Get notified on Intune Configuration profile changes

You have configured your configuration profiles, compliance policies etc. in Microsoft Intune and after a lot of testing, piloting, and even more testing you are now live in production! Time to celebrate!

But now that the environment is in production, a change in one of your production profiles might have a (big) impact on the user experience and maybe a policy change might even need approval by the Change Advisory Board.

We already have an audit log available in the Endpoint Manager admin center. So the policy changes are all already available but there is no option to get notified on profile changes. I’d rather be notified by a profile change, instead that I need to dig in the logs as an incident is report about users with issues which might be caused by a profile change.

Wouldn’t it be handy to get notified when one of the production profiles is (by accident) changed?

As the events are available via Graph API, we should be able to build something to get this job done with Logic Apps.

And I don’t want to be notified of every policy change, but only on changes to production profiles. If we make sure we have a naming convention implemented, by which we can make a shift between production (PRD) and test (TST) profiles we can do some filtering in the Logic Apps flow.

When we have such a flow in place, we can get a notification for example via Teams or e-mail.

Let’s see how to build such a Logic Apps flow.

The solution in short

The flow which we are going to build isn’t really large.

The flow starts with a Recurrence trigger. You can schedule it to run once a day, once an hour, multiple times a day. Whatever is needed.

Every run (in my example every hour), Microsoft Graph is queried for the audit events via an HTTP action. At that moment the audit events are retrieved from the previous hour.

After this we use a Select action, to filter out the data we need in hour notification.

To further process this data, we parse the data with a Parse JSON action.

To get the filtering done, we use a Condition action. By this action, we drop the events from profiles which are not in production and only process the events from production profiles.

In my example I use an HTTP Post action, to post a message in a Teams channel.

<br>

<br>

Requirements

We do have some requirements to get this flow up and running. First of all, we need an Azure App Registration. We need the app registration to authenticate to Microsoft Graph to perform an HTTP action. On this app registration, we set permissions so we are allowed to get the audit events via our queries. The minimum permission for this flow is DeviceManagementApps.Read.All.

To secure the HTTP actions I use an Azure Key Vault, which is described in this previous post.

In this example, I use an HTTP Action to send a notification to a Teams channel. For this, a Teams incoming webhook connector needs to be in place.
You could also send an email, by using an Send email action.

Setup the Logic Apps flow

Sign in to the Azure portal and open the Logic Apps service. Here create a new, blank Logic App.

Open the flow and in the search box for connections and triggers search for Schedule. Select Schedule and select Recurrence which functions as our flow trigger.

I choose to run this Logic Apps flow every hour.

The first action we add is an Azure Key Vault action to retrieve the secret for authentication of the upcoming HTTP action. Search for Azure Key Vault and select Get secret.

Enter at least the Vault name and click sign-in.

Enter the name of the secret.

Add an HTTP action.
As Method select GET.
As URI enter:

https://graph.microsoft.com/beta/deviceManagement/auditEvents?$filter=%20activityDateTime%20gt%20

This URI is followed by an expression. The expression adds the current time (UTC) minus 1 hour. Or the current time minus one day. Which expression needs to be used, depends on how often the flow is triggered

The expression for minus 1 hour is:

formatDateTime(addHours(utcNow(),-1),'yyyy-MM-ddTHH:mm:ssZ')

The expression for minus 1 day is:

formatDateTime(addDays(utcNow(),-1),'yyyy-MM-ddTHH:mm:ssZ')

In the HTTP action check Authentication and choose Active Directory OAuth as Authentication type. Enter the TenantClient ID (from the app registration) and Audience.
And make sure to select the Key Vault secret value from the Key Vault action (found via Dynamic content).

This is how our HTTP action looks like.

Below is an example of the output from the HTTP action.
I want to get some values from this output to add in my notifications like:
displayName
displayName (found under resources)
activityDateTime
componentName
activityOperationType
userPrincipalName (found under actor)
type (found under actor)

As one of this output values is in an Array element, we can’t just use a Parse JSON to get the value (this would return the whole array). For this we need to use an expression with an integer index. Therefor we use an Select action, to get all values.

We add a Data Operations action called Select.

We use an expression to get the data from the output body of the HTTP output. Add below expression in the From field via the expression tab. Make sure to replace HTTP_ACTION_NAME with the name of your HTTP action, but with underscores instead of spaces.

body('HTTP_ACTION_NAME')?['value']

Next enter all the key names on the left. You can choose the key names yourself.

On the right, we need the values (items) from the previous HTTP action.
To grab these items we use an expression like below:

item()?['ITEMNAME']

For example to get the activityDateTime:

item()?['activityDateTime']

When the item is located under another object, we need an expression like below, as userPrincipalName is located under actor:

item()?['actor']?['userPrincipalName']

This is not possible for an Array, like Resources. We need to use an integer index. As the displayname is located in the first level of the array [0] as the integer index starts with a 0.

item()['Resources']?[0]?['displayName']

The expressions I used:

item()?['displayName']
item()['Resources']?[0]?['displayName']
item()?['activityDateTime']
item()?['componentName']
item()?['activityOperationType']
item()?['actor']?['userPrincipalName']
item()?['actor']?['type']

Enter all the expression one by one.

This is the complete Select action.

Save the Logic App and run the flow.
When it’s finished open the flow from the Runs history and open the Select action.
Copy the Outputs body. We use this as a sample payload in the next action.

When the outputs field doesn’t contain any data, no changes are made during the last hour. Make a minor change to one of your Intune profiles.

Next we add a Parse JSON action, which is also a Data Operations action.
As content, we use the Output from the previous Select action.
We fill the schema by using the sample payload we just copied in the previous step. Click Use sample payload to generate the schema and paste the copied data in the box which will generate the schema.

To filter out non production audit events we can make use of a Condition, which is a Control action. I filter on the displayname found under resources as my production profiles al start with PRD in their displayname.

When the audit event contains a displayname starting with PRD, the outcome of the condition is True. So our flow continues under True (and stops when the outcome is False).
Add another HTTP action (under True).

As Method select POST.
As URI enter the incoming webhook URL.
As Headers enter Content-Type – application/json

In the body, we add the text and title in JSON format. Below is the JSON format we need to use for this, without our variables:

{
 "text": "WRITE YOUR MESSAGE TEXT HERE",
  "title": "WRITE YOUR TITLE HERE"
}

We can use dynamic content (variables) from the previous PARSE JSON action and enter our own text.
Use \n\n in the text to create new lines in the text message, otherwise, the message consists of one long line of text.
And I used ** to get some text in bold.

This is the JSON from my above example:

{
  "text": "**Activity:** @{items('For_each_2')['displayName']}\n\n **Profile Name:** @{items('For_each_2')['ResourcesDisplayname']}\n\n **Date:** @{items('For_each_2')['activityDateTime']}\n\n **Component Name:** @{items('For_each_2')['componentName']}\n\n **Actor:** \n\n **UPN:** @{items('For_each_2')['UPN']}\n\n **Type:** @{items('For_each_2')['actortype']}\n\n",
  "title": "Intune profile activity '@{items('For_each_2')['ResourcesDisplayname']}' - @{items('For_each_2')['activityOperationType']}"
}

This is the flow to get notified on Intune profiles changes:

I’ve chosen to not include the modified properties to the notification itself. This would make the notification a mess as the modified properties could contain a lot of (unstructered) data. With the information we do have in the notification we can lookup the event in the audit section in the portal

But you could for example choose to send an email (instead of a Teams message) and add the modified properties data to an email attachment.

Thanks for reading the article!