
    MEM Monitoring: Autopilot Profile Assignment Monitoring

    By Peter Klapwijk | August 18, 2022 | Updated: February 14, 2025

    In response to the MEM Monitoring series, which I posted in the Modern Endpoint Management LinkedIn group, I was asked if it is also possible to get a notification in case an Autopilot object is not assigned a deployment profile. Yes, this is possible with a pretty simple Logic Apps flow, where we send a notification to a Teams channel, for example.

    This blog post is part of the MEM (Intune) Monitoring series. An article with a short explanation of every MEM Monitoring flow I shared and links to the related articles can be found here.

    So let’s quickly have a look at how simple that solution is.

    The solution in short

    We can query Microsoft Graph for the Autopilot objects using a Logic Apps flow in Azure, which runs on a daily basis. We query all Autopilot objects in our tenant and check if deploymentProfileAssignmentStatus equals notAssigned. If that is true, we send a message to Teams via a Teams webhook.

    Requirements

    We don’t have many requirements for this simple flow; we only need an Azure Managed Identity. The managed identity should have enough permissions to query Microsoft Graph for the required information.
    The required Graph (application) permission is DeviceManagementServiceConfig.Read.All.

    And if you want to receive the notification in Teams, you must configure a webhook in the Teams channel.
    Another option is to create a report and send it via email.

    Set up the Logic App flow

    When the Managed identity is created, we can start creating the flow.

    Sign in to the Azure portal and open the Logic App service. I created a blank Logic App of type Consumption.



    When the flow is created, click on the name of the flow at the top of the screen, open the Identity section, and on the tab User assigned add your Managed Identity.

    Open the Overview tab, which shows a few templates, and choose Recurrence.

    Change the interval settings to your needs.

    Next, we add our first HTTP action.
    As Method select GET.
    As URI enter:

    https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities

    Choose Add Parameter and select Authentication.
    As Authentication type select Managed identity.
    Select your Managed identity from the list.
    And add https://graph.microsoft.com as Audience.

    Next, we need to add a new Parse JSON action. We parse the output of the HTTP action, to be able to use the values later on in the flow.
    As Content, we select Body from the Dynamic content list that is from our HTTP action.
    As Schema, we can run the current flow and grab the body from the HTTP action and add it via the Use sample payload option. We can also grab the body when we run the same query via Graph Explorer.

    This is the schema:

    {
        "properties": {
            "@@odata.context": {
                "type": "string"
            },
            "@@odata.count": {
                "type": "integer"
            },
            "value": {
                "items": {
                    "properties": {
                        "addressableUserName": {
                            "type": "string"
                        },
                        "azureActiveDirectoryDeviceId": {
                            "type": "string"
                        },
                        "azureAdDeviceId": {
                            "type": "string"
                        },
                        "deploymentProfileAssignedDateTime": {
                            "type": "string"
                        },
                        "deploymentProfileAssignmentDetailedStatus": {
                            "type": "string"
                        },
                        "deploymentProfileAssignmentStatus": {
                            "type": "string"
                        },
                        "deviceAccountPassword": {},
                        "deviceAccountUpn": {
                            "type": "string"
                        },
                        "deviceFriendlyName": {},
                        "displayName": {
                            "type": "string"
                        },
                        "enrollmentState": {
                            "type": "string"
                        },
                        "groupTag": {
                            "type": "string"
                        },
                        "id": {
                            "type": "string"
                        },
                        "lastContactedDateTime": {
                            "type": "string"
                        },
                        "managedDeviceId": {
                            "type": "string"
                        },
                        "manufacturer": {
                            "type": "string"
                        },
                        "model": {
                            "type": "string"
                        },
                        "productKey": {
                            "type": "string"
                        },
                        "purchaseOrderIdentifier": {
                            "type": "string"
                        },
                        "remediationState": {
                            "type": "string"
                        },
                        "remediationStateLastModifiedDateTime": {
                            "type": "string"
                        },
                        "resourceName": {
                            "type": "string"
                        },
                        "serialNumber": {
                            "type": "string"
                        },
                        "skuNumber": {
                            "type": "string"
                        },
                        "systemFamily": {
                            "type": "string"
                        },
                        "userPrincipalName": {
                            "type": "string"
                        }
                    },
                    "required": [
                        "id",
                        "deploymentProfileAssignmentStatus",
                        "deploymentProfileAssignmentDetailedStatus",
                        "deploymentProfileAssignedDateTime",
                        "groupTag",
                        "purchaseOrderIdentifier",
                        "serialNumber",
                        "productKey",
                        "manufacturer",
                        "model",
                        "enrollmentState",
                        "lastContactedDateTime",
                        "addressableUserName",
                        "userPrincipalName",
                        "resourceName",
                        "skuNumber",
                        "systemFamily",
                        "azureActiveDirectoryDeviceId",
                        "azureAdDeviceId",
                        "managedDeviceId",
                        "displayName",
                        "deviceAccountUpn",
                        "deviceAccountPassword",
                        "deviceFriendlyName",
                        "remediationState",
                        "remediationStateLastModifiedDateTime"
                    ],
                    "type": "object"
                },
                "type": "array"
            }
        },
        "type": "object"
    }

    This is the Parse JSON Action.

    Now we add a Condition action which is a Control action.
    We check if deploymentProfileAssignmentStatus has a value of notAssigned.

    In the left box, add deploymentProfileAssignmentStatus from the Dynamic content. Choose is equal to from the drop-down list and enter notAssigned in the right box.

    By adding the dynamic content, the Condition is added to a For each action.

    If the deploymentProfileAssignmentStatus has a value of notAssigned, the condition is true. So under True we add the action to send a notification. We use another HTTP action, to send a message to Teams.

    Choose POST as method.
    Enter your Teams webhook URL in the URI field. In the Body field, we enter the text we would like to send to the Teams channel. We can use dynamic content (variables) from the previous Parse JSON action and enter our own text.
    Use \n\n in the text to create new lines in the text message; otherwise, the message consists of one long line of text.
    And I used ** to get some text in bold.

    And this is our flow! Simple, isn’t it?


    And this is my notification in Teams, which notifies me about the Autopilot object which doesn’t have a deployment profile assigned.
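
The same check as the flow above, as an added Python example that is not part of the original post; it also follows `@odata.nextLink` in case Graph splits the result over several pages. The `{"text": ...}` webhook body, the function names and the sample devices are assumptions made for illustration.

```python
import json

GRAPH_URL = ("https://graph.microsoft.com/beta/deviceManagement/"
             "windowsAutopilotDeviceIdentities")
NEXT_URL = GRAPH_URL + "?$skiptoken=constructed"  # constructed paging link

# Constructed sample responses, shaped like the body the Parse JSON action receives.
SAMPLE_PAGES = {
    GRAPH_URL: {
        "@odata.nextLink": NEXT_URL,
        "value": [
            {"id": "constructed-1", "serialNumber": "SN-0001", "groupTag": "Sales",
             "deploymentProfileAssignmentStatus": "assignedInSync"},
            {"id": "constructed-2", "serialNumber": "SN-0002", "groupTag": "",
             "deploymentProfileAssignmentStatus": "notAssigned"},
        ],
    },
    NEXT_URL: {
        "value": [
            {"id": "constructed-3", "serialNumber": "SN-0003", "groupTag": None,
             "deploymentProfileAssignmentStatus": "notAssigned"},
        ],
    },
}

def iter_devices(fetch, url=GRAPH_URL):
    """Yield every Autopilot object; fetch(url) must return the parsed JSON body."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page

def not_assigned(devices):
    """Same test as the Condition action: status is equal to notAssigned."""
    return [d for d in devices
            if d.get("deploymentProfileAssignmentStatus") == "notAssigned"]

def teams_body(device):
    """Build the webhook body; \\n\\n gives line breaks, ** gives bold."""
    lines = [
        "**Autopilot device without deployment profile**",
        f"Serial number: {device.get('serialNumber') or 'unknown'}",
        f"Group tag: {device.get('groupTag') or 'none'}",
    ]
    return json.dumps({"text": "\n\n".join(lines)})

if __name__ == "__main__":
    for dev in not_assigned(iter_devices(SAMPLE_PAGES.__getitem__)):
        print(teams_body(dev))
```

In a real run, `fetch` would perform the authenticated GET and each body would be sent with a POST to the webhook URL, which should be stored as a secret because anyone who holds it can post to the channel.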

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.


    3 Comments

    1. Omer on September 13, 2022 15:44

      Hello Peter,

      I used the teams body part that you used while assigning the device series that does not assign a profile to the teams channel, but I am getting a 400 error. I checked the Teams uri, it’s correct, but I couldn’t solve the error.

      • Peter Klapwijk on September 16, 2022 20:24

        Hi Omer,

        I understand you used the built-in Teams action to send messages. That’s indeed also an option.

        Regards,

        Peter

    2. Rich Wells on April 15, 2023 00:12

      Hello Peter,

      I have created the flow with the listed steps. No errors or warnings are shown in the Flow checker. However, the specified condition says the Expression Result: false and the HTTP POST webhook reports the following message:
      ActionBranchingConditionNotSatisfied. The execution of template action ‘HTTP_POST_Teams_Webhook’ skipped: the branching condition for this action is not satisfied.

      Any assistance would be greatly appreciated. RWells
