If you have been using EPM (Endpoint Privilege Management) from Intune Suite you must be aware that in March (2024) Microsoft released a new elevation type called support approved. This rule allows users to request elevation for any supported file extension (currently .exe, .msi and .ps1). But whenever a user requests an elevation, the Intune portal is currently the only place where those requests are available, until now.
This post will cover using Logic Apps to forward those notifications to a Slack or Teams channel (but it’s really easy to tweak them and send those notifications anywhere).
Pre Requisites
- Azure subscription with enough permission to create the required resources: a Logic App with a system-assigned managed identity and a Key Vault to securely store the webhook information
- Global Admin or Cloud Application Administrator access (one time only): to give the logic app's managed identity access to query Intune
- Enough access to Slack / Teams to create and configure webhooks: to allow the logic app to send notifications to your favorite IM tool
Architecture
This solution comprises three Azure resources: a logic app, which is where all the logic for the alerting happens; a key vault, which is a “safe” where we securely store the webhook link (with this link anyone can send messages to the specified channel, hence why we want to secure it); and an API connection, which allows the logic app to read information (the webhook) from the key vault.
The logic app runs on a schedule, queries pending Intune EPM elevation requests via Graph API and, upon finding new requests, generates a message that is then sent via webhook to the preferred IM tool (Teams or Slack).
Deploying
Slack Option
Teams Option
The above links should take you to the custom Azure template window like the one shown below.
The fields Subscription, Resource group and Region are Azure wide and should be filled according to where you want to deploy the resources.
- Key Vault Name = is the name of the key vault (keep in mind the names are up to 24 characters and need to be globally unique)
- Logic App Name = is the name of the logic app (make sure you take note of that as it will be required in the next steps)
- Slack / Teams Webhook = the link for the webhook of your IM solution (if you are unsure how to create those, check below).
- Timezone = Graph API localizes all timestamps to UTC, so this allows you to convert them to a preferred timezone (please refer to this list)
- Recurrence = How often (in minutes) you want the logic app to run and send notifications on the chosen channel
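To make the architecture and the Timezone / Recurrence parameters above concrete, here is the core of the alerting step written out in Python. This is an added example, not the post's Logic App and not code from the EPM project: it takes elevation requests as Graph would return them (UTC timestamps), keeps the pending ones created inside the last recurrence window, converts the timestamps to the configured timezone and builds the webhook body. The request field names are assumptions, the sample data is constructed, and the timezone is an IANA name rather than the Windows name the Logic App expects.

```python
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo

# Constructed sample of what the Graph query could return (field names assumed).
SAMPLE_REQUESTS = [
    {"id": "req-1", "status": "pending",
     "requestCreatedDateTime": "2024-04-02T09:05:00Z",
     "requestedByUserPrincipalName": "alice@contoso.example",
     "deviceName": "LAPTOP-01", "filePath": "C:\\Tools\\setup.msi",
     "requestJustification": "Install build tools"},
    {"id": "req-2", "status": "pending",
     "requestCreatedDateTime": "2024-04-02T08:40:00Z",
     "requestedByUserPrincipalName": "bob@contoso.example",
     "deviceName": "LAPTOP-02", "filePath": "C:\\Temp\\tool.exe",
     "requestJustification": "Run diagnostics"},
    {"id": "req-3", "status": "approved",
     "requestCreatedDateTime": "2024-04-02T09:07:00Z",
     "requestedByUserPrincipalName": "carol@contoso.example",
     "deviceName": "LAPTOP-03", "filePath": "C:\\Scripts\\fix.ps1",
     "requestJustification": "Apply hotfix"},
]


def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO-8601 UTC with a trailing 'Z'; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pending_since_last_run(requests, now_utc: datetime, recurrence_minutes: int):
    """Keep pending requests created inside the last recurrence window, so a
    request is announced once rather than on every scheduled run."""
    window_start = now_utc - timedelta(minutes=recurrence_minutes)
    return [r for r in requests
            if r["status"] == "pending"
            and parse_graph_time(r["requestCreatedDateTime"]) >= window_start]


def format_request(req, tz_name: str) -> str:
    """One notification line, with the UTC timestamp converted to tz_name."""
    local = parse_graph_time(req["requestCreatedDateTime"]).astimezone(ZoneInfo(tz_name))
    return (f"{local:%Y-%m-%d %H:%M %Z} | {req['requestedByUserPrincipalName']} on "
            f"{req['deviceName']} requested {req['filePath']} ({req['requestJustification']})")


def build_payload(requests, tz_name: str, target: str) -> dict:
    """Webhook body: Slack incoming webhooks take {"text": ...}; the Teams
    Office 365 connector takes a MessageCard carrying the same text."""
    text = "EPM elevation requests pending approval:\n" + "\n".join(
        format_request(r, tz_name) for r in requests)
    if target == "teams":
        return {"@type": "MessageCard", "@context": "http://schema.org/extensions",
                "summary": "EPM elevation requests", "text": text}
    return {"text": text}
```

Posting the payload is left out because it needs network access; in the real flow the webhook URL is read from Key Vault at run time, never embedded in the workflow, since anyone holding it can post to the channel.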
Delegating Permissions
Managed Identity Permission Delegation
Your logic app needs read access to some Graph scopes so it can read Intune EPM logs. To perform this task we can use the Microsoft.Graph PowerShell module with the code snippet below (thanks Jeroen).
# Install the Graph PowerShell SDK and sign in with scopes that allow reading
# service principals and writing app role assignments (one-time admin task).
Install-Module Microsoft.Graph -Force -AllowClobber
Connect-MgGraph -Scopes Application.Read.All, AppRoleAssignment.ReadWrite.All

$MI = "LOGICAPP_NAME_OR_ID"   # display name or object id of the logic app's managed identity
$roleNames = @("DeviceManagementConfiguration.Read.All")   # Graph app roles to grant

# Resolve the managed identity's service principal: by object id when $MI is a GUID, otherwise by display name
$MIID = if ([guid]::TryParse($MI, [ref][guid]::Empty)) {
    Get-MgServicePrincipal -ServicePrincipalId $MI
} else {
    Get-MgServicePrincipal -Filter "DisplayName eq '$MI'"
}
# Microsoft Graph's own service principal, which publishes the app roles we assign
$msgraph = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

foreach ($roleName in $roleNames) {
    $appRole = $msgraph.AppRoles | Where-Object { $_.Value -eq $roleName }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MIID.Id -PrincipalId $MIID.Id -ResourceId $msgraph.Id -AppRoleId $appRole.Id
}
Disconnect-MgGraph
Creating webhooks
The following icons are direct links for the documentation on how to create webhooks on Teams or Slack.
Teams | Slack
Enable Logic App
Once the steps above are completed you can enable the logic app from its main page.
Alert Examples
Teams notification example for EPM elevation requests
Slack notification example for EPM elevation requests
Thanks for reading and I hope these logic apps can help you monitor your EPM elevation requests.