This article helps you provide the provisioning of the Azure App needed to perform the graph API queries for the deviceManagement endpoint, which allows the Expel Workbench to collect logs for Microsoft Intune.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Step 1: Enable console access

  1. Sign into Azure and search for app registrations.

  2. In the App registrations pane, select New registration.

  3. Give the application a name, choose the supported account type that can access the API, assign a redirect URL if needed, and click Register to create the app.

  4. After you load into the app, select API permissions to begin selecting the necessary permissions for the integration.

  5. Choose to add permissions to the app and select Microsoft Graph > Application permissions, and then scroll down to DeviceManagementApps. Select DeviceManagementApps.Read.All and click Add permissions to prepare the grant permissions request.

  6. Create a Client secret to enter into Workbench to facilitate API authentication for alert polling. Save this for later use.

  7. As an Administrator, navigate to the Expel Admin Consent Page.

  8. Review and accept the requested permissions.

  9. The Expel Intune Integration app should now appear under Enterprise Applications. Review properties and make sure that all permissions were properly granted.

Step 2: Configure Slack in Expel Workbench

  1. In a new browser tab, click this link to open the Add Security Device screen in Workbench.

  2. Fill in the fields like this:

    Field Name

    What to put in it


    What you want to name the security device.


    Geographic location of the server.

    Intune (tenant) ID


    Application (client) ID

    Application (client) secret

    The client secret created in Step 1.