This article walks you through provisioning the Azure application that Expel uses to query the Microsoft Graph device management endpoint, which lets Expel Workbench collect logs from Microsoft Intune.

Prerequisites

  1. You must be able to log into Microsoft Entra as a user assigned the Global Administrator or User Administrator role.

Step 1: Enable Console and Cross-tenant Access for Expel

Note
If your organization has already created a new Expel account for console access and enabled cross-tenant access for another Microsoft integration, you may skip to Step 2. The same "<Your Organization GUID>@soc.expel.io" account provides access across all Microsoft services.

Enable Console Access for a New Account

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. Log in to the Microsoft Entra Admin Center as a user assigned the Global Administrator or User Administrator role.
  2. Navigate to Entra ID > Users > All Users.
  3. Select User > Invite external user.
  4. On the Basics tab, include the following:
    • Email - enter "<Your Organization GUID>@soc.expel.io". For example, a123bc45-aa12-123b@soc.expel.io
    • Display Name - enter "Expel SOC".
  5. On the Assignments tab, configure the following:
    • Select Add role.
    • Search for and select Global Reader. Note: This role provides read-only access across most Microsoft 365 and Azure management consoles.
  6. Select Review + invite and then Invite.

The user account will be added to your directory as a guest, and an invitation will be sent to the email provided.

Enable Cross-tenant Access

In this step you will add Expel as an external organization and configure inbound trust.

  1. Still in the Microsoft Entra Admin Center, navigate to Entra ID > External Identities > Cross-tenant access settings.
  2. Select the Organizational settings tab.
  3. Select Add organization.
  4. On the Add organization pane, enter Expel’s tenant ID: 1cde81fd-b430-4035-b24d-709921922876
  5. Select Expel from the search results, and then select Add.
  6. In the Organizational settings list, locate the Expel row and select Inbound access.
  7. On the "Inbound access settings - Expel" page, select the Trust settings tab, and configure the following:
    • Select Customize settings.
    • Enable Trust multifactor authentication from Microsoft Entra tenants.
    • Enable Trust compliant devices.
    • Enable Trust Microsoft Entra hybrid joined devices.
    • Under Automatic redemption, enable Automatically redeem invitations with the tenant Expel.
  8. Select Save.
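The same Step 1 configuration can be applied and then read back for verification with the Microsoft Graph PowerShell SDK. This is an added example, not part of the Expel article or Expel's own tooling; it assumes the Microsoft.Graph module is installed, that you sign in as a Global Administrator, and that $orgGuid is replaced with the organization GUID Expel gave you. The read-back at the end is the check to run if console access later fails: every trust setting from step 7 must report true.

```powershell
# Added example (not from the Expel article): performs Step 1 with the Microsoft Graph
# PowerShell SDK instead of the Entra admin center, then reads the result back.
# Assumptions: Microsoft.Graph module installed; signed in as Global Administrator;
# $orgGuid is a placeholder for the organization GUID supplied by Expel.
$orgGuid     = "<Your Organization GUID>"                # placeholder, from Expel
$expelTenant = "1cde81fd-b430-4035-b24d-709921922876"    # Expel tenant ID from the article
$guestEmail  = "$orgGuid@soc.expel.io"

Connect-MgGraph -Scopes "User.Invite.All","RoleManagement.ReadWrite.Directory","Policy.ReadWrite.CrossTenantAccess"

# Steps 1-4 of "Enable Console Access": invite the Expel SOC guest user.
$invite = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
    -InvitedUserDisplayName "Expel SOC" `
    -InviteRedirectUrl "https://myapplications.microsoft.com" `
    -SendInvitationMessage:$true
$guestId = $invite.InvitedUser.Id

# Step 5: assign Global Reader (read-only) and nothing more. The role definition is
# looked up by name so no role template GUID has to be hard-coded.
$globalReader = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $globalReader.Id `
    -PrincipalId $guestId -DirectoryScopeId "/" | Out-Null

# "Enable Cross-tenant Access" steps 3-8: add Expel as a partner organization with
# exactly the inbound trust and automatic redemption settings the article lists.
New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $expelTenant `
    -InboundTrust @{
        IsMfaAccepted                       = $true   # Trust multifactor authentication
        IsCompliantDeviceAccepted           = $true   # Trust compliant devices
        IsHybridAzureAdJoinedDeviceAccepted = $true   # Trust Entra hybrid joined devices
    } `
    -AutomaticUserConsentSettings @{ InboundAllowed = $true }   # Automatically redeem invitations

# Verification: read the partner configuration back and flag any setting that is not enabled.
$partner = Get-MgPolicyCrossTenantAccessPolicyPartner -All | Where-Object TenantId -eq $expelTenant
$checks = [ordered]@{
    "Trust MFA"               = $partner.InboundTrust.IsMfaAccepted
    "Trust compliant devices" = $partner.InboundTrust.IsCompliantDeviceAccepted
    "Trust hybrid joined"     = $partner.InboundTrust.IsHybridAzureAdJoinedDeviceAccepted
    "Automatic redemption"    = $partner.AutomaticUserConsentSettings.InboundAllowed
}
foreach ($c in $checks.GetEnumerator()) {
    if ($c.Value -eq $true) { Write-Output "OK: $($c.Key)" }
    else                    { Write-Error "Not enabled for Expel partner: $($c.Key)" }
}
```

Run the verification block on its own whenever the Expel guest reports sign-in or Conditional Access failures; a setting that was changed after onboarding shows up as a Write-Error line rather than having to be found by clicking through the portal.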

Step 2: Enable Intune Application Access

To integrate the technology with Expel, you need to create secure credentials to the API. You have two options for enabling API access:

  • Option 1: Enable the Expel Intune Integration Enterprise Application within Azure.
  • Option 2: Create a custom Microsoft Entra ID Application.

Enabling the Enterprise Application is the recommended approach. However, because the Enterprise Application supports multiple Microsoft integrations (Microsoft Sentinel, Azure Log Analytics, and so on), the permissions it is granted may exceed the minimum required for the Intune integration on its own.

Use the second option when you must grant only the absolute minimum permissions. In either case, the table below lists the values you need to collect during this step:

We need this...               and it's...
Directory (tenant) ID         Unique identifier for your Microsoft Entra ID instance. Expel needs it to route API requests to the right tenant. Required in all cases.
Application (client) ID       (Option 2 only) Unique identifier for the application you create to grant Expel the access it needs to your Azure instance. Required if you are manually onboarding.
Application (client) secret   (Option 2 only) API secret that lets Expel authenticate to your Azure instance as the created application. Required if you are manually onboarding.

Option 1: Enable Azure Enterprise Application

  1. As an Administrator, navigate to the Expel Admin Consent Page.
  2. Review and accept requested permissions.
  3. The Expel Intune Integration app appears under Enterprise Applications.

Option 2: Create Custom Microsoft Entra ID Application

  1. As an Azure administrator, log in to the Azure Portal.
  2. Navigate to App registrations and click +New registration.
  3. Fill in the application details. You can fill these in however you want, but we recommend the following:

    • Name: Expel Intune Integration.
    • Supported account types: accounts in this organizational directory only (first option).
  4. After you fill out the fields, click Register to create the new application.
  5. The settings page for the Expel Intune Integration app you just created opens.

    If it does not, navigate to App registrations > Expel Intune Integration (select View all applications first if the new app is not listed).

  6. Make a note of the Application (client) ID and the Directory (tenant) ID for use in later steps.
  7. Open API permissions. Click + Add a permission.
  8. Select Microsoft Graph > Application permissions, scroll down to DeviceManagementApps, select DeviceManagementApps.Read.All, and click Add permissions to prepare the grant permissions request.
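Option 2 can also be scripted so that the registration provably carries only the one application permission the article names. The following is an added example using the Microsoft Graph PowerShell SDK; it is not from the Expel article or Expel's tooling, and it assumes the Microsoft.Graph module is installed and you sign in as a Global Administrator. It registers the app, grants admin consent for DeviceManagementApps.Read.All, creates the client secret that the Workbench form asks for, and finishes with an audit that warns if the service principal holds any Graph application permission beyond the expected one.

```powershell
# Added example (not from the Expel article): registers the custom Option 2 app with the
# Microsoft Graph PowerShell SDK, limits it to DeviceManagementApps.Read.All, grants admin
# consent, issues a client secret, and audits the granted permissions.
# Assumptions: Microsoft.Graph module installed; signed in as Global Administrator.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"

$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known app ID of Microsoft Graph
$wanted     = @("DeviceManagementApps.Read.All")       # the only permission the article requires

# Resolve the app role ID from the Graph service principal rather than hard-coding a GUID,
# keeping only the Application (not Delegated) variant of the permission.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$roleIds = $graphSp.AppRoles |
    Where-Object { $_.Value -in $wanted -and $_.AllowedMemberTypes -contains "Application" } |
    Select-Object -ExpandProperty Id

# Steps 3-4: register the app as single-tenant ("accounts in this organizational directory only").
$app = New-MgApplication -DisplayName "Expel Intune Integration" -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphAppId
        ResourceAccess = @($roleIds | ForEach-Object { @{ Id = $_; Type = "Role" } })
    })

# Step 6: the two identifiers the Workbench form needs.
Write-Output "Application (client) ID: $($app.AppId)"
Write-Output "Directory (tenant) ID:   $((Get-MgContext).TenantId)"

# Step 8, carried through: create the service principal and grant admin consent for the
# app role (the scripted equivalent of "Grant admin consent" in the portal).
$sp = New-MgServicePrincipal -AppId $app.AppId
foreach ($rid in $roleIds) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $rid | Out-Null
}

# Client secret for the Workbench "Application (client) secret" field. The value is shown
# once and cannot be retrieved later; the expiry is explicit so rotation can be scheduled.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Expel Workbench"
    EndDateTime = (Get-Date).AddMonths(12)
}
Write-Output "Application (client) secret: $($secret.SecretText)"

# Audit: map each granted app role back to its permission name and warn on anything beyond
# DeviceManagementApps.Read.All, so least privilege is verified rather than assumed.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    ForEach-Object { $rid = $_.AppRoleId; ($graphSp.AppRoles | Where-Object Id -eq $rid).Value }
$extra = $granted | Where-Object { $_ -notin $wanted }
if ($extra) { Write-Warning "Unexpected permissions granted: $($extra -join ', ')" }
else        { Write-Output "Granted exactly: $($granted -join ', ')" }
```

The audit section is worth keeping as a standalone periodic check: re-run it against the existing service principal (look it up with Get-MgServicePrincipal -Filter "displayName eq 'Expel Intune Integration'") to confirm nobody has since added write-capable Graph permissions to the integration app.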

Step 3: Configure Intune in Expel Workbench

Now that you have the correct access configured and noted the credentials, you can integrate your tech with Workbench.

  1. In a new browser tab, click this link to open the Add Security Device screen in Workbench.

    (Screenshot: Add Security Device screen in Workbench)
  2. Fill in the fields like this:

    Field name                                    What to put in it
    Name                                          The name you assign the security device.
    Location                                      Microsoft Cloud.
    Intune (tenant) ID                            Your Microsoft Entra ID Directory (tenant) ID.
    Application (client) ID (Option 2 only)       The Azure Application (client) ID you saved in Option 2.
    Application (client) secret (Option 2 only)   The client secret you saved in Option 2.
  3. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check whether alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup while we tune your device.