Microsoft Azure Active Directory (Azure AD) and Microsoft Intune
  • 09 May 2022

This article covers the details for connecting Microsoft Azure Active Directory (Azure AD).
For Microsoft Azure, refer to Microsoft Azure.

Microsoft Azure Active Directory (Azure AD)
1. Microsoft Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory, and identity management service.
2. Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that integrates closely with Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection.


The Microsoft Azure Active Directory (Azure AD) adapter fetches devices from the Microsoft Azure cloud environment.

To connect to Microsoft Azure AD, you need to create a Designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.

Parameters

Microsoft Azure AD

  1. Azure Client ID (required) - The Application ID of the Axonius application.

  2. Azure Client Secret (required) - Specify a non-expired key generated from the new client secret.

  3. Azure Tenant ID (required) - Microsoft Azure Active Directory ID.

  4. Cloud Environment (required) - Select your Microsoft Azure or Microsoft Azure AD cloud environment type.

  5. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional, default: empty, relevant only for Microsoft Azure) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premises server) and the URL for the Azure Stack Hub Resource String.

    • If specified, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from Microsoft Azure cloud server.
    • If left blank, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from Microsoft Azure Stack Hub server.
  6. Azure OAuth Authorization Code (optional, default: empty, relevant only for Microsoft Intune) - The authorization code to connect to Microsoft Intune. This is a legacy option to allow OAuth delegated authentication.

  7. Is Azure AD B2C (required, default: False)

    • If selected, Axonius will treat this Microsoft Azure AD adapter connection as configured for B2C.
    • If cleared, Axonius will not treat this Microsoft Azure AD adapter connection as configured for B2C.
  8. Account Tag (optional, default: empty) - Optional tag for the Azure Cloud instance ("nickname").

    • If specified, Axonius will tag all devices fetched from this adapter connection.
    • If left blank, Axonius will not tag any of the devices fetched from this adapter connection.
  9. Device groups blocklist (optional, default: empty) - Enter a group or groups whose devices will be ignored and not fetched. If you want to enter more than one group, separate with commas.

  10. Verify SSL (required, default: true) - Select to verify the SSL certificate offered by the selected Microsoft Azure / Azure AD cloud environment. For more details, see SSL Trust & CA Settings.

  11. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the selected Microsoft Azure / Azure AD cloud environment.

    • If specified, Axonius will utilize the proxy when connecting to the selected Microsoft Azure / Azure AD cloud environment.
    • If left empty, Axonius will connect directly to the selected Microsoft Azure / Azure AD cloud environment.
  12. HTTPS Proxy User Name (optional, default: empty) - The user name to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.

    • If specified, Axonius will authenticate with this value when connecting to the value supplied in HTTPS Proxy.
    • If left empty, Axonius will not perform authentication when connecting to the value supplied in HTTPS Proxy.
  13. HTTPS Proxy Password (optional, default: empty) - The password to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.

    • If specified, Axonius will authenticate with this value when connecting to the value supplied in HTTPS Proxy.
    • If left empty, Axonius will not perform authentication when connecting to the value supplied in HTTPS Proxy.
  14. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
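As an added example (not Axonius code, and not part of the original page), the following Python shows how the connection parameters above combine into an OAuth 2.0 client-credentials token request to the Microsoft identity platform, and how the Verify SSL and HTTPS Proxy settings shape the outgoing connection. The login and Graph hostnames per cloud are public Microsoft values; the dataclass, the function names and the cloud-environment labels are assumptions made for this example.

```python
"""Added example (not Axonius code): how the connection parameters above combine into an
OAuth 2.0 client-credentials token request to the Microsoft identity platform.
The login and Graph hostnames per cloud are public Microsoft values; the dataclass,
function names and the cloud-environment labels are assumptions for this example."""
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Login authority and Microsoft Graph host per cloud environment (public Microsoft values).
# The labels on the left are assumed; the Axonius drop-down may name them differently.
CLOUDS = {
    "Azure Public": ("login.microsoftonline.com", "graph.microsoft.com"),
    "Azure US Government": ("login.microsoftonline.us", "graph.microsoft.us"),
    "Azure China": ("login.chinacloudapi.cn", "microsoftgraph.chinacloudapi.cn"),
}


@dataclass
class AzureAdConnection:
    """Mirrors the connection parameters listed above (field names are assumptions)."""
    client_id: str                        # Azure Client ID (Application ID)
    client_secret: str                    # Azure Client Secret (must not be expired)
    tenant_id: str                        # Azure Tenant ID
    cloud_environment: str = "Azure Public"
    verify_ssl: bool = True               # Verify SSL
    https_proxy: Optional[str] = None     # HTTPS Proxy, e.g. "http://proxy.internal:3128"
    proxy_user: Optional[str] = None      # HTTPS Proxy User Name
    proxy_password: Optional[str] = None  # HTTPS Proxy Password


def build_token_request(conn: AzureAdConnection):
    """Return (url, form_body) for the client-credentials grant.
    The '/.default' scope asks for exactly the application permissions granted to the
    app registration, so a read-only registration yields a read-only token."""
    login_host, graph_host = CLOUDS[conn.cloud_environment]
    url = f"https://{login_host}/{conn.tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": conn.client_id,
        "client_secret": conn.client_secret,
        "scope": f"https://{graph_host}/.default",
    })
    return url, body


def graph_base_url(conn: AzureAdConnection, beta: bool = False) -> str:
    """Base URL for the Graph calls that follow; beta=True corresponds to the
    'Allow use of BETA API endpoints' advanced setting."""
    _, graph_host = CLOUDS[conn.cloud_environment]
    return f"https://{graph_host}/{'beta' if beta else 'v1.0'}"


def build_opener(conn: AzureAdConnection) -> urllib.request.OpenerDirector:
    """Apply the Verify SSL and HTTPS Proxy settings to a urllib opener."""
    ctx = ssl.create_default_context()
    if not conn.verify_ssl:  # prefer adding the CA under SSL Trust & CA Settings instead
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if conn.https_proxy:
        proxy = conn.https_proxy
        if conn.proxy_user:  # urllib turns user:password in the proxy URL into Proxy-Authorization
            scheme, _, hostport = proxy.partition("://")
            if not hostport:  # bare "host:port" was given
                scheme, hostport = "http", scheme
            creds = (urllib.parse.quote(conn.proxy_user, safe="") + ":"
                     + urllib.parse.quote(conn.proxy_password or "", safe=""))
            proxy = f"{scheme}://{creds}@{hostport}"
        handlers.append(urllib.request.ProxyHandler({"https": proxy}))
    return urllib.request.build_opener(*handlers)


def fetch_access_token(conn: AzureAdConnection, timeout: float = 30) -> str:
    """Perform the token request (a network call; not exercised offline)."""
    url, body = build_token_request(conn)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with build_opener(conn).open(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]
```

The hostnames returned by build_token_request and graph_base_url are the only destinations this connection needs, which is useful when the HTTPS Proxy setting is used to allowlist egress from the Axonius host.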


Microsoft Azure AD - Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

  1. Fields to exclude (optional, default: empty) - Specify a comma-separated list of fields to be excluded from the fetched data.
    • If supplied, all connections for this adapter will exclude the listed fields from the raw and parsed data. For example, if this field value is "emailAddress, phoneNumber", both fields will be excluded from the raw and parsed data from all connections for this adapter.
    • If not supplied, all connections for this adapter will fetch all the assets data.
  2. Allow use of BETA API endpoints (required, default: False) - Select whether Axonius will use BETA API.
    • If enabled, all connections for this adapter will use BETA API to fetch information about users' last log-on.
    • If disabled, all connections for this adapter will not use BETA API to fetch additional information about users.
    Note:

    This setting requires enabling the following application permissions to view the last sign-in audit log information:

    • AuditLog.Read.All
    • Directory.Read.All
      As of April 6, 2022, Microsoft reports a known issue. As a workaround, it is highly recommended to add the Directory.Read.All permission. For more information, see License check errors for Azure AD activity reports.
  3. Do not fail if Intune token has expired (required, default: False) - Select whether to fail all the connections for this adapter if the Intune token expires.

    • If enabled, all connections for this adapter will not fail if the Intune token expires. Instead, the connection will work in a "regular" mode (non-Intune).
    • If disabled, all connections for this adapter will fail if the Intune token expires.
    Note:

    Axonius will create a daily system notification, starting 14 days before the Intune token is about to expire.

  4. Number of parallel requests (optional, default: 10) - Specify the maximum number of parallel requests all connections for this adapter will create when connecting to the Microsoft Azure AD cloud server.

    • If not supplied, Axonius will use the default value.
  5. Max retry count for parallel requests (optional, default: 3) - Specify how many times all connections for this adapter will retry a parallel request when the Microsoft Azure AD cloud server returns a response with an error.

    • If not supplied, Axonius will use the default value.
  6. Time in seconds to wait between retries of parallel requests (optional, default: 3) - Specify how many seconds all connections for this adapter will wait between retries when a parallel request to the Microsoft Azure AD cloud server returns a response with an error.

    • If not supplied, Axonius will use the default value.
  7. Fetch email activity from Office 365 in the last X days (required, default: 0) - Specify the number of days of email activity to fetch for each user.

    Note:

    In order to use this field, the application permissions in the Microsoft Azure Portal must include the following permission:

    • Reports.Read.All
  8. Exclude Azure AD joined devices (required, default: False) - Select whether to fetch Azure AD joined devices.

    • If enabled, all connections for this adapter will not fetch Azure AD joined devices.
    • If disabled, all connections for this adapter will fetch Azure AD joined devices.
  9. Fetch "Guest" users (required, default: True) - Select whether to fetch external users.

    • If enabled, all connections for this adapter will fetch external users from Azure AD.
    • If disabled, all connections for this adapter will not fetch external users from Azure AD.
  10. Fetch risky users information - Select whether to fetch information about risky users. Risky users are defined by the riskyUser resource type.

  11. Fetch user groups (required, default: True) - Select whether to fetch information on every group a user is a member of.

    • If enabled, all connections for this adapter will fetch user groups information.
    • If disabled, all connections for this adapter will not fetch user groups information.
  12. User groups exclude list (optional, default: empty) - When Fetch user groups is selected, users who belong to any group listed in this field will not be added to Axonius. If Fetch user groups is not selected, this field has no effect. The value is a comma-separated list of strings, matched case- and whitespace-sensitively.

    • If supplied and 'Fetch user groups' is selected, all connections for this adapter will not fetch users who belong to groups listed in this field.
    • If not supplied and 'Fetch user groups' is selected, all connections for this adapter will fetch users regardless of their groups.
  13. Fetch software information from Intune (required, default: True) - Select whether to fetch installed software from Intune.

    • If enabled, all connections for this adapter will fetch installed software from Intune.
    • If disabled, all connections for this adapter will not fetch installed software from Intune.
  14. Fetch Intune software information in the background (required, default: False) -

    • When enabled, the installed-software fetch runs in a background thread and the information retrieved is assigned to its "originating" device on the next device fetch. The background thread re-fetches the information every 5 hours, similar to having a fetch cycle for this information alone once every 5 hours.
    • When disabled, installed Intune software information is fetched as part of the device fetch, as defined in "Fetch software information from Intune".
  15. Fetch nested groups - Select to fetch groups that belong to other groups.

  16. Fetch user groups in the background (required, default: False) -

    • When enabled, information about user groups is fetched in a background thread and the information retrieved is assigned to its "originating" device on the next device fetch. The background thread re-fetches the information every 5 hours, similar to having a fetch cycle for this information alone once every 5 hours.
    • When disabled, user group information is fetched as part of the device fetch, as defined in "Fetch user groups".
  17. Fetch users authentication methods (required, default: True) - Select to fetch data from the users' authentication_methods endpoint. When this is cleared, data is not fetched from the authentication_methods endpoint.

  18. Fetch mobile devices (required, default: True) - Select whether to fetch mobile devices.

    • If enabled, all connections for this adapter will also fetch mobile devices.
    • If disabled, all connections for this adapter will not fetch mobile devices.
  19. Fetch Windows Defender Compliance state (required, default: False) - Select whether to collect the "Windows10CompliancePolicy.DefenderEnabled" compliance state for any Intune device into the "Windows 10 Defender Enabled State" field of the adapter.

    • When enabled, all connections for this adapter will collect the 'Windows10CompliancePolicy.DefenderEnabled' compliance state.
    • When disabled, all connections for this adapter will not collect the 'Windows10CompliancePolicy.DefenderEnabled' compliance state.
  20. Fetch Device Owner (required, default: False) - Select whether to fetch device ownership (username and email) information on all connections for this adapter.

  21. Avoid duplications in names (required, default: False) - Select whether to create only one adapter entity when entities fetched from Azure AD share the same name multiple times. In this case, only one adapter entity is created in Axonius, using the record with the most recent Last Seen value.

  22. Fetch device groups - Select whether to fetch information on every Azure AD group for every device.

  23. Fetch Users managers - Select whether to fetch information about the managers of Azure AD users.

  24. Fetch users license details - Select whether to fetch the license details for users.

  25. Use Beta API in Intune - Select to use the beta API to fetch Intune devices. If this option is cleared, the regular API is used.

  26. Intune OS filter - Select whether to filter the Intune devices fetched by operating system. The default value is All. You can choose to fetch only Windows devices.

  27. Populate Cloud Provider Account Name aggregated field (required, default: True) - When this parameter is not set, the "Cloud Provider Account Name" aggregated field will not be populated for Azure AD devices.

  28. Do not fetch devices if Device Disabled field equals Yes (optional, default: False) - Select to exclude disabled devices from the fetch.

  29. Pre-fetch of logins activity (optional, default: True) - Select to fetch the login activities of all users and match them to their records, to improve performance during the fetch process.
    Note: This option is only effective if the Use Beta API in Intune option is selected.
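As an added example (not Axonius code, and not part of the original page), the following Python shows the filtering behaviour described by three of the settings above: Fields to exclude (which removes the named fields from both raw and parsed data), Device groups blocklist, and User groups exclude list (which only applies when Fetch user groups is selected and matches group names exactly, case- and whitespace-sensitively). The record shapes, the setting keys and the sample users and devices are constructed for this example; the whitespace trimming for Fields to exclude is inferred from the page's own "emailAddress, phoneNumber" example.

```python
"""Added example (not Axonius code): the filtering that 'Fields to exclude',
'Device groups blocklist' and 'User groups exclude list' describe, applied to
constructed sample records. Record shapes, setting keys and names are assumptions."""


def parse_csv_setting(value, strip=True):
    """Split a comma-separated setting into a list of strings.
    strip=True trims whitespace: the page's example 'emailAddress, phoneNumber'
    excludes both fields, so the space after the comma cannot be significant.
    strip=False keeps each value exactly as typed, which is what the page states for
    'User groups exclude list' (case- and whitespace-sensitive)."""
    if not value:
        return []
    parts = value.split(",")
    if strip:
        parts = [p.strip() for p in parts]
    return [p for p in parts if p != ""]


def exclude_fields(record, fields):
    """Return a copy of record with the listed keys removed at every nesting level,
    so a field disappears from the raw (nested) data and the parsed (flat) data alike."""
    excluded = set(fields)

    def scrub(obj):
        if isinstance(obj, dict):
            return {k: scrub(v) for k, v in obj.items() if k not in excluded}
        if isinstance(obj, list):
            return [scrub(v) for v in obj]
        return obj

    return scrub(record)


def has_blocked_group(entity, blocked_groups):
    """Exact match on group names: 'Contractors' matches neither 'contractors'
    nor 'Contractors ' (trailing space)."""
    return any(g in blocked_groups for g in entity.get("memberOf", []))


def apply_fetch_settings(users, devices, settings):
    """Apply the three settings and return (kept_users, kept_devices)."""
    fields = parse_csv_setting(settings.get("fields_to_exclude", ""))
    device_block = parse_csv_setting(settings.get("device_groups_blocklist", ""))
    # The user-group exclude list has no effect unless 'Fetch user groups' is selected.
    if settings.get("fetch_user_groups", True):
        user_excl = parse_csv_setting(settings.get("user_groups_exclude_list", ""), strip=False)
    else:
        user_excl = []
    kept_users = [exclude_fields(u, fields) for u in users if not has_blocked_group(u, user_excl)]
    kept_devices = [exclude_fields(d, fields) for d in devices if not has_blocked_group(d, device_block)]
    return kept_users, kept_devices


# Constructed sample data (not real tenant data).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.test", "emailAddress": "alice@example.test",
     "memberOf": ["Finance", "All Staff"],
     "raw": {"phoneNumber": "+1-555-0100", "nested": {"emailAddress": "alice@example.test"}}},
    {"userPrincipalName": "bob@example.test", "emailAddress": "bob@example.test",
     "memberOf": ["Contractors", "All Staff"], "raw": {"phoneNumber": "+1-555-0101"}},
    {"userPrincipalName": "carol@example.test", "emailAddress": "carol@example.test",
     "memberOf": ["contractors"], "raw": {}},  # lowercase: not an exact match, so kept
]
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-01", "memberOf": ["Lab Devices"], "raw": {"phoneNumber": ""}},
    {"displayName": "LAPTOP-02", "memberOf": ["Corp Devices"], "raw": {}},
]
SAMPLE_SETTINGS = {
    "fields_to_exclude": "emailAddress, phoneNumber",
    "fetch_user_groups": True,
    "user_groups_exclude_list": "Contractors",
    "device_groups_blocklist": "Lab Devices",
}

if __name__ == "__main__":
    kept_users, kept_devices = apply_fetch_settings(SAMPLE_USERS, SAMPLE_DEVICES, SAMPLE_SETTINGS)
    print([u["userPrincipalName"] for u in kept_users], [d["displayName"] for d in kept_devices])
```

Because the exclude list is matched exactly, a group typed as "contractors" or "Contractors " will silently fail to exclude anyone; check the kept-user count after changing the setting rather than assuming the filter took effect.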
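As a second added example (again not Axonius code, and not part of the original page), the following Python makes concrete what Number of parallel requests, Max retry count for parallel requests and Time in seconds to wait between retries of parallel requests mean operationally: a cap on in-flight requests, a bounded number of re-attempts per request after an error response, and a fixed pause between those re-attempts. The FakeGraph class is a constructed stand-in for the Microsoft Azure AD cloud server; the function names and the error model are assumptions.

```python
"""Added example (not Axonius code): parallel page fetching with a concurrency cap,
bounded retries and a fixed wait between retries, run against a constructed fake
endpoint. Names and the error model are assumptions for this example."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class TransientGraphError(Exception):
    """Stands in for an error response (for example HTTP 429 or 503) from the server."""


class FakeGraph:
    """Constructed stand-in for the cloud server: page `p` fails `failures_per_page[p]`
    times and then succeeds. Records the peak number of concurrent in-flight calls so
    the concurrency cap can be checked."""

    def __init__(self, failures_per_page):
        self.failures_left = dict(failures_per_page)
        self.lock = threading.Lock()
        self.in_flight = 0
        self.peak_in_flight = 0
        self.calls = 0

    def get_page(self, page_id):
        with self.lock:
            self.calls += 1
            self.in_flight += 1
            self.peak_in_flight = max(self.peak_in_flight, self.in_flight)
            remaining = self.failures_left.get(page_id, 0)
            if remaining > 0:
                self.failures_left[page_id] = remaining - 1
                self.in_flight -= 1
                raise TransientGraphError(f"503 on page {page_id}")
        try:
            time.sleep(0.01)  # pretend network latency so calls overlap
            return {"page": page_id, "value": [f"device-{page_id}-{i}" for i in range(3)]}
        finally:
            with self.lock:
                self.in_flight -= 1


def fetch_with_retries(get_page, page_id, max_retries, wait_seconds):
    """One request plus up to max_retries re-attempts, sleeping wait_seconds between
    them. Returns (result, attempts); re-raises the last error once retries run out."""
    attempts = 0
    while True:
        attempts += 1
        try:
            return get_page(page_id), attempts
        except TransientGraphError:
            if attempts > max_retries:
                raise
            time.sleep(wait_seconds)


def fetch_all_pages(get_page, page_ids, parallel_requests=10, max_retries=3, wait_seconds=3):
    """Fetch every page with at most parallel_requests in flight at once (the page's
    defaults are 10 / 3 / 3). A page whose retries are exhausted is reported in
    `failed` instead of aborting the whole fetch, so one bad page does not lose the
    rest of the inventory; the caller decides whether a partial fetch is acceptable."""
    results, failed, attempts = {}, {}, {}

    def worker(page_id):
        try:
            results[page_id], attempts[page_id] = fetch_with_retries(
                get_page, page_id, max_retries, wait_seconds)
        except TransientGraphError as exc:
            failed[page_id] = str(exc)

    with ThreadPoolExecutor(max_workers=parallel_requests) as pool:
        list(pool.map(worker, page_ids))
    return results, failed, attempts


if __name__ == "__main__":
    graph = FakeGraph({2: 2, 5: 4})  # page 2 fails twice, page 5 fails four times
    ok, bad, tries = fetch_all_pages(graph.get_page, range(8), parallel_requests=3,
                                     max_retries=3, wait_seconds=0)
    print(sorted(ok), bad, tries, "peak in flight:", graph.peak_in_flight)
```

With the defaults, a request that keeps failing costs 1 + 3 attempts and 3 pauses of 3 seconds, so raising the retry count or the wait lengthens the worst-case fetch time linearly per failing request; raising the parallel-request count shortens the fetch but also increases the chance of the server answering with throttling errors.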

Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Creating an application in the Microsoft Azure Portal

For details, see Creating an application in the Microsoft Azure Portal.


