- 21 Sep 2023
- 21 Minutes to read
Microsoft Azure Active Directory (Azure AD) and Microsoft Intune
- Updated on 21 Sep 2023
- 21 Minutes to read
This article covers the details for connecting Microsoft Azure Active Directory (Azure AD) and Microsoft 365
For Microsoft Azure, refer to Microsoft Azure.
- Microsoft Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory, and identity management service.
- Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that integrates closely with Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection.
- Microsoft 365, formerly Office 365, is a cloud-based suite of productivity apps offered by Microsoft like Outlook, Word, PowerPoint, and more.
About Microsoft Azure Active Directory (Azure AD)
Azure Active Directory is an Identity and Access Management Service hosted within Microsoft’s Azure public cloud. It allows administrators to manage the provisioning of users, enterprise applications, and devices.
Use cases the adapter solves
Connecting Azure AD to Axonius allows you to gain visibility into all registered devices and users that are a part of your Azure AD tenant. With this information you can evaluate devices that may be missing agents required for monitoring, devices missing from vulnerability assessment scopes, or evaluate permissions for your users, groups, or registered azure applications.
Data retrieved by Azure AD
The Azure AD adapter is able to fetch a wide variety of user and device data, including usernames, group membership details, device ownership, user license details, login activity/risky user assessments, O365 activity, and more.
Axonius has a built-in enforcement for adding selected users/devices to an Azure AD group for further processing by administrators. Axonius users can also take advantage of on-premises Active Directory enforcements if they are running in a hybrid deployment model.
Related Enforcement Actions:
- Microsoft Azure (Azure AD) - Add or Remove Assets in Group
- Microsoft Azure (Azure AD) - Delete Assets
- Microsoft Azure (Azure AD) - Enable Assets
- Microsoft Azure (Azure AD) - Disable Assets
Types of Assets Fetched
This adapter fetches the following types of assets:
- SaaS data
The Microsoft Azure Active Directory AD (Azure AD) adapter fetches devices from the Microsoft Azure Cloud Environment.
To connect to Microsoft Azure AD, you need to create a Designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.
- Azure Client ID (required) -The Application ID of the Axonius application.
- Azure Client Secret (required) - Specify a non-expired key generated from the new client secret.
- Azure Tenant ID (required) - Microsoft Azure Active Directory ID.
- Verify SSL - (required, default: False) - Verify the SSL certificate offered by the value supplied in Microsoft Azure Active Directory. For more details, see SSL Trust & CA Settings.
- If enabled, the SSL certificate offered by the value supplied in Microsoft Azure Active Directory will be verified against the CA database inside of Axonius. If the SSL certificate can not be validated against the CA database inside of Axonius, the connection will fail with an error.
- If disabled, the SSL certificate offered by the value supplied in Microsoft Azure Active Directory will not be verified against the CA database inside of Axonius.
- Account Sub Domain (Only for accounts with SaaS Management capability) - The Microsoft account's sub domain (<sub_domain>.onmicrosoft.com).
- User Name and Password (optional) (Only for accounts with SaaS Management capability) - The credentials for a user account that has the permissions needed to fetch SaaS data.
- 2FA Secret Key (optional) (Only for accounts with SaaS Management capability) - The secret generated in Microsoft Azure Active Directory for setting up 2-factor authentication for the Microsoft user.
- SSO Provider - If your organization uses Microsoft Azure Active Directory for SSO, you can select this check box.
For more information, see Connecting your SSO Solution Provider Adapter.
- Cloud Environment - Select your Microsoft Azure or Microsoft Azure AD cloud environment type.
- Azure Oauth Authorization Code (optional) - The authorization code to connect to Microsoft Intune. This is a legacy option to allow Oauth delegated authentication.
- Azure OAuth - Redirect URI/Reply URL - The location where the authorization server sends the user once the Azure has been successfully authorized and granted an authorization code or an access token. For more information, see Redirect URI (reply URL) restrictions and limitations.
- Is Azure AD B2C -
- If selected, Axonius will consider that this Microsoft Azure AD adapter connection is configured as B2C.
- If cleared, Axonius will not consider that this Microsoft Azure AD adapter connection is configured as B2C.
- Account Tag (optional) - Tag for the Azure Cloud instance ("nickname").
- If specified, Axonius will tag all devices fetched from this adapter connection.
- If left blank, Axonius will not tag any of the devices fetched from this adapter connection.
- Device Groups Blocklist (optional) - Enter a group or groups whose devices will be ignored and not fetched. If you want to enter more than one group, separate with commas.
- HTTPS Proxy (optional) - A proxy to use when connecting to the selected Microsoft Azure / Azure AD cloud environment.
- HTTPS Proxy User Name and Password (optional) - The user name and password to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Microsoft Azure AD - Advanced Settings
Advanced settings can either apply for all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection, refer to Advanced Configuration for Adapters.
Fields to exclude (optional) - Specify a comma-separated list of fields to be excluded from the fetched data.
- If supplied, all connections for this adapter will exclude the listed fields from the raw and parsed data. For example, if this field value is "emailAddress, phoneNumber", both fields will be excluded from the raw and parsed data from all connections for this adapter.
- If not supplied, all connections for this adapter will fetch all the assets data.
Allow use of BETA API endpoints - Select whether Axonius will use the Beta API to fetch users' last log-in.Note:
This setting requires enabling the following application permissions to view the last sign-in audit log information:
As of April 6, 2022, Microsoft reports a known issue. As a workaround, it is highly recommended to add the Directory.Read.All permission. For more information, see License check errors for Azure AD activity reports.
Number of parallel requests (optional, default: 100) - Specify the maximum number of parallel requests to obtain paged data from the Microsoft Azure AD cloud server.
Max retry count for parallel requests (optional, default: 3) - Specify how many times all connections for this adapter will retry a parallel request when the Microsoft Azure AD cloud server returns a response with an error.
- If not supplied, Axonius will use the default value.
Time in seconds to wait between retries of parallel requests (optional, default: 3) - Specify how many seconds all connections for this adapter will wait in between each retry when a parallel request to the Microsoft Azure AD cloud server returns a response with an error.
- If not supplied, Axonius will use the default value.
Fetch email activity from Office 365 in the last X days (required, default: 0) - Specify the number of days to fetch email activity per each user. The email activities include:
- Deleted users
- Dates of account deletion of users
- Number of times an email send action was recorded
- Number of times an email received action was recorded
- Number of times an email read action was recorded
- Last time any user performed a read or send email activity
- Report period
- Products that are assigned to the users
In order to use this field the application permissions in Microsoft Azure Portal must include the following permissions:
To unhide user-level information within O365, a global administrator needs to make that change in the Microsoft 365 admin center.
In the admin center, go to the Settings > Org Settings > Services page.
Clear the statement Display concealed user, group, and site names in all reports, and then save the changes. Refer to Microsoft Documentation - Show User Details in the Reports
Exclude Azure AD joined devices - Select whether to fetch Azure AD joined devices.
- If enabled, all connections for this adapter will not fetch Azure AD joined devices.
- If disabled, all connections for this adapter will fetch Azure AD joined devices.
Fetch custom user flow attributes (Requires IdentityUserFlow.Read.All permission) - Select this option to fetch extra custom user flow attributes to be added dynamically to the User’s assets data.
Fetch "Guest" users (required, default: true) - Select whether to fetch external users.
- If enabled, all connections for this adapter will fetch external users from Azure AD.
- If disabled, all connections for this adapter will not fetch external users from Azure AD.
Fetch only devices - Select this option to only fetch devices and not fetch users. Only Device.Read.All permissions are required here, and the permission “Directory.Read.All” is not required.
Fetch only users with account enabled (optional) - Select to fetch only users with an account enabled in the Azure AD.
Fetch risky users information - Select whether to fetch information about risky users. Information includes:
- If the user was deleted
- Is processing
- Date the user last updated
- Risk level
- Risk state
- Risk details
Fetch risky users information with selected Level (required, default High)- Select levels of risky users' information to fetch. Otherwise all levels are fetched
Fetch risky users information with selected 'State' (required, Default - At Risk, Confirmed Compromised.) - Select states of risky users' information to fetch. Otherwise all states are fetched.
User groups exclude list (optional) - When Fetch user groups is selected, users who have groups listed in this field will not be added to Axonius. If Fetch user groups is not selected, this field has no effect. The contents of this field are comma-separated strings, which are case and space sensitive.
- If supplied and Fetch user groups is selected, all connections for this adapter will not fetch users who have groups listed in this field.
- If not supplied and Fetch user groups is selected, all connections for this adapter will fetch users regardless of their groups.
Fetch software information from Intune (required, default: Disabled) - Select whether to fetch installed software from Intune.
- When set to 'Disabled', no installed software is fetched from Intune.
- 'Enabled in Normal Fetch' fetches installed software from Intune during the regular fetch time.
- 'Enabled in Background' schedules the fetch of installed software from Intune outside the regular fetch time.
Fetch devices from Intune (required, default: true) - Select whether to fetch devices from Intune.
Fetch the device's total memory from Intune (default, false) - Select this option to fetch the total size of the RAM of the device from the Intune BETA API. In order to use this option, you need to enable Fetch devices from Intune.
Fetch user groups (required, default: true) - Select whether to fetch information on every group a user is a member.
- If enabled, all connections for this adapter will fetch user groups information.
- If disabled, all connections for this adapter will not fetch user groups information.
Fetch user app roles - Select whether to retrieve the app roles that are assigned to a user.Note:
If selected, you must have either the Directory.Read.All or AppRoleAssignment.ReadWrite.All permission.
Fetch group app roles (Permissions required Directory.Read.All or AppRoleAssignment.ReadWrite.All) (default: False) - Set this option to fetch group app. roles and present the applications that are being used as an asset of the type Group. Refer to List appRoleAssignments granted to a group for further information.
Fetch user assigned roles (Permissions required Directory.Read.All or RoleManagement.Read.Directory) (optional) - Select whether to fetch the assigned roles of a user. When Allow use of BETA API endpoints is also selected, then transitive assigned roles are also fetched.
Fetch nested groups - Select to fetch groups that belong to other groups.
Fetch users Last Sign-In - How to fetch (required, default Disabled) - Define how to fetch the data about the users Last Sign-in. Use this setting together with ‘Fetch users Last Sign-In - API to use’.
- When set to 'Disabled' no data about users last sign in is fetched, and the ‘Fetch users Last Sign-In - API to use’. Setting will also be disabled.
- 'Enabled in Normal Fetch' fetches the information during the regular fetch time.
- 'Enabled in Background' schedules the fetch of this information outside the regular fetch time.
Fetch users authentication methods (required, default: true) - Select to fetch data from the users authentication_methods endpoint. When this is cleared data is not fetched from the authentication_methods endpoint.
Fetch user Last Sign-In - API to use (required, default Disabled) - Select the type of API the adapter uses to fetch information when 'Fetch users Last Sign-In - How to fetch' is not set to 'Disabled'.
- 'Use Regular API' - fetches only 30 days of users Sign-In in activity, with geolocation and device data. Requires normal license
- 'Use BETA API' - fetches all the possible users last Sign-In activity, with no geo and device data. Requires BETA license.
- 'Use Both APIs' - fetch all data from both APIs
Fetch mobile devices (required, default: true) - Select whether to fetch iOS and Android devices.
Avoid duplications in names - Select whether to create only one device when you fetch entities from Azure AD that contain the same name multiple times. In this case create only one device in Axonius using the name with the most recent last seen properties.
Fetch Windows Defender Compliance state - Select whether to collect “Windows10CompliancePolicy.DefenderEnabled” Compliance state for any Intune device to the ”Windows 10 Defender Enabled State” field of the adapter.
- When enabled, all connections for this adapter will collect the 'Windows10CompliancePolicy.DefenderEnabled' Compliance state.
- When disabled, all connections for this adapter will not collect the 'Windows10CompliancePolicy.DefenderEnabled' Compliance state.
Fetch device owner - Select whether to fetch device ownership (username and email) information on all connections for this adapter.
Fetch device groups - Select whether to fetch information on every Azure AD group for every device.
Fetch Users managers - Select whether to fetch information about managers of Azure AD users.
Fetch users license details - Select whether to fetch the licenses assigned to a given user.
Configure the fetch duration of Microsoft 365 email activity via Fetch email activity from Office 365 in the last X days.
- Use Beta API in Intune - Select to use the beta API to fetch Intune devices. If this option is cleared, the regular API is used.
- Intune OS filter - Select whether to filter the Intune devices fetched by Operating System. The default value is All. You can choose to only fetch Windows devices.
- Custom filter expression for fetching devices (optional) - Enter a filter expression to exclude Azure Active Directory devices from the fetch. For more information, see Operators and Functions Supported in $filter Expressions and Device Properties.
- Custom filter expression for fetching Intune devices (optional) - Enter a filter expression to exclude Intune devices from the fetch. For more information, see Operators and Functions Supported in $filter Expressions and Intune Managed Device Properties.
- Populate Cloud Provider Account Name aggregated field (required, default: true) - When this parameter is not set, the "Cloud Provider Account Name" aggregated field is not populated for devices for Azure AD.
- Do not fetch devices if Device Disabled field equals Yes (optional) - Select to exclude disabled devices from the fetch.
- Fetch only devices with last seen - Select this option to only fetch devices which have last seen.
- Fetch service principal as Users (default false) - Select this option to fetch service principals.
- Fetch Encryption Details from BETA Intune API (required, default false) - Select this option to fetch more detailed data about the encryption state of devices (requires Beta and Intune licenses).
- Fetch Windows Endpoint Protection Configuration from BETA Intune API - Select this option to fetch Windows Endpoint Protection Configuration.
- Fetch Device Compliance Policies Details (required, default false) - Select this option to fetch information about the states of the compliance policies (Requires Intune License).
- Fetch Device Local Credentials (LAPS) from BETA Graph API - Select this option to fetch information about the local administrator credential information for all device objects that are enabled with Local Admin Password Solution (LAPS).
- Fetch Device Information Protection - Bitlocker Recovery Key - Select this option to fetch information about Bitlocker Recovery Key for all device objects that have a stored Bitlocker key.
This setting only works with OAuth authentication and a delegated permission for all the assets that you want to retrieve. For more information, see Microsoft identity platform and OAuth 2.0 authorization code flow.
- Custom filter expression for fetching users (optional) - Enter a filter expression to exclude Azure Active Directory users from the fetch. For more information, see Use the Filter Query Parameter, Advanced query capabilities on Azure AD objects and User resource type.
- Fetch audit activities (Only for accounts with SaaS Management capability) - Select this option to fetch audit activities.
- Fetch user extensions (service principal) (Only for accounts with SaaS Management capability)- Select this option to fetch user extensions.
- Fetch user assigned eligibility schedule - Select this option to fetch role eligibility schedule instances of groups.
- Fetch managed app registrations from MAM - Select this option to fetch managed app registrations from MAM.
- Fetch all directory roles - Select this option to fetch all directory roles.
- Use asset name as hostname if hostname undefined - Select this option so if the hostname value is not defined, the hostname for each device will take the asset name as its value.
For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
Axonius must be able to communicate with the value supplied in DC Address via the following ports:
- TCP/UDP port 389.
- TCP port 636 - if the Use SSL for connection checkbox is enabled.
- TCP port 3268 - if the Connect to Global Catalog (GC) checkbox is enabled.
- TCP port 3269 - if both Use SSL for connection and Connect to Global Catalog (GC) checkboxes are enabled.
- Custom Port - If you set a custom port in DC Address, this must be available.
Create an Application Key
Navigate to Microsoft Azure Admin Center > Azure Active Directory > Applications > Enterprise Applications.
Click New application.
From the Azure AD gallery, Click Create your own application.
In the Create your own application panel:
- Enter a What’s the name of your app of your choice (e.g. Axonius app).
- Select Register an application to integrate with Azure AD.
- Click Create.
- Enter a user-facing display name of your choice for this application (for example, "Axonius app display").
- Select Accounts in this organizational directory only.
- Click Register.
Go to Microsoft Azure admin center > Azure Active Directory > Enterprise applications.
From the All Applications page, click the application registrations link.
Select the newly created application.
Hover over the Application (client) ID field and click to copy the ID.
In Axonius, paste the copied ID in the Azure Client ID field in the Adapter setup.
Hover over the Directory (tenant) ID field and click to copy the ID.
In Axonius, paste the copied ID in the Azure Tenant ID field in the Adapter setup.
Back in Azure, from the Manage left-menu, select Certificates & secrets.
Under Client Secrets, click New client secret.
In the Create secret panel, set the expiration time to the furthest possible date (24 months or higher).
Paste the copied secret into the Azure Client Secret field in Axonius.
This section details how you can set permissions for the user you created that allow the adapter to import and sync data with Azure AD, Microsoft 365 and Intune.
From the Manage left-menu, select API Permissions.
From the API permissions page, click Add a permission.
- In the Request API permissions window, under the Microsoft APIs tab, click Microsoft Graph.
- Select Application permissions.
- Use the search bar to locate and select the permissions. See Required Permissions for the full list of relevant permissions and what they are each needed for.
- Click Add permissions.
From the API permissions page, click Grant admin consent for Default Directory, and approve the request.
This table summarizes permissions that Axonius requires to fetch various Azure resources.
Use this information both to enable required permissions, and to only apply necessary permissions.
You need to set the desired permissions as both delegated and application permissions.
If you configure AzureAD using OAuth, then you also need to set delegated permissions for all the assets (users, devices, groups, local credentials, etc.) that you want to retrieve.
|Fetch Office365 activity endpoints (and SaaS data)||AuditLog.Read.all|
|Last sign-in audit log information||AuditLog.Read.All|
|Azure AD Intune||DeviceManagementApps.Read.All |
Directory.read.all (also for SaaS data)
|Fetch Risky Users information||IdentityRiskyUser.Read.All|
|Allow fetching MFA enrollment status for users setting||Reports.Read.all|
|Application / Delegated permissions||User.read.all|
|Fetch authentication method (if the Allow use of Beta API endpoints setting is enabled)||UserAuthenticationMethod.Read.All|
|MCAS data||Discovery.read |
|Group app roles||Directory.Read.All or |
Additional permissions may be required to use Enforcement Actions. For more information see the relevant EC action documentation.
Create a User Account
You can create a new user account for fetching SaaS data.
The user account is only relevant for fetching SaaS data.
The Username and Password that you create should be used for the optional UserName and Password connection parameters.
Go to Microsoft 365 admin center > Users > Active users.
Click Add a user.
Enter a Display name of your choice.
Enter a Username of your choice (for example: usr_axonius).
Back in Axonius, in the User Name field, enter the user name and domain name using the format 'username@domainname'.
For example: email@example.com.
In the Admin Center, enter a strong password.
It's best practice for the password to contain 32 characters.
Copy the password and, back in Axonius, paste it in the Password field.
In the Microsoft 365 Admin Center, clear the Require this user to change their password when they first sign in checkbox.
Select Create user without product license.
Click Roles, then select Admin center access.
Select Global reader.
Click Finish adding.
Enable or Exclude Multi-Factor Authentication
Depending on your organization's security policies or exclude the user from the MFA policy.
This section is only relevant for accounts with SaaS Management capability.
You should perform only one of the processes in this section.
Enable MFA for the User Account
Enable MFA for newly created user account:
- Navigate to Microsoft 365 Admin Center > Users > Active users and click Multi-Factor Authentication.
- Open the service settings tab.
- Under the Methods available to users setting, select the Verification code from mobile app or hardware token option.
- Click Save.
- Navigate to the users tab.
- Select the newly created user and in the Quick Steps section on the right, click Enable.
- When prompted, select enable multi factor auth.
- Navigate to Microsoft 365 Admin Center > Users > Active users and click Multi-Factor Authentication.
Configure the Authenticator app and generate the secret key:
a. Log into Microsoft 365 with the newly created user account.
b. Click the account profile avatar and select View account.
c. From the left menu, select Security Info.
d. Click Add sign-in method and select Authenticator app.
f. Click Add.
g. In the Microsoft Authenticator page, click I want to use a different authenticator app.
h. Click Next until a QR code is displayed.
i. Click Can't scan image?.
j. Click to copy the Secret key.
k. Back in Axonius, paste the copied code in the 2fa Secret Key field.
Generate the verification code:
- Back in the Azure MFA Configuration panel, click Scan QR Code to display the QR Code again.
- Open the Google Authenticator on your device and click +.
- Scan the QR code. Google Authenticator displays a verification code.
- Copy the verification code that appears in the field below.
- Enter the verification code in Azure MFA Configuration and click Verify.
Exclude the User Account from Multi-Factor Authentication
If your organization's security policy allows it, you can exclude the user you created from the MFA policy by excluding a designated IP range. After you exclude the account from MFA, follow these steps to set up exclusions from conditional access policies.
Before performing this procedure, contact Axonius support for the list of IP ranges to exclude.
In Axonius, ensure that the Enable 2FA checkbox is cleared.
Go to Microsoft Azure admin center > Azure Active Directory > Security > Named locations.
Click Configure multifactor authentication trusted IPs.
Add the Axonius IP ranges.
Exclude from Conditional Access Policies
Navigate to Microsoft Azure admin center > Azure Active Directory > Security > Conditional Access.
Click a policy.
Open the Users or workload identities.
Under the What does this policy apply to? section, select Users and groups.
Select the Users and groups checkbox.
Open the Select excluded users and search for the newly created user account. Click the account and then click Select.
Repeat the process for each policy on the Conditional Access page.