key and for the supported values, see Microsoft documentation on using the filter query parameter.
APIs
The Microsoft Intune connector uses the Microsoft Graph REST API v1.0. Specifically, it uses the following endpoint:
GET /v1.0/deviceManagement/managedDevices
Changelog
The Microsoft Intune connector has undergone the following changes:
3.4.5
- No change.
3.4.4
- No change.
3.4.3
- No change.
3.4.2
- No change.
3.4.1
- Added support for Data lifecycle management to the Host and Mobile Device objects.
3.4.0
- No change.
3.3.9
- No change.
3.3.8
- No change.
3.1.6
-
Excluded
00000000-0000-0000-0000-000000000000
as a valid Azure Active Directory device ID. -
Updated dependencies.
3.1.5
- Fixed a null pointer exception when there's no filter provided.
3.0.1
- Normalized the MAC_ADDRESS attribute in the Computer object.
3.0.0
- Initial Integration+ release.