Microsoft Azure Active Directory (Azure AD) and Microsoft Intune

This article covers the details for connecting Microsoft Azure Active Directory (Azure AD)
For Microsoft Azure, refer to Microsoft Azure.

This article includes:

Microsoft Azure Active Directory (Azure AD)
1. Microsoft Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory, and identity management service.
2. Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that integrates closely with Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection.

Types of Assets Fetched

These adapters fetch the following types of assets:

• Devices
• Users

About Microsoft Azure Active Directory (Azure AD)

Azure Active Directory is an Identity and Access Management Service hosted within Microsoft’s Azure public cloud. It allows administrators to manage the provisioning of users, enterprise applications, and devices.

Use cases the adapter solves

Connecting Azure AD to Axonius allows you to gain visibility into all registered devices and users that are a part of your Azure AD tenant. With this information you can evaluate devices that may be missing agents required for monitoring, devices missing from vulnerability assessment scopes, or evaluate permissions for your users, groups, or registered azure applications.

Data retrieved by Azure AD
The Azure AD adapter is able to fetch a wide variety of user and device data, including usernames, group membership details, device ownership, user license details, login activity/risky user assessments, O365 activity, and more.

Enforcements
Axonius has a built-in enforcement for adding selected users/devices to an Azure AD group for further processing by administrators. Axonius users can also take advantage of on-premises Active Directory enforcements if they are running in a hybrid deployment model.

Related Enforcement Actions:

• Microsoft Azure (Azure AD) - Add or Remove Assets in Group
• Microsoft Azure (Azure AD) - Delete Assets
• Microsoft Azure (Azure AD) - Enable Assets
• Microsoft Azure (Azure AD) - Disable Assets

Parameters

Microsoft Azure AD

The Microsoft Azure Active Directory AD (Azure AD) adapter fetches devices from the Microsoft Azure Cloud Environment.

To connect to Microsoft Azure AD, you need to create a Designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.

1. Azure Client ID (required) - The Application ID of the Axonius application.

2. Azure Client Secret (required) - Specify a non-expired key generated from the new client secret.

3. Azure Tenant ID (required) - Microsoft Azure Active Directory ID.

4. Cloud Environment (required) - Select your Microsoft Azure or Microsoft Azure AD cloud environment type.

5. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional, default: empty, relevant only for Microsoft Azure) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premise server) and the URL for the Azure Stack Hub Resource String.

   • If specified, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from Microsoft Azure cloud server.
   • If left blank, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from Microsoft Azure Stack Hub server.

6. Azure Oauth Authorization Code (optional, default: empty, relevant only for Microsoft Intune) - The authorization code to connect to Microsoft Intune. This is a legacy option to allow Oauth delegated authentication.

7. Is Azure AD B2C

   • If selected, Axonius will considered this Microsoft Azure AD adapter connection is configured as B2C.
   • If cleared, Axonius will not considered this Microsoft Azure AD adapter connection is configured as B2C.

8. Account Tag (optional) - Tag for the Azure Cloud instance ("nickname").

   • If specified, Axonius will tag all devices fetched from this adapter connection.
   • If left blank, Axonius will not tag any of the devices fetched from this adapter connection.

9. Device groups blocklist (optional) - Enter a group or groups whose devices will be ignored and not fetched. If you want to enter more than one group, separate with commas.

10. Verify SSL (required, default: true) - Select to verify the SSL certificate offered by the selected Microsoft Azure / Azure AD cloud environment. For more details, see SSL Trust & CA Settings.

11. HTTPS Proxy (optional) - A proxy to use when connecting to the selected Microsoft Azure / Azure AD cloud environment.

12. HTTPS Proxy User Name (optional) - The user name to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.

13. HTTPS Proxy Password (optional) - The password to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.

14. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
    
    

Microsoft Azure AD - Advanced Settings

1. Fields to exclude (optional) - Specify a comma-separated list of fields to be excluded from the fetched data.
   • If supplied, all connections for this adapter will exclude the listed fields from the raw and parsed data. For example, if this field value is "emailAddress, phoneNumber", both fields will be excluded from the raw and parsed data from all connections for this adapter.
   • If not supplied, all connections for this adapter will fetch all the assets data.
2. Allow use of BETA API endpoints - Select whether Axonius will use the Beta API to fetch users' last log-in.
   Note:

   This setting requires enabling the following application permissions to view the last sign-in audit log information:

   • AuditLog.Read.All
   • Directory.Read.All
     As of April 6, 2022, Microsoft reports a known issue. As a workaround, it is highly recommended to add the Directory.Read.All permission. For more information, see License check errors for Azure AD activity reports.

3. Do not fail if iTune Token is expired (deprecated) - this setting was removed as it iis no longer required. Instead a warning is displayed on the Adapter Fetch Events page.

4. Number of parallel requests (optional, default: 10) - Specify the maximum number of parallel requests to obtain paged data from the Microsoft Azure AD cloud server.

5. Max retry count for parallel requests (optional, default: 3) - Specify how many times all connections for this adapter will retry a parallel request when the Microsoft Azure AD cloud server returns a response with an error.

   • If not supplied, Axonius will use the default value.

6. Time in seconds to wait between retries of parallel requests (optional, default: 3) - Specify how many seconds all connections for this adapter will wait in between each retry when a parallel request to the Microsoft Azure AD cloud server returns a response with an error.

   • If not supplied, Axonius will use the default value.

7. Fetch email activity from Office 365 in the last X days (required, default: 0) - Specify the number of days to fetch email activity per each user. The email activities include:

   • Deleted users
   • Dates of account deletion of users
   • Number of times an email send action was recorded
   • Number of times an email received action was recorded
   • Number of times an email read action was recorded
   • Last time any user performed a read or send email activity
   • Report period
   • Products that are assigned to the users
   Note:

   In order to use this field the application permissions in Microsoft Azure Portal must include the following permissions:

   • reports.Read.All

8. Exclude Azure AD joined devices - Select whether to fetch Azure AD joined devices.

   • If enabled, all connections for this adapter will not fetch Azure AD joined devices.
   • If disabled, all connections for this adapter will fetch Azure AD joined devices.

9. Fetch only devices - Select this option to only fetch devices and not fetch users. Only Device.Read.All permissions are required here, and the permission “Directory.Read.All” is not required.

10. Fetch "Guest" users (required, default: true) - Select whether to fetch external users.

    • If enabled, all connections for this adapter will fetch external users from Azure AD.
    • If disabled, all connections for this adapter will not fetch external users from Azure AD.

11. Fetch only users with account enabled (optional) - Select to fetch only users with an account enabled in the Azure AD.

12. Fetch risky users information - Select whether to fetch infomation about risky users. Information includes:

    • If the user was deleted
    • Is processing
    • Date the user last updated
    • Risk level
    • Risk state
    • Risk details

    Risky users are defined in riskyUser resource type and in What is risk?.

13. Fetch risky users information with selected 'Level' (required, default High)- Select levels of risky users' information to fetch. Otherwise all levels are fetched

14. Fetch risky users information with selected 'State' (required, Default - At Risk, Confirmed Compromised.) - Select states of risky users' information to fetch. Otherwise all states are fetched.

15. User groups exclude list (optional) - When Fetch user groups is selected, users who have groups listed in this field will not be added to Axonius. If Fetch user groups is not selected, this field has no effect. The contents of this field is comma-separated strings, which are case and spaces sensitive.
    * If supplied and Fetch user groups is selected, all connections for this adapter will not fetch users who have groups listed in this field.
    * If not supplied and Fetch user groups is selected, all connections for this adapter will fetch users regardless of their groups.

16. Fetch software information from Intune (required, default: Disabled) - Select whether to fetch installed software from Intune.

    • If enabled, all connections for this adapter will fetch installed software from Intune.
    • If disabled, all connections for this adapter will not fetch installed software from Intune.

17. Fetch devices from Intune (required, default: true) - Select whether to fetch devices from Intune.

18. Fetch the device's total memory from Intune (default, false) - Select this option to fetch the total size of the RAM of the device from the Intune BETA API. In order to use this option, you need to enable Fetch devices from Intune.

19. Fetch user groups (required, default: true) - Select whether to fetch information on every group a user is a member.

    • If enabled, all connections for this adapter will fetch user groups information.
    • If disabled, all connections for this adapter will not fetch user groups information.

20. Fetch user app roles - Select whether to retrieve the app roles that are assigned to a user.

    Note:

    If selected, you must have either the Directory.Read.All or AppRoleAssignment.ReadWrite.All permission.

21. Fetch user assigned roles (Permissions required Directory.Read.All or RoleManagement.Read.Directory) (optional) - Select whether to fetch the assigned roles of a user. When Allow use of BETA API endpoints is also selected, then transitive assigned roles are also fetched.

22. Fetch nested groups - Select to fetch groups that belong to other groups.

23. Fetch users Last Sign-In - How to fetch (required, default Disabled) - Define how to fetch the data about the users Last Sign-in. Use this setting together with ‘Fetch users Last Sign-In - API to use’.

    • When set to 'Disabled' no data about users last sign in is fetched, and the ‘Fetch users Last Sign-In - API to use’. Setting will also be disabled.
    • 'Enabled in Normal Fetch' fetches the information during the regular fetch time.
    • 'Enabled in Background' schedules the fetch of this information outside the regular fetch time.

24. Fetch user Last Sign-In - API to use (required, default Disabled) - Select the type of API the adapter uses to fetch information when 'Fetch users Last Sign-In - How to fetch' is not set to 'Disabled'.

    • 'Use Regular API' - fetches only 30 days of users Sign-In in activity, with geolocation and device data. Requires normal license
    • 'Use BETA API' - fetches all the possible users last Sign-In activity, with no geo and device data. Requires BETA license.
    • 'Use Both APIs' - fetch all data from both APIs

25. Fetch users authentication methods (required, default: true) - Select to fetch data from the users authentication_methods endpoint. When this is cleared data is not fetched from the authentication_methods endpoint.

26. Fetch Intune software information in the background -

    • When enabled, Installed software fetch is conducted in a background thread and the information retrieved will be assigned to its “originating” device on the next device fetch. Background thread re-fetches information every 5 hours, similar to having a fetch cycle only for this information once every 5 hours.
    • When disabled Installed Intune software information is fetched as part of the device fetch as defined in “Fetch software information from Intune”.

27. Fetch user groups in the background - Select whether to cache user group records to MEM DB and store them in the background until the end of the fetch and within the same fetch thread. If cleared, user group information is fetched as part of the device fetch as defined in Fetch User groups.

28. Fetch mobile devices (required, default: true) - Select whether to fetch iOS and Android devices.

29. Avoid duplications in names - Select whether to create only one device when you fetch entities from Azure AD that contain the same name multiple times. In this case create only one device in Axonius using the name with the most recent last seen properties.

30. Fetch Windows Defender Compliance state - Select whether to collect “Windows10CompliancePolicy.DefenderEnabled” Compliance state for any Intune device to the ”Windows 10 Defender Enabled State” field of the adapter.

    • When enabled, all connections for this adapter will collect the 'Windows10CompliancePolicy.DefenderEnabled' Compliance state.
    • When disabled, all connections for this adapter will not collect the 'Windows10CompliancePolicy.DefenderEnabled' Compliance state.

31. Fetch device owner - Select whether to fetch device ownership (username and email) information on all connections for this adapter.

32. Fetch device groups - Select whether to fetch information on every Azure AD group for every device.

33. Fetch Users managers - Select whether to fetch information about managers of Azure AD users.

34. Fetch users license details - Select whether to fetch the licenses assigned to a given user.

35. Use Beta API in Intune - Select to use the beta API to fetch Intune devices. If option is cleared, the regular API is used.

36. Intune OS filter - Select whether to filter the Intune devices fetched by Operating System. The default value is All. You can choose to only fetch Windows devices.

37. Custom filter expression for fetching devices (optional) - Enter a filter expression to exclude Azure Active Directory devices from the fetch. For more information, see Operators and Functions Supported in $filter Expressions and Device Properties.

38. Custom filter expression for fetching Intune devices (optional) - Enter a filter expression to exclude Intune devices from the fetch. For more information, see Operators and Functions Supported in $filter Expressions and Intune Managed Device Properties.

39. Populate Cloud Provider Account Name aggregated field (required, default: true) - When this parameter is not set, the "Cloud Provider Account Name" aggregated field will not be populated for devices for Azure AD.

40. Do not fetch devices if Device Disabled field equals Yes (optional) - Select to exclude disabled devices from the fetch.

41. Fetch only devices with last seen - select this option to only fetch devices which have last seen.

42. Pre-fetch of logins activity (optional, default: true) - Select to fetch login activities of all users and match their records to improve performance during the fetch process.
    Note: This option is only effective if the Use Beta API in Intune option is selected.

43. Fetch service principal (default false) - Select this option to fetch service principals.

44. Fetch Encryption Details from BETA Intune API (required, default false) - Select this option to fetch more detailed data about the encryption state of devices (requires Beta and Intune licenses)

45. Fetch Windows Endpoint Protection Configuration from BETA Intune (default: false) - Select this option to fetch information about Windows 10 Endpoint Protection Configurations configured for the Intune devices. You have to enable ** Fetch devices from Intune** to use this option.

46. Fetch Device Compliance Policies Details (required, default false) - select this option to fetch information about the states of the compliance policies (Requires Intune License)

Creating an application in the Microsoft Azure Portal

For details, see Creating an application in the Microsoft Azure Portal.

Table of Azure Permissions