# Microsoft Intune (cloud)

The NetSPI Platform has a broad integration with Microsoft Intune.

This integration supports the Microsoft Intune product, which must be properly licensed in order for the integration
to work. The Microsoft Intune license provides more data for systems even if Intune policies are not selected.

Similar to our other integrations, the Microsoft Intune integration is read-only and does not perform actions to
configure systems or otherwise change anything about your Microsoft Intune system.

## Supported asset types

The Microsoft Intune integration provides the NetSPI Platform visibility into the following asset types:

- Applications
- Systems
- Users

## Data run frequency

The Microsoft Intune integration pulls data every six hours.

## Endpoints used

This integration needs access to the following API endpoints:

- [https://graph.microsoft.com/v1.0/deviceManagement/managedDevices](https://graph.microsoft.com/v1.0/deviceManagement/managedDevices)
- [https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/](https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/)
- [https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{app['id']}/managedDevices/](https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{app['id']}/managedDevices/)
- [https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policy}/assignments](https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policy}/assignments)
- [https://graph.microsoft.com/v1.0/groups/{group_id}/members](https://graph.microsoft.com/v1.0/groups/{group_id}/members)
- [https://graph.microsoft.com/beta/deviceManagement/managedDevices/{system['id']}](https://graph.microsoft.com/beta/deviceManagement/managedDevices/{system['id']})

## Required permissions

This integration needs an API key (the app registration's client ID and client secret) with the following Microsoft Graph application permissions:

- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementApps.Read.All
- GroupMember.Read.All

## Configuration steps

Use the sections below to configure Microsoft Intune to integrate with the NetSPI Platform.

### Step one: Microsoft Intune system configuration

1. Sign in to the Microsoft Entra ID portal ([https://portal.azure.com/](https://portal.azure.com/)),
and select *Microsoft Entra ID* in the left navigation.

   ![MS Graph Config Step 1](/static/caasm/ms_intune_1.png)

2. Select *App registrations* in the left navigation.

   ![MS Graph Config Step 2](/static/caasm/ms_intune_2.png)

3. Select *New registration* along the top row of tabs.

   ![MS Graph Config Step 3](/static/caasm/ms_intune_3.png)

4. Provide a descriptive name for the registration and select **Register** at the bottom.

   ![MS Graph Config Step 4](/static/caasm/ms_intune_4.png)

5. Copy the values for *Application (client) ID* and *Directory (tenant) ID*, as they will be needed when configuring
the integration in the NetSPI Platform.

   ![MS Graph Config Step 5](/static/caasm/ms_intune_5.png)

6. Once copied, select *Certificates & secrets* in the left navigation, then select the *Client secrets* tab, and select
*New client secret* to display the *Add a client secret* dialog box.

   ![MS Graph Config Step 6](/static/caasm/ms_intune_6.png)

7. Select an appropriate expiration period for the client secret and then select the **Add** button.

8. Once the client secret has been created, select the Copy icon to the right of the *Value* field and record the value
as it will be needed when configuring the integration in the NetSPI Platform.

   ![MS Graph Config Step 8](/static/caasm/ms_intune_8.png)

9. Select *API Permissions* in the left navigation to display the API permissions page, and select *Microsoft Graph*
to display the *Request API permissions* dialog box.

   ![MS Graph Config Step 9](/static/caasm/ms_intune_9.png)

10. Select the *Application Permissions* option to display the Request API Permissions page, then enter each permission
listed in the [Required Permissions](#required-permissions) section above, one at a time, in the *Select permissions*
field to locate and add it.

   ![MS Graph Config Step 10](/static/caasm/ms_intune_10.png)

11. When complete, the permissions list should look like the following:

   ![MS Graph Config Step 11](/static/caasm/ms_intune_11.png)

12. Select the **Grant admin consent for \<your domain\>** button and then select **Yes**.

   ![MS Graph Config Step 12](/static/caasm/ms_intune_12.png)
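
Once admin consent is granted, you can confirm that the app registration holds exactly the read-only permissions listed under [Required Permissions](#required-permissions) by inspecting the `roles` claim of an app-only access token issued to it. The following is an added example, not NetSPI Platform code: the function names and the sample token are constructed for illustration, and the payload is decoded without signature verification because the token is only being inspected.

```python
import base64
import json

# Application permissions listed under "Required permissions" on this page.
REQUIRED = {
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementApps.Read.All",
    "GroupMember.Read.All",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(jwt: str) -> set:
    """Return the 'roles' claim of a JWT. The signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit_roles(roles: set) -> dict:
    """Compare granted permissions with the documented read-only set."""
    extra = roles - REQUIRED
    return {
        "missing": sorted(REQUIRED - roles),  # integration cannot read this data
        "extra": sorted(extra),               # more than the page asks for
        "not_read_only": sorted(r for r in extra if "Read" not in r.split(".")),
        "ok": roles == REQUIRED,
    }


def make_sample_token(roles) -> str:
    """Build a CONSTRUCTED, unsigned token for the demo (not a real Entra token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"roles": sorted(roles)}).encode())
    return f"{header}.{body}.constructed-signature"


if __name__ == "__main__":
    over = make_sample_token(REQUIRED | {"DeviceManagementManagedDevices.ReadWrite.All"})
    print(audit_roles(token_roles(over)))
```

To audit a real registration, pass `token_roles()` the access token returned for the app's client credentials; any entry under `extra` or `not_read_only` is a permission to remove from the registration.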

### Step two: NetSPI Platform CAASM module configuration

Use the steps below to configure the Microsoft Intune Integration in the NetSPI Platform.

1. Log into the NetSPI Platform as a Client Admin user.

2. Navigate to *Settings -> CAASM Integrations* to display the Integrations page.

   ![Platform Integrations page](/static/caasm/integrations/integrations_landing.png "Platform Integrations page")

3. Select the *Integration Library tab -> Integration Categories / Unified Endpoint Management (UEM) ->
Microsoft Intune Integration*.

   ![Integration Library tab](/static/caasm/integrations/select_integration_intune.png "Integration Library tab")

   This brings the Microsoft Intune integration card into focus.

   !!!Note
   You can also locate the integration card by:

      - Scrolling down the page on the *Integration Library* tab
      - Filtering the integration options displayed by selecting any of the other left navigation choices besides
      *Integration Categories*, e.g., by *Modules* or *Integration Scopes* (cloud or on premise)
      - Entering the integration name in the Search integration bar
   !!!

4. Select the **Add** button on the Microsoft Intune card to display the Microsoft Intune integration configuration page.

   ![MS Intune integration page](/static/caasm/integrations/integrations_intune.png "MS Intune integration page")

5. Select and enter values for the following fields.

   1. Select the integration type from the *Integration* drop-down list. In this case,
   *Microsoft Intune Integration*, which is already selected by default.

   2. Select the integration scope from the *Scope* drop-down list. The Microsoft Intune integration can only run
   on a cloud scope, which was configured by NetSPI, so *Cloud* displays as the default value.

   3. Enter an integration name and description in the *Integration Name* and *Description* fields.

   4. Select the *Enabled* slider button to display as either on (blue) or off (light gray).

   5. In the *Microsoft Intune Parameters* field group, enter or select the following in the corresponding fields:

      | Field | Value |
      | :--- | :--- |
      | *Tenant ID* | The Directory (tenant) ID from step 5 in the [section above](#step-one-microsoft-intune-system-configuration) |
      | *Client ID* | The Application (client) ID from step 5 in the [section above](#step-one-microsoft-intune-system-configuration) |
      | *OAuth2 Secret* | The client secret generated in step 8 in the [section above](#step-one-microsoft-intune-system-configuration) |
      | *Type of Data to ingest* drop-down list | Select the type of data you want the CAASM module in the NetSPI Platform to ingest from your Microsoft Intune instance. *Device and Users*, *Applications*, and *Intune Compliance* are the three available options. |

   6. In the *Intune Policy ID(s)* field group, enter an optional policy ID in the *Policy ID* field. If you specify one
   or more Microsoft Intune policy IDs to check for asset compliance, the NetSPI Platform automatically tags any asset
   that is non-compliant with one or more of the specified policies as non-compliant.
   Likewise, any asset that is in full compliance with all the specified policy IDs is tagged as compliant.
   Once the desired policy IDs have been specified, ensure that the optional Intune Compliance checkbox is selected.

6. Select **Create** to create the integration. The new integration now displays on the Applied Integrations tab
with its statuses: current and last run, last run time, and status (enabled/disabled).
