Notifications for Intune app creation and assignments

This post is an improved version of my previous solution, so if you implemented it before I’d suggest revising the new versions as it adds lots of new features like group friendly names, support for filters and more.

If you use any kind of automation (third party or in-house) to publish and/or assign applications to Intune or simply would like to know whenever someone creates or assigns applications to your Intune tenant this solution is for you. Based on Azure Logic Apps, the solution:

Runs on a scheduled timeframe
It’s really low cost (cents/month)
Allows you to generate alerts to a Teams or Slack channel (depending on which deployment you choose)

Pre Requisites

Azure Subscription with enough permission to create the resources required - Logic App with system-managed identity and Key Vault to securely store the webhook information
Global Admin or Cloud Application Administrator access (one time only) - give the logic app managed identity access to query Intune
Enough access to Slack / Teams to create a webhook - allow the logic app to send notifications to your favorite IM tool

Architecture

This solution is comprised of three Azure resources, a logic app which is where all the logic for the alerting happens. A key vault which is a “safe” where we securely store the webhook link (with this link anyone can send messages to a specified channel, hence why we want to secure it), and an api connection which allows the logic app to read information (the webhook) from the key vault.

The logic app runs on a scheduled, query Intune via Graph API, and upon finding new records for application creation or assignments it generates a message that is then sent via webhook to the preferred IM tool (Teams or Slack).

Deploying

Slack Option

Teams Option

That should take you to the custom Azure template windows shown below

The fields Subscription, Resource group and Region are Azure wide and should be filled according to where you want to deploy the resources.

Key Vault Name = is the name of the key vault (keep in mind the names are up to 24 characters and need to be globally universal)
Logic App Name = is the name of the logic app (make sure you save that as it will be needed in the next step)
Slack / Teams Weboook = the link for the webhook of you IM solution.
Timezone = Graph API localize all timestamps to UTC, so this will allow you to use a conversion to a preferred timezone (please refer to this list)
Recurrence = How often (in hours) you want the logic app to run and send notifications on the chosen channel

Delegating Permissions

Managed Identity Permission Delegation

Your logic app needs read access to some Graph resources so it can read Intune Audit logs, Intune Filters and Entra ID groups so it can translate unique identifiers (GUIDs) to friendly group names. To perform this task we can slightly modify this blog post from Microsoft as per below and run on PowerShell.

$TenantID = Your Tenant ID or domain

$DisplayNameOfMSI = The name you chose for the logic app above.

  Connect-AzureAD
  $TenantID="provide the tenant ID"
  $GraphAppId = "00000003-0000-0000-c000-000000000000"
  $DisplayNameOfMSI="Provide the Logic App name"
  $PermissionName = @("GroupMember.Read.All","DeviceManagementConfiguration.Read.All","DeviceManagementApps.Read.All")
  foreach ($perm in $PermissionName)
          {
                  $MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
                  Start-Sleep -Seconds 10
                  $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
                  $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $perm  -and $_.AllowedMemberTypes -contains "Application"}
                  New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
          }