Azure AD and Intune Adapter - Breaking down Permissions and Data

In this post we're going to dive a bit deeper into exactly what the Axonius Azure Active Directory and Intune adapter can collect: Azure AD registered devices, users, and assets enrolled through Intune. Some customers ask why Intune is not its own adapter; this is because all of the data is collected from the same Microsoft Graph API within Azure. If you want to understand more about what types of data are collected from the Graph API versus the Management API (used for Azure public cloud assets like VMs, Storage Accounts, etc.), check out this article on Understanding Azure vs AAD.

Let's break down these permissions

There is a handy table within our Azure Active Directory adapter documentation, called Table of Azure Permissions, that lists every Graph API permission the adapter requires with a brief description of what each one does. Let's go a bit further here.

The primary permissions required for Azure AD are Directory.Read.All and User.Read.All. These permissions give our application the ability to pull almost everything we would need with only minimal advanced settings configured within your Axonius platform: Azure AD registered devices, users, groups, and Azure AD registered apps. If you want to enable any of the advanced settings for Intune, or for sign-in and risky-user details, you will need to add further permissions.

Intune Permissions and Data

If you want to pull MDM data from Intune, the application needs the following additional permissions:

DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.Read.All
DeviceManagementRBAC.Read.All
DeviceManagementServiceConfig.Read.All

Additionally, you will need to enable the advanced setting Fetch Software Information from Intune, found under Adapters -> Microsoft Azure Active Directory (Azure AD) and Microsoft Intune -> Advanced Configuration.

Graph groups the Intune permissions into these five categories, all with the DeviceManagement prefix. Two of the most important are Apps and Configuration. DeviceManagementApps.Read.All allows us to discover the applications installed across all Intune-enrolled devices, and this is also what populates the Installed Software tab of the asset record. DeviceManagementConfiguration.Read.All gives us most of the details about the device itself: whether or not it is compliant, how it was enrolled, and other useful details.

Depending on your implementation, not every device registered in Azure AD will also be enrolled in Intune, and vice versa. If a device is both registered in Azure AD and enrolled in Intune, you should see both data sources listed when viewing the asset, or you can check the Azure AD fields to see whether the device is listed as managed. Here is a comparison between a device that is enrolled in Intune and one that is not:

Alternatively, you can run a query for some combination of whether an Azure AD ID exists and whether an Intune ID exists. For example, this query could be used to find devices registered in Azure AD but not managed by Intune:
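Outside the Axonius platform, the same comparison can be done directly against Microsoft Graph, which is also a useful way to sanity-check what the adapter returns. The following is an added example, not Axonius code and not part of the original post. It joins the Azure AD device collection (GET /devices, where deviceId is the Azure AD device GUID) to the Intune managedDevice collection (GET /deviceManagement/managedDevices, where azureADDeviceId carries that same GUID), follows @odata.nextLink paging, and also reports which of the Graph permissions listed above are still missing from an app's grant. The sample Graph pages and device IDs are constructed for the example; graph_fetch is a minimal live fetcher for when you have a real token.

```python
"""Added example (not Axonius code): correlate Azure AD devices with Intune
managed devices via Microsoft Graph, and check an app's Graph permissions.

Graph facts relied on:
  - device.deviceId      : the Azure AD device GUID (distinct from device.id)
  - device.isManaged     : whether *some* MDM manages the device
  - managedDevice.azureADDeviceId : the same GUID, on the Intune side
  - collections page via '@odata.nextLink'
The SAMPLE_PAGES below are constructed for this example.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List

# Permissions named in the post: base Azure AD scopes plus the Intune scopes.
AAD_SCOPES = ["Directory.Read.All", "User.Read.All"]
INTUNE_SCOPES = [
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.Read.All",
    "DeviceManagementServiceConfig.Read.All",
]


def missing_scopes(granted: Iterable[str], want_intune: bool = True) -> List[str]:
    """Return the required Graph application permissions not yet granted."""
    required = AAD_SCOPES + (INTUNE_SCOPES if want_intune else [])
    have = set(granted)
    return [s for s in required if s not in have]


def collect_pages(url: str, fetch: Callable[[str], dict]) -> List[dict]:
    """Fetch a Graph collection, following @odata.nextLink until exhausted."""
    items: List[dict] = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return items


def correlate(aad_devices: List[dict], managed_devices: List[dict]) -> Dict[str, List[str]]:
    """Join device.deviceId to managedDevice.azureADDeviceId.

    'managed_elsewhere' flags Azure AD devices marked isManaged with no Intune
    record: either a third-party MDM or a stale Azure AD object worth a look.
    """
    aad_ids = {d["deviceId"] for d in aad_devices}
    intune_ids = {m["azureADDeviceId"] for m in managed_devices if m.get("azureADDeviceId")}
    return {
        "both": sorted(aad_ids & intune_ids),
        "aad_only": sorted(aad_ids - intune_ids),
        "intune_only": sorted(intune_ids - aad_ids),
        "managed_elsewhere": sorted(
            d["deviceId"] for d in aad_devices
            if d.get("isManaged") and d["deviceId"] not in intune_ids
        ),
    }


def graph_fetch(token: str) -> Callable[[str], dict]:
    """Return a fetcher for live Graph calls using a bearer token (stdlib only)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


# --- Constructed sample responses (not real tenant data) ---------------------
GRAPH = "https://graph.microsoft.com/v1.0"
SAMPLE_PAGES = {
    f"{GRAPH}/devices": {
        "value": [
            {"deviceId": "aaaa-0001", "displayName": "LAPTOP-01", "isManaged": True},
            {"deviceId": "aaaa-0002", "displayName": "LAPTOP-02", "isManaged": False},
        ],
        "@odata.nextLink": f"{GRAPH}/devices?$skiptoken=page2",
    },
    f"{GRAPH}/devices?$skiptoken=page2": {
        "value": [{"deviceId": "aaaa-0003", "displayName": "SERVER-01", "isManaged": True}],
    },
    f"{GRAPH}/deviceManagement/managedDevices": {
        "value": [
            {"id": "m-1", "azureADDeviceId": "aaaa-0001", "complianceState": "compliant"},
            {"id": "m-4", "azureADDeviceId": "aaaa-0004", "complianceState": "noncompliant"},
        ],
    },
}


def run_offline() -> Dict[str, List[str]]:
    """Run the correlation over the constructed sample pages."""
    fetch = lambda url: SAMPLE_PAGES[url]
    aad = collect_pages(f"{GRAPH}/devices", fetch)
    intune = collect_pages(f"{GRAPH}/deviceManagement/managedDevices", fetch)
    return correlate(aad, intune)


if __name__ == "__main__":
    print(json.dumps(run_offline(), indent=2))
    print("missing:", missing_scopes(["Directory.Read.All", "User.Read.All"]))
```

Against a live tenant, swap the lambda for graph_fetch(token) and add a $select to both URLs (for example $select=deviceId,displayName,isManaged) so you are not paging full objects. The aad_only bucket is the Graph-side equivalent of the Axonius query above; managed_elsewhere is the extra check that usually explains the surprises in that list.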
