After the release of app-based authentication for MS Intune Graph access, I decided to have a look at setting up some Intune monitoring with Azure Monitor and integrating it with Microsoft Teams for alerting. What I am looking into in this blog post is monitoring of the Apple Push Notification certificate, Apple VPP tokens and DEP tokens, and their expiry dates. If an expiry date is less than 30 days away, I will post an alert to Microsoft Teams so that IT admins are aware of the situation and can renew these before the date has passed.

Let us start with defining what we need for this all to work.

  • Azure AD App with correct permissions in MS Graph
  • A Team in MS Teams with a configured Webhook to receive the alert
  • Azure Automation Account
    • With a Scheduled Runbook in this Azure Automation (powershell script) to validate the tokens and certificate

Azure AD App Registration

To be able to authenticate fully unattended using a service principal, instead of creating a service account with a password and a lot of rights in our tenant, we need to define an Azure AD App in Azure AD that we use for this purpose. Go to https://aad.portal.azure.com, click on Azure Active Directory and then App Registration.

On the top of the page click on + New Registration

Give your app a name, keep the rest as default and click on Register. You will then be redirected to the new app's properties blade.

Copy the Application (client) ID; we need it later, but remember to keep it safe. Then click on View API permissions. We need to add some specific permissions for our runbook to work as we want. You can always go back and add more permissions if needed by another job, but always keep thinking least privileged access for everything you do.

Click on Microsoft Graph

Then choose Application Permissions

Now we select just the permissions we need. We will only need read access for this task, so that is all we are going to assign for now. The permissions we need are the following:

  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementServiceConfig.Read.All

We now need to wait just a little bit before we can grant consent to this application. When the button becomes available, click on Grant admin consent for xxx, confirm by choosing your Global Admin account in the next window, and then accept the permission request for our Azure AD application.

And when we come back to the Azure Portal we should see that the Status on the permissions is Green and permissions are Granted for your organization.

The next thing we need to do on our application is to create a Client Secret. This is what is being used to authenticate from our monitoring runbook. Click on Certificates and secrets within your Azure AD App. On this page click on New Client Secret.


Now you must decide how long you want your secret to last before you have to renew it, and then click on Add. Just remember that if you forget to create new secrets for your app, the monitoring will stop working with an authentication failure.


IMPORTANT: WHEN YOU CLICK ON ADD, YOUR SECRET WILL BE SHOWN ON YOUR SCREEN ONLY ONCE.
This means that if you do not copy this secret before you move away from this page, you will need to create a new one. So remember to copy it NOW into Notepad or similar to have it ready for when we need it later on in this implementation. Now our Azure AD App is ready and we can move on to creating the Automation Account and setting up the runbook for monitoring.

Azure Automation Account

Now we need to create an Azure Automation account in Azure. To do that we go to portal.azure.com and log on with a user that has the rights to create resources in Azure. Either you need subscription rights, or preferably have rights on a resource group.

In the portal you click on Create Resource:

Search for Automation and select it. Click on Create

Here we need to choose a name for our Automation Account, choose subscription, resource group and location for the account. This will define where this will run and compute.


When this is done and you click on Create, the resource is deployed in the background. Let's have a look at how this looks.


Now our automation account is ready for use. But before we go ahead and create the runbook, we need to create the MS Teams channel and webhook that our solution is going to post alerts to.

Creating the alerting channel in MS Teams

I recommend you create a separate team for monitoring activities; this can be expanded to monitoring of many other services as well. When you have the Team, create a new channel and call it for instance “Intune Monitor”. When we have the channel we need to configure a connector on the channel itself. Click on the 3 dots on the channel to open up more options, and click on Connectors:

On the Connectors for Channel in Team page, search for Incoming Webhook and click on Configure.

Now we need to give the connector a name, and if you want you can also upload your own picture for the connector to visualize better inside MS Teams.

After we click on Create, the Webhook URL becomes visible. Please keep this URL safe, as it is the only thing needed to post messages to this channel. Copy the webhook URL by clicking the button and keep it safe until we need it a bit later:

Now our channel is ready and should have a single post that says that you have set up a connection to an incoming webhook.

Azure Automation Runbook

Now we must go back to the Azure Automation account we created and start configuring it to be ready for our runbook. The first thing we need is to define some important variables that the script will need. The variables needed are:

  • ClientID for our AzureAD Application
  • ClientSecret for our AzureAD Application
  • TenantName (onmicrosoft.com name)
  • The Webhook URI

Under shared resources in the Automation Account you will find Variables.

Now click on Add a variable and define the variables above. When you define sensitive variables, remember to select that the variable should be encrypted. All variables should be configured as String.

As you can see, the sensitive variables are hidden and encrypted. You can still get them from the runbook, so make sure you are controlling who can create a runbook to run in your automation account.

We also need one PowerShell module for this to work. Go to Modules Gallery inside your automation account and search for Intune. Select Microsoft.Graph.Intune and click on Import.

Now we are ready to start with our runbook. Inside your automation account – Process Automation – click on Runbooks – Create a runbook.

When you click on Create it will redirect you to a PowerShell editor. Now go to our GitHub and download the runbook here: https://github.com/SCConfigMgr/Intune/blob/master/Automation/Monitor-IntuneAppleConnectors.ps1. When you have the script, open it up and copy it over to your PowerShell editor window.

Now in this window there are a few things we need to change in the script based on our configuration: the names of the variables you created, and potentially how long before expiry of a token you want to be alerted.

# Define your notification ranges (days before expiry at which an alert is posted)
$AppleMDMPushCertNotificationRange = '30'
$AppleVPPTokenNotificationRange = '30'
$AppleDEPTokenNotificationRange = '30'
# Grab variables from the automation account – these names must match your variable names in the Azure Automation Account
$TenantName = Get-AutomationVariable -Name 'TenantName'
$AppID = Get-AutomationVariable -Name 'IntuneMonitorClientID'
$AppSecret = Get-AutomationVariable -Name 'IntuneMonitorClientSecret'
$Uri = Get-AutomationVariable -Name 'IntuneMonitorTeamsUri'

For testing purposes you could change the notification ranges to 365 days to make sure you get your alerts delivered to your Teams channel. Nothing else needs to be changed in this script. Now click on Test pane at the top to test your script and click on Start.
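To show what the runbook has to do between those variables and the Teams post, here is an added example of the core check. It is not the blog's Monitor-IntuneAppleConnectors.ps1 script and it does not use the Microsoft.Graph.Intune module; it calls Graph directly with the client-credentials flow the app registration above enables (the APNs certificate and VPP token endpoints are in v1.0, DEP onboarding settings are only in the beta endpoint). The function names Get-GraphToken, Get-AppleConnectorExpiry, Test-ConnectorExpiry and New-TeamsAlertCard are my own, and the sample connector data at the bottom is constructed so the expiry logic and the MessageCard payload can be exercised offline without a tenant.

```powershell
# Added example (not the blog's runbook): Apple connector expiry check with
# Graph client-credentials auth and a Teams Incoming Webhook MessageCard.
# Function names are hypothetical; Graph endpoints are the documented ones.

function Get-GraphToken {
    param([string]$TenantName, [string]$AppID, [string]$AppSecret)
    # Client-credentials flow: no user involved, only the consented application permissions
    $body = @{
        client_id     = $AppID
        client_secret = $AppSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
    return $resp.access_token
}

function Get-AppleConnectorExpiry {
    param([string]$AccessToken)
    # Normalises the three connector types into objects with Type, Name and ExpirationDateTime
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $items = @()
    $apns = Invoke-RestMethod -Headers $headers `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
    $items += [pscustomobject]@{ Type = 'APNs certificate'; Name = $apns.appleIdentifier
                                 ExpirationDateTime = [datetime]$apns.expirationDateTime }
    $vpp = Invoke-RestMethod -Headers $headers -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/vppTokens'
    foreach ($t in $vpp.value) {
        $items += [pscustomobject]@{ Type = 'VPP token'; Name = $t.organizationName
                                     ExpirationDateTime = [datetime]$t.expirationDateTime }
    }
    $dep = Invoke-RestMethod -Headers $headers -Uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'
    foreach ($t in $dep.value) {
        $items += [pscustomobject]@{ Type = 'DEP token'; Name = $t.tokenName
                                     ExpirationDateTime = [datetime]$t.tokenExpirationDateTime }
    }
    return $items
}

function Test-ConnectorExpiry {
    param([object[]]$Connectors, [int]$NotificationRangeDays,
          [datetime]$Now = (Get-Date).ToUniversalTime())
    # Emits one alert per connector that is already expired or expires within the range.
    # Ceiling keeps an already-expired token at e.g. -3 rather than -4 days.
    foreach ($c in $Connectors) {
        $daysLeft = [int][math]::Ceiling(($c.ExpirationDateTime.ToUniversalTime() - $Now).TotalDays)
        if ($daysLeft -le $NotificationRangeDays) {
            [pscustomobject]@{ Type = $c.Type; Name = $c.Name; DaysLeft = $daysLeft
                               Expires = $c.ExpirationDateTime.ToString('yyyy-MM-dd') }
        }
    }
}

function New-TeamsAlertCard {
    param([object[]]$Alerts)
    # Legacy Office 365 connector (Incoming Webhook) MessageCard payload
    $lines = $Alerts | ForEach-Object {
        "- **$($_.Type)** '$($_.Name)' expires $($_.Expires) ($($_.DaysLeft) days left)"
    }
    $card = [ordered]@{
        '@type'    = 'MessageCard'
        '@context' = 'https://schema.org/extensions'
        summary    = 'Intune Apple connector expiry'
        themeColor = 'FF0000'
        title      = 'Intune Apple connector expiry warning'
        text       = ($lines -join "`n`n")
    }
    return ($card | ConvertTo-Json -Depth 4)
}

# Constructed sample data so the check runs offline; in the runbook you would instead call
# Get-AppleConnectorExpiry -AccessToken (Get-GraphToken $TenantName $AppID $AppSecret)
$sample = @(
    [pscustomobject]@{ Type = 'APNs certificate'; Name = 'mdm@contoso.example'; ExpirationDateTime = (Get-Date).AddDays(12) }
    [pscustomobject]@{ Type = 'VPP token';        Name = 'Contoso Sales';        ExpirationDateTime = (Get-Date).AddDays(200) }
    [pscustomobject]@{ Type = 'DEP token';        Name = 'Contoso DEP';          ExpirationDateTime = (Get-Date).AddDays(-3) }
)
$alerts = @(Test-ConnectorExpiry -Connectors $sample -NotificationRangeDays 30)
if ($alerts.Count -gt 0) {
    $payload = New-TeamsAlertCard -Alerts $alerts
    $payload   # in the runbook: Invoke-RestMethod -Method Post -Uri $Uri -Body $payload -ContentType 'application/json'
}
```

With the sample data and a 30-day range, the APNs certificate (12 days) and the already-expired DEP token (-3 days) produce alerts while the VPP token (200 days) does not, which is the behaviour the blog describes. Keeping the expiry logic in a function that takes the connector list as input also makes it easy to test the runbook without waiting for a real token to approach expiry.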

The result should look like this, depending on your notification range configuration:

So now let's take a quick look at how this looks inside Teams:

Now the only thing left to do is to Publish the runbook and create a preferred schedule.

Publish:

Schedule: Go to Resources – Schedules and Click on Add a Schedule

Click on Create and you are ready to go. Now just monitor during the first week that your runbook is working. And also remember to set your notification range to something useful like 30 days.

This post shows only one use case for monitoring or automation regarding Intune. There is truly so much more you can do. Follow our blog for more in this area.


Comments
  • Ryan Morren, posted at 10:58 January 6, 2020

    Would there be a way to run this for multi-tenancy? I.E. “Customer No.1’s APN certificate is expiring in 30 days”

    • Jan Ketil Skanke, posted at 11:37 January 6, 2020

      Yes, it is possible to do this across more tenants. The easiest way would be to implement the runbook in each customer, and use the same webhook URI. Then you could just include the customer name in the message card you send.
      If you want to run this in your own environment, you could just run a separate runbook per customer to make this work, but the Azure AD App needs to be set up in each Azure AD tenant.
