Microsoft Azure Active Directory (Azure AD) and Microsoft Intune
  • 30 Nov 2022

This article covers the details for connecting Microsoft Azure Active Directory (Azure AD)
For Microsoft Azure, refer to Microsoft Azure.

This article includes:

Microsoft Azure Active Directory (Azure AD)
1. Microsoft Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory, and identity management service.
2. Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that integrates closely with Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection.

Types of Assets Fetched

These adapters fetch the following types of assets:

  • Devices
  • Users

About Microsoft Azure Active Directory (Azure AD)

Azure Active Directory is an Identity and Access Management Service hosted within Microsoft’s Azure public cloud. It allows administrators to manage the provisioning of users, enterprise applications, and devices.

Use cases the adapter solves

Connecting Azure AD to Axonius gives you visibility into all registered devices and users that are part of your Azure AD tenant. With this information you can identify devices that are missing agents required for monitoring, devices missing from vulnerability assessment scopes, or evaluate permissions for your users, groups, or registered Azure applications.

Data retrieved by Azure AD
The Azure AD adapter is able to fetch a wide variety of user and device data, including usernames, group membership details, device ownership, user license details, login activity/risky user assessments, O365 activity, and more.

Enforcements
Axonius has a built-in enforcement for adding selected users/devices to an Azure AD group for further processing by administrators. Axonius users can also take advantage of on-premises Active Directory enforcements if they are running in a hybrid deployment model.


Parameters

Microsoft Azure AD

The Microsoft Azure Active Directory (Azure AD) adapter fetches devices from the Microsoft Azure Cloud Environment.

To connect to Microsoft Azure AD, you need to create a Designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.

  1. Azure Client ID (required) - The Application ID of the Axonius application.

  2. Azure Client Secret (required) - Specify a non-expired key generated from the new client secret.

  3. Azure Tenant ID (required) - Microsoft Azure Active Directory ID.

  4. Cloud Environment (required) - Select your Microsoft Azure or Microsoft Azure AD cloud environment type.

  5. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional, default: empty, relevant only for Microsoft Azure) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premises server) and the URL for the Azure Stack Hub Resource String.

    • If specified, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from Microsoft Azure cloud server.
    • If left blank, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from Microsoft Azure Stack Hub server.
  6. Azure OAuth Authorization Code (optional, default: empty, relevant only for Microsoft Intune) - The authorization code to connect to Microsoft Intune. This is a legacy option to allow OAuth delegated authentication.

  7. Is Azure AD B2C

    • If selected, Axonius treats this Microsoft Azure AD adapter connection as configured for B2C.
    • If cleared, Axonius does not treat this Microsoft Azure AD adapter connection as configured for B2C.
  8. Account Tag (optional) - Tag for the Azure Cloud instance ("nickname").

    • If specified, Axonius will tag all devices fetched from this adapter connection.
    • If left blank, Axonius will not tag any of the devices fetched from this adapter connection.
  9. Device groups blocklist (optional) - Enter a group or groups whose devices will be ignored and not fetched. If you want to enter more than one group, separate with commas.

  10. Verify SSL (required, default: true) - Select to verify the SSL certificate offered by the selected Microsoft Azure / Azure AD cloud environment. For more details, see SSL Trust & CA Settings.

  11. HTTPS Proxy (optional) - A proxy to use when connecting to the selected Microsoft Azure / Azure AD cloud environment.

  12. HTTPS Proxy User Name (optional) - The user name to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.

  13. HTTPS Proxy Password (optional) - The password to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.

  14. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Microsoft Azure AD - Advanced Settings

Note:

From Version 4.6, advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

  1. Fields to exclude (optional) - Specify a comma-separated list of fields to be excluded from the fetched data.
    • If supplied, all connections for this adapter will exclude the listed fields from the raw and parsed data. For example, if this field value is "emailAddress, phoneNumber", both fields will be excluded from the raw and parsed data from all connections for this adapter.
    • If not supplied, all connections for this adapter will fetch all the assets data.
  2. Allow use of BETA API endpoints - Select whether Axonius will use BETA API.
    • If enabled, all connections for this adapter will use BETA API to fetch information about users' last log-on.
    • If disabled, all connections for this adapter will not use BETA API to fetch additional information about users.
    Note:

    This setting requires enabling the following application permissions to view the last sign-in audit log information:

    • AuditLog.Read.All
    • Directory.Read.All
      As of April 6, 2022, Microsoft reports a known issue. As a workaround, it is highly recommended to add the Directory.Read.All permission. For more information, see License check errors for Azure AD activity reports.
  1. Do not fail if Intune token has expired - Select whether to fail all the connections for this adapter if the Intune token expires.

    • If enabled, all connections for this adapter will not fail if the Intune token expires. Instead, the connection will work in a "regular" mode (non-Intune).
    • If disabled, all connections for this adapter will fail if the Intune token expires.
    Note:

    Axonius will create a daily system notification, starting 14 days before the Intune token is about to expire.

  2. Number of parallel requests (optional, default: 10) - Specify the maximum number of parallel requests to obtain paged data from the Microsoft Azure AD cloud server.

  3. Max retry count for parallel requests (optional, default: 3) - Specify how many times all connections for this adapter will retry a parallel request when the Microsoft Azure AD cloud server returns a response with an error.

    • If not supplied, Axonius will use the default value.
  4. Time in seconds to wait between retries of parallel requests (optional, default: 3) - Specify how many seconds all connections for this adapter will wait in between each retry when a parallel request to the Microsoft Azure AD cloud server returns a response with an error.

    • If not supplied, Axonius will use the default value.
  5. Fetch email activity from Office 365 in the last X days (required, default: 0) - Specify the number of days of email activity to fetch for each user. The email activities include:

    • Deleted users
    • Dates of account deletion of users
    • Number of times an email send action was recorded
    • Number of times an email received action was recorded
    • Number of times an email read action was recorded
    • Last time any user performed a read or send email activity
    • Report period
    • Products that are assigned to the users
    Note:

    In order to use this field the application permissions in Microsoft Azure Portal must include the following permissions:

    • reports.Read.All
  6. Exclude Azure AD joined devices - Select whether to fetch Azure AD joined devices.

    • If enabled, all connections for this adapter will not fetch Azure AD joined devices.
    • If disabled, all connections for this adapter will fetch Azure AD joined devices.
  7. Fetch "Guest" users (required, default: true) - Select whether to fetch external users.

    • If enabled, all connections for this adapter will fetch external users from Azure AD.
    • If disabled, all connections for this adapter will not fetch external users from Azure AD.
  8. Fetch risky users information - Select whether to fetch information about risky users. Information includes:

    • If the user was deleted
    • Is processing
    • Date the user last updated
    • Risk level
    • Risk state
    • Risk details

    Risky users are defined in riskyUser resource type and in What is risk?.

  9. Fetch user groups (required, default: true) - Select whether to fetch information on every group a user is a member of.

    • If enabled, all connections for this adapter will fetch user groups information.
    • If disabled, all connections for this adapter will not fetch user groups information.
  10. Fetch user app roles - Select whether to retrieve the app roles that are assigned to a user.

    Note:

    If selected, you must have either the Directory.Read.All or AppRoleAssignment.ReadWrite.All permission.

  11. User groups exclude list (optional) - When Fetch user groups is selected, users who belong to any group listed in this field will not be added to Axonius. If Fetch user groups is not selected, this field has no effect. The field takes comma-separated strings, which are case- and whitespace-sensitive.

    • If supplied and Fetch user groups is selected, all connections for this adapter will not fetch users who have groups listed in this field.
    • If not supplied and Fetch user groups is selected, all connections for this adapter will fetch users regardless of their groups.
  12. Fetch software information from Intune (required, default: true) - Select whether to fetch installed software from Intune.

    • If enabled, all connections for this adapter will fetch installed software from Intune.
    • If disabled, all connections for this adapter will not fetch installed software from Intune.
  13. Fetch Intune software information in the background -

    • When enabled, the installed software fetch runs in a background thread, and the information retrieved is assigned to its "originating" device on the next device fetch. The background thread re-fetches the information every 5 hours, which is equivalent to having a fetch cycle for this information alone once every 5 hours.
    • When disabled, installed Intune software information is fetched as part of the device fetch, as defined in "Fetch software information from Intune".
  14. Fetch nested groups - Select to fetch groups that belong to other groups.

  15. Fetch user groups in the background - Select whether to cache user group records in the in-memory database and collect them in the background, within the same fetch thread, until the end of the fetch. If cleared, user group information is fetched as part of the device fetch, as defined in Fetch user groups.

  16. Fetch users authentication methods (required, default: true) - Select to fetch data from the users authentication_methods endpoint. When this is cleared data is not fetched from the authentication_methods endpoint.

  17. Fetch mobile devices (required, default: true) - Select whether to fetch mobile devices.

    • If enabled, all connections for this adapter will also fetch mobile devices.
    • If disabled, all connections for this adapter will not fetch mobile devices.
  18. Fetch Windows Defender Compliance state - Select whether to collect the "Windows10CompliancePolicy.DefenderEnabled" compliance state for every Intune device into the "Windows 10 Defender Enabled State" field of the adapter.

    • When enabled, all connections for this adapter will collect the 'Windows10CompliancePolicy.DefenderEnabled' Compliance state.
    • When disabled, all connections for this adapter will not collect the 'Windows10CompliancePolicy.DefenderEnabled' Compliance state.
  19. Fetch Device Owner - Select whether to fetch device ownership (username and email) information on all connections for this adapter.

  20. Avoid duplications in names - Select whether to create only one device when the fetch from Azure AD returns the same name multiple times. When enabled, Axonius creates a single device from the entry with the most recent last-seen properties.

  21. Fetch device groups - Select whether to fetch information on every Azure AD group for every device.

  22. Fetch Users managers - Select whether to fetch information about managers of Azure AD users.

  23. Fetch users license details - Select whether to fetch the license details for users.

  24. Use Beta API in Intune - Select to use the beta API to fetch Intune devices. If option is cleared, the regular API is used.

  25. Intune OS filter - Select whether to filter the Intune devices fetched by Operating System. The default value is All. You can choose to only fetch Windows devices.

  26. Customer filter expression for fetching devices (optional) - Enter a filter expression to exclude Azure Active Directory devices from the fetch. For more information, see Operators and Functions Supported in $filter Expressions and Device Properties.

  27. Customer filter expression for fetching Intune devices (optional) - Enter a filter expression to exclude Intune devices from the fetch. For more information, see Operators and Functions Supported in $filter Expressions and Intune Managed Device Properties.

  28. Populate Cloud Provider Account Name aggregated field (required, default: true) - When this parameter is not set, the "Cloud Provider Account Name" aggregated field will not be populated for devices for Azure AD.

  29. Do not fetch devices if Device Disabled field equals Yes (optional) - Select to exclude disabled devices from the fetch.

  30. Pre-fetch of logins activity (optional, default: true) - Select to fetch login activities of all users and match their records to improve performance during the fetch process.
    Note: This option is only effective if the Use Beta API in Intune option is selected.

Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Creating an application in the Microsoft Azure Portal

For details, see Creating an application in the Microsoft Azure Portal.


Table of Azure Permissions


This table summarizes permissions that Axonius requires to fetch various Azure resources.
Use this information both to enable required permissions, and to only apply necessary permissions.

Azure Service: Permissions
  • Fetch Office365 activity endpoints: AuditLog.Read.all
  • Last sign-in audit log information: AuditLogs.Read.All, Device.Read.all
  • Azure AD Intune: DeviceManagementApps.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, DeviceManagementServiceConfig.Read.All, directory.read.all
  • Fetch Risky Users information: IdentityRiskyUser.Read.All
  • Allow fetching MFA enrollment status for users setting: reports.Read.all
  • Application / Delegated permissions: user.read.all
  • Fetch authentication method (if the Allow use of Beta API endpoints setting is enabled): UserAuthenticationMethod.Read.All
  • Security alerts: SecurityEvents.Read.All
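The table above is also the basis for a least-privilege review of the Axonius app registration. The following check compares the permissions a registration was actually granted with what the enabled adapter features need and flags any write-capable grant; it is an added example, not Axonius code, and the feature names, the grouping of permissions under them, and the sample grant list are this example's own assumptions (the table's "AuditLogs.Read.All" is taken to be the Graph permission AuditLog.Read.All).

```python
# Graph application permissions per adapter feature, taken from the table
# above and the per-setting notes on this page (grouping is the example's own).
REQUIRED_BY_FEATURE = {
    "base": {"User.Read.All", "Device.Read.All", "Directory.Read.All"},
    "office365_activity": {"AuditLog.Read.All", "Reports.Read.All"},
    "last_signin_beta": {"AuditLog.Read.All", "Directory.Read.All"},
    "intune": {
        "DeviceManagementApps.Read.All", "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.Read.All", "DeviceManagementRBAC.Read.All",
        "DeviceManagementServiceConfig.Read.All",
    },
    "risky_users": {"IdentityRiskyUser.Read.All"},
    "auth_methods": {"UserAuthenticationMethod.Read.All"},
    "security_alerts": {"SecurityEvents.Read.All"},
}

def required_permissions(features):
    """Union of the permissions the enabled features need; 'base' is always on."""
    needed = set(REQUIRED_BY_FEATURE["base"])
    for feature in features:
        needed |= REQUIRED_BY_FEATURE[feature]
    return needed

def audit_grants(granted, features):
    """Compare the permissions granted to the app (as shown in the portal's API
    permissions blade) with what the enabled features need. Names are compared
    case-insensitively, since the page itself mixes e.g. 'reports.Read.all'."""
    needed = {p.lower(): p for p in required_permissions(features)}
    have = {p.lower(): p for p in granted}
    missing = {needed[k] for k in needed.keys() - have.keys()}
    excess = {have[k] for k in have.keys() - needed.keys()}
    # Any write-capable grant contradicts the read-only application the page
    # asks for. The page lists AppRoleAssignment.ReadWrite.All as one option
    # for fetching app roles; Directory.Read.All covers it without write access.
    write_capable = {p for p in granted if "readwrite" in p.lower()}
    return {"missing": missing, "excess": excess, "write_capable": write_capable}

# Constructed sample: an over-privileged registration in a tenant that uses
# only the base Azure AD fetch plus Intune.
SAMPLE_GRANTED = {
    "User.Read.All", "Device.Read.All", "directory.read.all",
    "DeviceManagementManagedDevices.Read.All", "DeviceManagementApps.Read.All",
    "AppRoleAssignment.ReadWrite.All", "Mail.Read",
}

if __name__ == "__main__":
    for name, perms in audit_grants(SAMPLE_GRANTED, {"intune"}).items():
        print(f"{name}: {sorted(perms)}")
```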
