How to monitor your Microsoft Intune tenant with Logic Apps

I have been working with Microsoft Intune for about 6 years now and have seen it evolve from the Silverlight portal to the Microsoft Endpoint Manager admin center we have today. A lot has changed: new features are released every month and the product keeps getting better.

But a feature that I still miss is some form of monitoring of the Intune environment with notifications. Of course, all the information is available in the Intune portal itself, but I’m not continuously looking at the service health blade, or at the Intune audit data to see whether somebody changed one of the production policies.

So, for some of the Intune parts I’d like to monitor and receive a notification of, I’ve built my own monitoring and notification solution. As all this information is available via Microsoft Graph, there are several ways to pull this data from Graph and process it further. As I’m not a scripting guru, I decided to use Microsoft Logic Apps for my solutions.

With a Logic Apps HTTP action, I can pull the data from Microsoft Graph on a recurring basis, process the information to my needs, and send a notification to a Microsoft Teams channel for example, or create a CSV report and send it to my mailbox.

On this website, I shared several different Intune monitoring solutions in the “Intune Monitoring series”, which I briefly summarize in this article to give you a quick overview of the possibilities you can easily create yourself.

Get your Windows Autopilot deployment events in a Teams channel with Logic Apps

One of the first Logic Apps flows I built was one that sends a notification once an hour about the Autopilot enrollments. At my employer we already received such notifications in Teams when a machine finished the imaging process with SCCM, so I wanted to investigate whether something like that was also possible for Autopilot enrollments.

We have the Autopilot deployments tab in the Monitor section available (in preview) in the Intune portal, so at least the data is available. With a Teams webhook, it is possible to send a message for every successful or failed deployment to a Teams channel.

If you’re interested in the solution, the blog post can be found here.

Get Intune Service Health messages in a Teams channel

I would also like to receive service health messages related to Intune in my Teams app. I know this information can easily be sent via email, but I’d like to receive it in Teams. Again, I built a flow in Logic Apps to pull the service health messages via Microsoft Graph (initially via the Office 365 Management API, which is now deprecated) and send the messages to a Teams channel.

This solution could also be used to receive all Microsoft 365 service health messages, or filtered for any other service. The full article on this topic can be found here.

Get notified on Intune Configuration profile changes

You have configured your configuration profiles, compliance policies etc. in Microsoft Intune and after a lot of testing, piloting, and even more testing you are now live in production! Time to celebrate!

But now that the environment is in production, a change in one of your production profiles might have a (big) impact on the user experience, and a policy change might even need approval by the Change Advisory Board.

Policy changes can be found in the audit logs, but you might want to receive a notification when a production profile is changed.

In this blog post I wrote, I show a flow that runs every hour and sends a Teams message for every profile change made in the previous hour.

Another option would be to run the flow on a daily or weekly basis and create a CSV report which you receive via email.

Monitor security baselines in Endpoint Security

In Intune, we have several security baselines available. If you are using these security baselines, it is important to keep track of new versions of the baselines. If a new version is available, you want to review the (new/changed) baseline settings and apply them to your devices. But out of the box, there is no notification for this.

Besides that, if you want to keep your environment cleaned up, you might also want to be notified when you have baseline profiles that are not assigned.

Again, Logic Apps and Microsoft Graph come to the rescue, as you can read in this post.

MEM Assignment monitoring to keep your tenant cleaned up

I don’t know what your Intune (lab) tenant looks like, but at least my lab tenants become a bit messy. I would like to receive a report occasionally with an overview of all the items in Intune which are not assigned anymore and might get cleaned up. After reviewing the listed configuration items, I can decide whether to delete the items or not.

The flow which I created and shared in this post pulls almost every item found in Intune, except the unassigned applications. Grabbing all the other items via Graph already makes the flow a bit large, so a flow to monitor the unassigned apps will be a separate one (in the future 😉).

This flow can be found here.

Autopilot Profile Assignment Monitoring

This is a flow that I created after a question that was asked in the Modern Endpoint Management LinkedIn group.

He wanted to get notified about Windows Autopilot registrations that do not have a deployment profile assigned, so he can be sure that a profile is always assigned during enrollment of a device.

OK, no problem. I created a simple flow that grabs the Windows Autopilot device identities from MS Graph and checks the value of the assignment status. If the status is not assigned, a message is sent via a Teams webhook.
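As an added illustration (not the author’s flow or code), the logic of that Autopilot assignment flow written as a small Python script instead of Logic Apps actions: paging through the Graph response, filtering on deploymentProfileAssignmentStatus, and building the Teams webhook body. The beta endpoint and the notAssigned status value are the real ones; the response pages and serial numbers are constructed, and the HTTP action is replaced by an injectable get function so the script runs offline.

```python
from typing import Callable, Iterator
AUTOPILOT_URL = "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities"
PAGE2_URL = AUTOPILOT_URL + "?$skiptoken=page2"  # constructed continuation link

# Constructed sample of a paged Graph response. Graph returns one page plus an
# @odata.nextLink; a flow that only reads the first "value" array misses devices.
SAMPLE_PAGES = {
    AUTOPILOT_URL: {
        "value": [
            {"serialNumber": "SN-0001", "model": "Model A", "deploymentProfileAssignmentStatus": "assignedInSync"},
            {"serialNumber": "SN-0002", "model": "Model B", "deploymentProfileAssignmentStatus": "notAssigned"},
        ],
        "@odata.nextLink": PAGE2_URL,
    },
    PAGE2_URL: {
        "value": [
            {"serialNumber": "SN-0003", "model": "Model C", "deploymentProfileAssignmentStatus": "pending"},
            {"serialNumber": "SN-0004", "model": "Model D", "deploymentProfileAssignmentStatus": "notAssigned"},
        ],
    },
}

def offline_get(url: str) -> dict:
    """Stand-in for the Logic Apps HTTP GET action, serving the constructed pages."""
    return SAMPLE_PAGES[url]

def iter_autopilot_devices(get: Callable[[str], dict], url: str = AUTOPILOT_URL) -> Iterator[dict]:
    """Yield every device identity, following @odata.nextLink until none is left."""
    while url:
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def find_unassigned(devices) -> list:
    """Keep identities whose deploymentProfileAssignmentStatus is notAssigned."""
    return [d for d in devices if d.get("deploymentProfileAssignmentStatus") == "notAssigned"]

def build_teams_message(unassigned: list):
    """Body for a Teams incoming webhook (MessageCard format); None means nothing to send."""
    if not unassigned:
        return None
    lines = [f"- {d['serialNumber']} ({d.get('model', 'unknown model')})" for d in unassigned]
    return {
        "@type": "MessageCard",
        "@context": "http://schema.org/extensions",
        "summary": "Autopilot devices without deployment profile",
        "title": f"{len(unassigned)} Autopilot device(s) without a deployment profile",
        "text": "\n".join(lines),
    }
```

In the real flow, offline_get is the HTTP action with a bearer token from the app registration or managed identity, and the returned dict is the body of the Teams webhook POST.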

The blog post is found here.

Create a Windows Driver update approval report with Logic Apps

In this blog post, I describe a Logic Apps flow that creates an Excel overview of all the Windows drivers that need to be reviewed in Intune. The Excel sheet is sent via e-mail and functions as a reminder to review the newly published drivers.

This is related to the feature to manage Windows drivers and firmware with Microsoft Intune.

The blog post is found here.

Wrap up

Currently, these are all the Intune monitoring Logic Apps with notifications I created to keep an eye on the Intune environment. But probably more will follow.

To create one of these yourself, just follow all the steps in the corresponding blog post. You will learn how to build the flow and all the actions it needs.

But I also shared the flows on my GitHub repository, most with Bicep files for easy deployment (the others will follow).

In case you start using a (user-assigned) Managed Identity instead of an App Registration for authentication to MS Graph, read this article on how to create such an identity.

Let me know what you think of the solutions and if you think something is missing from the list of items to monitor, let me know in the comments here or under one of the articles!
