After the release of App-based authentication for MS Intune Graph access, I decided to have a look at setup some Intune monitoring with Azure Monitor and integrating this with Microsoft Teams for alerting. What I am looking into in this blog post is monitoring of Apple Push Notification Certificate, Apple VPP and DEP tokens and the expiry date of this. If the Expiry date is less than 30 days I will post an alert to Microsoft Teams so that IT Admins are aware of the situation and can renew these before the date is passed.
Let us start with defining what we need for this all to work.
- Azure AD App with correct permissions in MS Graph
- A Team in MS Teams with a configured Webhook to receive the alert
- Azure Automation Account
- With a Scheduled Runbook in this Azure Automation (powershell script) to validate the tokens and certificate
Azure AD App Registration
To be able to authenticate fully unattended using a service principal instead of creating a service account with a password and a lot of rights in our tenant, we need to define a Azure AD App in Azure AD that we use for this purpose. Go to https://aad.portal.azure.com, click on Azure Active Directory and then App Registration.
Give your app a name, and keep the rest as default and click on register. You will then be redirected to this new apps properties blade.
Copy the Application (client) ID, we need that for later, but remember to keep it safe. Then click on View API permissions. We need to add some specific permissions for our runbook to work as we want. You can always go back and add more permissions if needed by another job, but try to always keep thinking least privileged access for all you do.
Click on Microsoft Graph
Then choose Application Permissions
Now we select just the type permissions we need, we will only need read access for this task, so that is all we are going to assign for now. The permissions we need are the following:
We now need to wait just a little but before we can Grant Consent to this application. When the button comes available you click on Grant admin consent for xxx, confirm by choosing your Global Admin account in the next window, and the accept the following permission request for our AzureAD Application.
And when we come back to the Azure Portal we should see that the Status on the permissions is Green and permissions are Granted for your organization.
The next thing we need to do on our application is to create a Client Secret. This is what is being used to authenticate from our monitoring runbook. Click on Certificates and secrets within your Azure AD App. On this page click on New Client Secret.
Now you must decide how long you want your secret to last before you have to renew it, and then click on Add. Just remember that if you forget to create new secrets for your app, the monitoring will stop working with an authentication failure.
IMPORTANT: WHEN YOU CLICK ON ADD, YOUR SECRET WILL SHOWED ON YOUR SCREEN ONLY ONCE. This means that if you do not copy this secret before you move away from this page, you will need to create a new one. So remember to copy this NOW into notepad or similar to have it ready for when we need it later on in this implementation. Now our Azure AD App is ready and we can move on to creating the Automation Account and setting up the runbook for monitoring.
Azure Automation Account
Now we need to create an Azure Automation account in Azure. To do that we go to portal.azure.com and log on with a user that has the rights to create resources in Azure. Either you need subscriptions rights, or preferably have rights on a resource group.
In the portal you click on Create Resource:
Search for Automation and select it. Click on Create
Here we need to choose a name for our Automation Account, choose subscription, resource group and location for the account. This will define where this will run and compute.
When this is done and you click on create the resource is being deployed in the background. Lets have a look on how this looks.
Now our automation account is ready for use. But before we go ahead and create the runbook, we need to create the MS Teams channel and webhook that our solution is going to post alerts to.
Creating the alerting channel in MS Teams
I recommend you create a separate team for monitoring activities, this can be expanded to monitoring of many other services as well. So when you have the Team, create a new channel and call it for instance “Intune Monitor”. When we have the channel we need to go and configure a connector on the channel it self. Click on the 3 dots on the channel to open up more options, and click on Connectors:
On the Connectors for Channel in Team page, search for Incoming Webhook and click on Configure.
Now we need to give the connector a name, and if you want you can also upload your own picture for the connector to visualize better inside MS Teams.
After we click on Create the Webhook URL comes visible. Please keep this URL safe as it is the only thing needed to post messages to this channel. Copy the webhook URL by clicking the button and keep it safe until we need it a bit later:
Now our Channel is ready and should have a single post that says that you have setup a connection to a incoming webhook.
Azure Automation Runbook
Now we must go back to the Azure Automation account we created and start configuring it to be ready for our runbook. The first thing we need is to define some important variables that the script will be needing. Variables needed are
- ClientID for our AzureAD Application
- ClientSecret for our AzureAD Application
- TenantName (onmicrosoft.com name)
- The Webhook URI
Under shared resources in the Automation Account you will find Variables.
Now click on Add a variable and define the variables above. When you define sensitive variables, remember to select that the variable should be encrypted. All variables should be configured as String
We also need 1 PowerShell Module for this to work. Go to Modules Gallery inside your automation account and search for Intune. Select Microsoft.Graph.Intune and click on Import.
When you click on Create it will redirect you to a PowerShell editor. Now go to our Github and download the runbook here: https://github.com/SCConfigMgr/Intune/blob/master/Automation/Monitor-IntuneAppleConnectors.ps1 When you have the script, open it up and copy it over to your PowerShell editor window.
Now in this windows there are a few things we need to change in the script based on our configuration, and that is the name of the variables you created, and potentially how long before expiry of token you want to be alerted.
For testing purposes you could change the notification ranges to 365 days to make sure get your alerts delivered to your Teams Channel. Nothing else needs to be changed in this script. Now click on Test Pane on the top to test your script and click on Start
The result should look like this, depending on your notification range configuration:
Now the only thing left to do is to Publish the runbook and create a preferred schedule.
Schedule: Go to Resources – Schedules and Click on Add a Schedule
Click on Create and you are ready to go. Now just monitor the first week that your runbooks is working. And also remember to set your notification range to something usefull like 30 days.
This post is showing only 1 use case for monitoring or automation regarding Intune. There is truly so much more you can do. Follow our blog for more in this area.
Jan Ketil is an Enterprise Mobility MVP since 2016 and are working as a COO and Principal Cloud Architect at CloudWay AS in Norway. He has been in the industry for about 20 years working for both Microsoft Partners and Microsoft. He loves to speak about anything around Enterprise Mobility and Secure Productivity. Jan Ketil has presented at large industry conferences like Microsoft Ignite, Microsoft Inspire, Experts Live Europe, IT/DevConnections and NIC Conference in Oslo. He has also previously spoken at several occasions locally in Scandinavia for years. Jan ketil is also in charge of bringing the Experts Live community conference to Norway by organizing the Experts Live Norway. He is also one of the founders and speaker of a yearly community day “MVP Dagen” in Norway