1. Expel Support Center
  2. Connect your technology
  3. SaaS integrations

Microsoft Intune setup for Workbench

  • Updated

This article helps you provide the provisioning of the Azure App needed to perform the graph API queries for the deviceManagement endpoint, which allows the Expel Workbench to collect logs for Microsoft Intune.

In this article

Step 1: Enable console access

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

Note

Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Sign into the Azure portal as a user who is assigned a limited administrator directory role or the Guest Inviter role.

  2. In the navigation pane, select Azure Active Directory.

  3. Under Manage, select Users.

  4. Select New guest user.

  5. On the New user page, click Invite user, fill out the email address (expel_analyst@expel.io) and, optionally, include a message.

  6. Under Roles, add the Global Reader role.

  7. Click Invite to automatically send the invitation to the guest user.

  8. After you send the invitation, the user account is automatically added to the directory as a guest.

Step 2: Enable Intune application access

To integrate the technology with Expel, we need to create secure credentials to the API. You have 2 options for enabling API access:

  • Option 1: Enable the Expel Intune Integration Enterprise Application within Azure.

  • Option 2: Create a custom Azure Active Directory (AD) Application.

Enabling the Enterprise Application is the recommended approach. However, because the Enterprise Application supports access for multiple Microsoft integrations (Microsoft Sentinel, Azure Log Analytics, and so on), it may be that the permissions granted to the Enterprise Application are more than the minimum required for the Azure integration specifically.

The second option is available if and when the absolute minimum permissions are required. In either case, the table below lists the required items to be obtained during this step:

We need this...

and it's...

Directory (tenant) ID

Unique identifier for your Azure AD instance. Expel needs this information to route our API requests to the right place. Required in all cases.

Application (client) ID (Option 2 only)

Unique identifier for the application you create that grants Expel the access it needs to your Azure instance. Required if you are manually onboarding.

Application (client) Secret (Option 2 only)

API secret that allows Expel to authenticate as the created application to your Azure instance. Required if you are manually onboarding.

Option 1: Enable Azure Enterprise Application

  1. As an Administrator, navigate to the Expel Admin Consent Page.

  2. Review and accept requested permissions.

  3. The Expel Intune Integration app appears under Enterprise Applications.

Option 2: Create custom Azure Active Directory application

  1. As an Azure administrator, log in to the Azure Portal.

  2. Navigate to Azure Active Directory > App registrations and click +New registration.

  3. Fill in the application details. You can fill these in however you want, but we recommend the following:

    • Name: Expel Intune Integration.

    • Supported account types: accounts in this organizational directory only (first option).

  4. After you fill out the fields, click Register to create the new application.

  5. The settings page for the Expel Intune Integration app you just created opens.

    If not, navigate to Azure Active Directory > App Registrations > View all applications (if you don’t see the new app) > Expel Intune Integration.

    • Make a note of the Application (client) ID and the Directory (tenant) ID for use in later steps.

  6. Open API permissions. Click + Add a permission.

  7. Choose to add permissions to the app and select Microsoft Graph > Application permissions, and then scroll down to DeviceManagementApps. Select DeviceManagementApps.Read.All and click Add permissions to prepare the grant permissions request.

Step 3: Configure Intune in Expel Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, click this link to open the Add Security Device screen in Workbench.

    Intune_AddSecDev.png

  2. Fill in the fields like this:

    Field name

    What to put in it

    Name

    The name you assign the security device.

    Location

    Microsoft Cloud.

    Intune (tenant) ID

    Azure AD Directory/Tenant ID.

    Application (client) ID

    (Option 2 only) The Azure Application (Client) ID you saved in Option 2.

    Application (client) secret

    (Option 2 only) The Client Secret you saved in Option 2.

  3. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • Was this article helpful?

  • 0 out of 0 found this helpful

Related articles