In this post, I'll cover a solution to monitor Intune app creation and app assignments using Logic Apps that generate alerts in Slack. It is largely based on the great work of Peter Klapwijk in his blog series How to monitor your Microsoft Intune tenant with logic apps.

Prerequisites

  • Slack subscription and Workspace Admin access (required to approve the Slack API connection)
  • Azure subscription with enough permissions to create the resources (a Logic App with a system-assigned managed identity and an API Connection)
  • Global Administrator access (or an equivalent role allowed to grant Microsoft Graph application permissions) to give the managed identity access to query Intune via Graph

How to deploy

To deploy, click the Deploy to Azure button of the Logic App you want (both can be deployed side by side):

Logic App to monitor app assignments on Intune

Deploy to Azure

Logic App to monitor app creation on Intune

Deploy to Azure

That opens the custom deployment template shown below.

The fields Subscription, Resource group, Region and Location are standard Azure fields and should be set to where you want to deploy the Logic App and the API Connection to Slack.

  • Logic App Name = the name of the Logic App (note it down, it is needed in the permission step below)
  • Slack Connection Name = the name of the Slack API connection. Reuse the name of an existing Slack connection if you already have one, and if you deploy both Logic Apps (the creation and the assignment alerts) use the same name for both so that a single connection is shared between them.
  • Slack Channel Name = the channel you want to send notifications to. Bear in mind that to post to a private channel you must invite the Logic Apps app to that channel (type @Microsoft Azure Logic Apps in the channel to invite it); otherwise the run fails with "error": "channel_not_found".
  • Bot Name = the sender name shown on the Slack message
  • Icon Url = the logo shown on the Slack message
  • Timezone = Intune records all audit events in UTC; this field localises the times to your preferred time zone. Use the exact Windows time zone ID from the Default Time Zones list (for example W. Europe Standard Time), otherwise the conversion step fails.

Delegating Permissions

Managed Identity Permission Delegation

The script below is a slightly modified version of the one in this blog post from Microsoft; run it in PowerShell with the AzureAD module installed (the module is deprecated in favour of Microsoft Graph PowerShell, but the steps are the same: find the managed identity's service principal, find the Graph application role, assign it). Only DeviceManagementApps.Read.All is granted, a read-only application permission that is sufficient for the Logic Apps to query Intune audit events and nothing more.

  • $TenantID = Your Tenant ID or domain
  • $DisplayNameOfMSI = The name you chose for the Logic App above. (If you deployed both Logic Apps, run the code block twice, once per Logic App name.)

      $TenantID = "mydomain.com"
      $GraphAppId = "00000003-0000-0000-c000-000000000000"   # appId of the Microsoft Graph service principal (the same in every tenant)
      $DisplayNameOfMSI = "MyLogicAppName"                  # must match the Logic App name used in the template
      $PermissionName = "DeviceManagementApps.Read.All"     # read-only application permission, enough to query app audit events
      Connect-AzureAD -TenantId $TenantID
      # The system-assigned managed identity appears as a service principal with the Logic App's name
      $MSI = Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
      if (@($MSI).Count -ne 1) { throw "Expected exactly one service principal named '$DisplayNameOfMSI', found $(@($MSI).Count)" }
      $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
      # Pick the application (not delegated) role carrying the requested permission
      $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
      if (-not $AppRole) { throw "App role '$PermissionName' not found on Microsoft Graph" }
      New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
    

Slack API Connection

To allow the Logic App to send notifications, open the Slack API Connection resource in Azure (named SlackConnection unless you renamed it), go to Edit API Connection and click Authorize. A new window opens and asks a Slack administrator to sign in and authorize the connection.

Enable Logic App

Once the steps above are completed, enable the Logic App from its overview page. Until both the Graph permission and the Slack authorization are in place, runs will fail at the HTTP GET or the Slack step respectively.

Alert Examples

Assignments creation

Here are two examples of app assignments, one for Adobe Creative Cloud of type Microsoft Store app (new) and one for Citrix Workspace App 2212 of type Win32Lob.

Application creation

Here are two examples of app creations, one for PowerShell of type Microsoft Store app (new) and one for Firefox 110.0 of type macOS.

Customisation

This is where your creativity comes in. The messages can easily be changed to add, remove or update information. By default the Logic Apps alert on an hourly basis, but you can, for example, change the Recurrence step and the Uri of the HTTP GET Intune Audit Events action to run daily or twice a day. Keep the two consistent: the time filter in the Uri must look back exactly as far as the recurrence interval, otherwise events are either missed or reported twice.
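To try a different schedule before changing the Logic App, the following PowerShell is an added example and not code from the original post or from the deployed Logic Apps. It builds the Graph audit-event query for a chosen lookback window (1 hour for the default hourly run, 24 for a daily run), keeps only app creation and assignment activities, and localises the UTC timestamps the way the Timezone parameter does. It runs offline against constructed sample events. Assumptions that are mine, not the page's: the beta deviceManagement/auditEvents endpoint with its activityDateTime, activityType, actor and resources properties, the activity names "Create MobileApp" and "Assign MobileApp" (check them against real events in your tenant), and the optional live call using the Microsoft.Graph PowerShell module instead of the Logic App's managed identity.

```powershell
# Added example (not from the original post). Builds the Intune audit-event query for a
# lookback window, filters the result to app creation/assignment activities and localises
# the timestamps. The sample events at the bottom are constructed, not real tenant data.

function New-IntuneAuditEventUri {
    param(
        [Parameter(Mandatory)][int]$LookbackHours,       # 1 = hourly run, 24 = daily run
        [datetime]$Now = (Get-Date).ToUniversalTime()    # injectable so the output is reproducible
    )
    # Graph expects an ISO 8601 UTC timestamp; the OData filter is URL-encoded and the
    # query option names are in single quotes so PowerShell does not expand '$filter'.
    $since  = $Now.AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "activityDateTime ge $since"
    return 'https://graph.microsoft.com/beta/deviceManagement/auditEvents?$filter=' +
           [uri]::EscapeDataString($filter) + '&$orderby=activityDateTime%20desc'
}

function Select-AppAuditEvent {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Assumption: Intune reports these activity names; adjust after inspecting real events.
        [string[]]$ActivityPatterns = @('Create MobileApp*', 'Assign MobileApp*')
    )
    foreach ($e in $Events) {
        foreach ($p in $ActivityPatterns) {
            if ($e.activityType -like $p) { $e; break }
        }
    }
}

function ConvertTo-LocalAuditTime {
    param(
        [Parameter(Mandatory)][string]$ActivityDateTime,   # value as returned by Graph, e.g. 2023-03-01T09:15:00Z
        [Parameter(Mandatory)][string]$TimeZoneId          # Windows ID from the Default Time Zones list
    )
    $utc = [DateTimeOffset]::Parse($ActivityDateTime, [cultureinfo]::InvariantCulture).UtcDateTime
    $tz  = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    return [System.TimeZoneInfo]::ConvertTimeFromUtc($utc, $tz)
}

# Constructed sample events in the shape Graph returns (hypothetical data).
$sample = @(
    @{ activityType = 'Create MobileApp'; activityDateTime = '2023-03-01T09:15:00Z'
       actor = @{ userPrincipalName = 'admin@mydomain.com' }
       resources = @(@{ displayName = 'Firefox 110.0'; type = 'MobileApp' }) },
    @{ activityType = 'Assign MobileApp'; activityDateTime = '2023-03-01T10:40:00Z'
       actor = @{ userPrincipalName = 'admin@mydomain.com' }
       resources = @(@{ displayName = 'Citrix Workspace App 2212'; type = 'MobileApp' }) },
    @{ activityType = 'Patch DeviceConfiguration'; activityDateTime = '2023-03-01T11:00:00Z'
       actor = @{ userPrincipalName = 'admin@mydomain.com' }
       resources = @(@{ displayName = 'Wi-Fi profile'; type = 'DeviceConfiguration' }) }
)

# The Uri a daily schedule would need in the HTTP GET step
New-IntuneAuditEventUri -LookbackHours 24

# To query a real tenant instead of the sample, after granting DeviceManagementApps.Read.All:
#   Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'
#   $sample = (Invoke-MgGraphRequest -Method GET -Uri (New-IntuneAuditEventUri -LookbackHours 1)).value

Select-AppAuditEvent -Events $sample | ForEach-Object {
    $local = ConvertTo-LocalAuditTime -ActivityDateTime $_.activityDateTime -TimeZoneId 'W. Europe Standard Time'
    '{0}  {1,-18} {2,-28} by {3}' -f $local.ToString('yyyy-MM-dd HH:mm'), $_.activityType, $_.resources[0].displayName, $_.actor.userPrincipalName
}
```

The device configuration event in the sample is dropped by Select-AppAuditEvent, which is the same narrowing the Logic Apps do before building the Slack message. Whatever value you pass to -LookbackHours is the interval to set on the Recurrence step; the two must stay equal for the alerts to be complete and free of duplicates.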

Thanks for reading, and I hope these Logic Apps help you monitor your Intune tenant.
