Skip to main content

Microsoft Intune

Microsoft Intune is a cloud-based endpoint protection management tool. You can bring host and mobile device data from Microsoft Intune into Brinqa to gain a comprehensive view of your hosts and take action to address any potential vulnerabilities on those assets to strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Microsoft Intune and how to obtain that information from Microsoft. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Microsoft Intune from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Microsoft Intune with Brinqa:

  • API URL: The Microsoft Graph API URL. The default URL is https://graph.microsoft.com.

  • Login URL: The Microsoft Azure authentication URL. The default URL is https://login.microsoftonline.com.

  • Client ID and Client secret: The client ID and client secret associated with the service principal, which must have permissions to log in to the Microsoft Azure Active Directory (Active AD) and return data from the Graph API.

  • Tenant ID: The unique identifier for the Active AD tenant associated with the service principal.

Register a Microsoft Azure application

You must create a new application for the Microsoft Intune connector to authenticate with Azure AD and access the Graph API. To register an application in your Azure AD tenant, follow these steps:

  1. Log in to your Microsoft Azure Portal as an administrator.

  2. Navigate to and click Microsoft Entra ID.

  3. On the left-hand side of the page, click App registrations, and then click New registration.

  4. Give your new application a name, select the supported account types, and provide an optional Redirect URI. If you do not have a redirect URI, you can leave the field as is.

    microsoft azure new application page

  5. Click Register.

note

For additional details about registering an application in Azure AD and creating a service principal, see Microsoft Azure documentation.

Obtain Microsoft Azure credentials

After you have created your new Microsoft Azure application, your client and tenant ID display. Copy the Application (client) ID and Directory (tenant) ID as shown below:

Microsoft Intune client and tenant ID

To obtain your client secret, follow these steps:

  1. Click Certificates & secrets and then click New client secret.

  2. Provide a description, set an expiry date, and then click Add.

    The new client secret displays. You cannot view the client secret again. There is both a Value and Secret ID. The Value field is needed for authentication. Copy the Value field and save it in a secure location.

    microsoft azure new client secret

Assign permissions

After you have created your new Microsoft Azure application and obtained the authentication credentials, you must assign the required permissions for the application to access your data. To do so, follow these steps:

  1. Navigate to API permissions > Add a permission > Microsoft Graph.

  2. Click Application permissions, grant the following permissions, and then click Add permissions.

    • Directory: Directory.Read.All

    • User: User.Read.All

  3. Click Add a permission and repeat the same steps for Delegated permissions. Grant the following permissions and click Add permissions.

    • Device: Device.Read.All

    • DeviceManagementApps: DeviceManagementApps.Read.All

    • DeviceManagementConfiguration: DeviceManagementConfiguration.Read.All

    • DeviceManagementManagedDevices: DeviceManagementManagedDevices.Read.All

    • DeviceManagementRBAC: DeviceManagementRBAC.Read.All

    • DeviceManagementServiceConfig: DeviceManagementServiceConfig.Read.All

    • Directory: Directory.Read.All

    • User: User.Read.All

  4. Click Grant admin consent for default directory, and then click Yes in the confirmation dialog. Your API permissions should resemble the following:

    Microsoft Azure grant admin consent for default directory

note

For additional information about Azure AD permissions, see Microsoft Azure documentation.

Types of data to retrieve

The Microsoft Intune connector can retrieve the following types of data from the Microsoft Graph API:

Connector ObjectRequiredMaps to Data Model
HostYesHost
Mobile DeviceYesDevice
info

For detailed steps on how to view the data retrieved from Microsoft Intune in the Brinqa Platform, see How to view your data.

Operation options

The Microsoft Intune connector supports operation options. See connector operation options for information about how to apply them.

The Microsoft Intune connector supports the filter operation option for both the Host and Mobile device connector objects. Filter is the key and for the supported values, see Microsoft documentation on using the filter query parameter.

APIs

The Microsoft Intune connector uses the Microsoft Graph REST API v1.0. Specifically, it uses the following endpoint:

  • GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices

Changelog

The Microsoft Intune connector has undergone the following changes:

3.1.6

  • Excluded 00000000-0000-0000-0000-000000000000 as a valid Azure Active Directory device ID.
  • Updated dependencies.

3.1.5

  • Fixed a null pointer exception when there's no filter provided.

3.0.1

  • Normalized the MAC_ADDRESS attribute in the Computer object.

3.0.0