Microsoft Entra ID (Azure AD) and Microsoft Intune
11 Dec 2024

Article summary

This article covers the details for connecting Microsoft Entra ID (formerly Azure Active Directory), Microsoft Intune, and Microsoft 365. For Microsoft Azure, refer to Microsoft Azure.

  • Entra ID is Microsoft's multi-tenant, cloud-based directory, and Identity and Access management service hosted within Microsoft’s Azure public cloud. It allows administrators to manage the provisioning of users, enterprise applications, and devices.

  • Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that integrates closely with Entra ID for identity and access control and Azure Information Protection for data protection.

  • Microsoft 365, formerly Office 365, is a cloud-based suite of productivity apps offered by Microsoft like Outlook, Word, PowerPoint, and more.

Attributes

Cybersecurity Asset Management:

  • Service Account Required? Yes

  • Service Account Permissions: To fetch devices, the service account must have at least the Device.Read.All permission. To fetch users, the service account must have at least the User.Read.All permission. For more information, see the Set Permissions section.

  • Required Adapter Fields: Azure Client ID, Azure Client Secret, Azure Tenant ID

SaaS Management:

  • Service Account Required? Yes

  • Service Account Permissions: To fetch SaaS data, the service account must have at least one of the following permissions: AuditLog.Read.All, Directory.Read.All, Application.Read.All, Application.ReadWrite.OwnedBy, or Application.ReadWrite.All. For more information, see the Set Permissions section.

  • Required Adapter Fields: Azure Client ID, Azure Client Secret, Azure Tenant ID, Username, Password, Account Sub Domain, 2FA Secret Key

About the Adapter

Use cases the adapter solves

Connecting Microsoft Entra ID to Axonius allows you to gain visibility into all registered devices and users that are part of your Entra ID tenant. With this information you can evaluate devices that may be missing agents required for monitoring, devices missing from vulnerability assessment scopes, or evaluate permissions for your users, groups, or registered Azure applications.

Enforcements

Axonius has a built-in enforcement for adding selected users/devices to an Entra ID group for further processing by administrators. Axonius users can also take advantage of on-premises Active Directory enforcements if they are running in a hybrid deployment model.

Related Enforcement Actions:

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices

  • Users

  • Software

  • Application Extensions

  • Roles

  • Groups

  • Licenses

  • Application Settings (To fetch this information, you need to configure the User name and Password fields. If 2FA is required for this application, the 2FA key must be provided.)

  • User Extensions

  • Activities

  • SaaS Applications

  • Organizational Units

  • Accounts

  • Secrets

  • Certificates

  • Permissions

  • Configurations

Optimize an Existing Adapter Configuration to Fetch SaaS Data

If the adapter has already been set up and you want to configure it to fetch SaaS data, you will need to complete the following steps:

Note

Some of the initial configurations on Entra ID need to be performed by a user with administrator level privileges.

  1. Create a User Account

  2. Enable or Exclude Multi-Factor Authentication

  3. Enable the Advanced Settings for SaaS Management

  4. Set Permissions - Add permissions for fetching SaaS data.

  5. Connect the adapter

The following Connection Parameters, Advanced Settings, and Permissions are required for fetching SaaS data with this adapter.

  • User and Application Extensions

    • Connection Parameters: Username, Password, 2FA Secret Key (if required for this application)

    • Advanced Config: Fetch user extensions

    • Permissions: No specific permission required

  • Licenses

    • Connection Parameters: Username, Password, 2FA Secret Key (if required for this application)

    • Advanced Config: Fetch users license details and Fetch Application Settings

    • Permissions: Global.Read

  • Application Settings

    • Connection Parameters: Username, Password, 2FA Secret Key (if required for this application)

    • Advanced Config: Fetch Application Settings

    • Permissions: Global.Read

  • SaaS Applications

    • Connection Parameters: Username, Password, 2FA Secret Key (if required for this application)

    • Advanced Config: No specific setting required

    • Permissions: No specific permission required

  • Accounts

    • Connection Parameters: Account Sub Domain

    • Advanced Config: No specific setting required

    • Permissions: No specific permission required

Set Up the Adapter

To successfully connect this adapter, you need to complete the following steps.
Accounts with only Cybersecurity Asset Management:

  1. Create an Application Key

  2. Set Permissions

Accounts with SaaS Management Capabilities:

  1. Create an Application Key

  2. Set Permissions

  3. Create a User Account

  4. Enable or Exclude Multi-Factor Authentication

Create an Application Key

  1. Navigate to Microsoft Azure Admin Center > Microsoft Entra ID > Enterprise Applications.

  2. Click New application.

  3. From the Entra ID gallery, click Create your own application.

  4. In the Create your own application panel:

    1. Under What's the name of your app?, enter a name of your choice (e.g. Axonius app).

    2. Select Register an application to integrate with Microsoft Entra ID.

    3. Click Create.

    4. Enter a user-facing display name of your choice for this application (for example, "Axonius app display").

    5. Select Accounts in this organizational directory only.

    6. Click Register.

  5. Go to Microsoft Azure admin center > Microsoft Entra ID > Enterprise applications.

  6. From the All Applications page, click the application registrations link.

  7. Select the newly created application.

  8. Hover over the Application (client) ID field and click the copy icon to copy the ID.

  9. In Axonius, paste the copied ID in the Azure Client ID field in the Adapter setup.

  10. Hover over the Directory (tenant) ID field and click the copy icon to copy the ID.

  11. In Axonius, paste the copied ID in the Azure Tenant ID field in the Adapter setup.

  12. Back in Azure, from the Manage left-menu, select Certificates & secrets.

  13. Under Client Secrets, click New client secret.

  14. In the Create secret panel, set the expiration time to the furthest possible date (24 months or higher).

  15. Click Add.

  16. Copy the secret's Value (Azure displays it only once, immediately after you click Add) and paste it into the Azure Client Secret field in Axonius.

Set Permissions

This section details how to set permissions for the application you registered so that the adapter can import and sync data with Entra ID, Microsoft 365 and Intune.

  1. In the Azure portal, search for "App registrations".

  2. In the Applications list, click the application that you previously created.

  3. From the Manage left-menu, select API Permissions.

  4. From the API permissions page, click Add a permission.

    1. In the Request API permissions window, under the Microsoft APIs tab, click Microsoft Graph.

    2. Select Application permissions. If you configure Entra ID using OAuth, then select Delegated permissions.

    3. Use the search bar to locate and select the permissions. See Required Permissions for the full list of relevant permissions and what each is needed for.

    4. Click Add permissions.

  5. From the API permissions page, click Grant admin consent for Default Directory, and approve the request.

Required Permissions

This table summarizes the permissions that Axonius requires to fetch various Entra ID resources. Use it both to enable the required permissions and to grant only the permissions you actually need.

Note:

You need to set the desired permissions as application permissions.

If you configure Entra ID using OAuth, then you need to set the permissions as Delegated for all the assets (users, devices, groups, local credentials, etc.) that you want to retrieve, instead of the application permissions.

Azure Service - Permissions:

  • Last sign-in audit log information - AuditLog.Read.All, Device.Read.All

  • Entra ID / Intune - DeviceManagementApps.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementServiceConfig.Read.All, Directory.Read.All (also for SaaS data)

  • Allow for enriching Intune devices with their Security Baseline states - DeviceManagementConfiguration.ReadWrite.All

  • Fetch Risky Users information - IdentityRiskyUser.Read.All

  • Fetch extra custom user flow attributes to be added dynamically to the User's assets data - IdentityUserFlow.Read.All

  • User data (Application/Delegated permissions) - User.Read.All

  • Fetch authentication method (if the Allow use of Beta API endpoints setting is enabled) - UserAuthenticationMethod.Read.All

  • MCAS data - SecurityEvents.Read.All, SecurityEvents.ReadWrite.All, Investigation.Read

  • Group app roles - Directory.Read.All or AppRoleAssignment.ReadWrite.All

  • Role data - Directory.Read.All, RoleManagement.Read.All

  • User Contacts data - Contacts.Read

  • Fetch password validity data - Domain.Read.All

  • Fetch Device Information Protection - BitLocker Recovery Key - Delegated permissions: BitlockerKey.ReadBasic.All

  • Fetch mailbox settings for users - Application permission: MailboxSettings.Read

The following permissions are only for Axonius accounts with the SaaS Management module:

  • Allow fetching email activity - Reports.Read.All

  • Fetch Office365 activity endpoints (and SaaS data) - AuditLog.Read.All

  • Allow fetching licenses and application settings - Global.Read

Enforcement Action Permissions

In order to use the Entra ID Enforcement Actions the following permissions are required:

Microsoft Entra ID - Add or Remove Assets in Group (permissions per supported resource, for Delegated and Application permission types):

  • device

    • Delegated: GroupMember.ReadWrite.All and Device.ReadWrite.All

    • Application: GroupMember.ReadWrite.All and Device.ReadWrite.All

  • group

    • Delegated: GroupMember.ReadWrite.All and Group.ReadWrite.All

    • Application: GroupMember.ReadWrite.All and Group.ReadWrite.All

  • orgContact

    • Delegated: GroupMember.ReadWrite.All and OrgContact.Read.All

    • Application: GroupMember.ReadWrite.All and Group.ReadWrite.All

  • group

    • Delegated: GroupMember.ReadWrite.All and Group.ReadWrite.All

    • Application: GroupMember.ReadWrite.All and OrgContact.Read.All

  • servicePrincipal

    • Delegated: GroupMember.ReadWrite.All and Application.ReadWrite.All

    • Application: GroupMember.ReadWrite.All and Application.ReadWrite.All

  • user

    • Delegated: GroupMember.ReadWrite.All and User.ReadWrite.All

    • Application: GroupMember.ReadWrite.All and User.ReadWrite.All

Microsoft Entra ID - Add or Remove Members from Administrative Unit:

  • Application - AdministrativeUnit.ReadWrite.All

Microsoft Entra ID - Delete Assets:

  • Delegated/Application - User.ReadWrite.All

Microsoft Entra ID - Revoke User Sessions:

  • Application - User.ReadWrite.All

Microsoft Entra ID - Role Assignment Actions:

  • Delegated/Application - RoleManagement.ReadWrite.Directory

Microsoft Entra ID - Create Role:

  • Application - RoleManagement.ReadWrite.Directory

Microsoft Entra ID - Update Role:

  • Application - RoleManagement.ReadWrite.Directory

Microsoft Entra ID - Delete Role:

  • Application - RoleManagement.ReadWrite.Directory

Microsoft Entra ID (formerly Azure AD) - Add or Remove License to/from Users:

  • User.ReadWrite.All

Microsoft Entra ID (formerly Azure AD) - Add or Remove Licenses to/from Groups

  • LicenseAssignment.ReadWrite.All

Create a User Account

You can create a new user account for fetching SaaS data.

Note:

The user account is only relevant for fetching SaaS data.

The Username and Password that you create should be used for the optional Username and Password connection parameters.

  1. Go to Microsoft 365 admin center > Users > Active users.

  2. Click Add a user.

  3. Enter a Display name of your choice.

  4. Enter a Username of your choice (for example: usr_axonius).

  5. Back in Axonius, in the User Name field, enter the user name and domain name using the format 'username@domainname'. For example: usr_axonius@axonius.onmicrosoft.com.

  6. In the Admin Center, enter a strong password.

NOTE

It's best practice for the password to contain 32 characters.

  7. Copy the password and, back in Axonius, paste it in the Password field.

  8. In the Microsoft 365 Admin Center, clear the Require this user to change their password when they first sign in checkbox.

  9. Click Next.

  10. Select Create user without product license.

  11. Click Next.

  12. Click Roles, then select Admin center access.

  13. Select Global reader.

  14. Click Next.

  15. Click Finish adding.

  16. Click Close.

  17. Log into this account from https://login.microsoftonline.com.

Generate the OAuth Authorization Code

If you are authenticating with OAuth, you'll need to generate an OAuth Authorization Code for this adapter setup.

Note:

You should only perform this procedure if you are authenticating this application with OAuth.

  1. Get the redirect URL:

    1. In Microsoft Azure, navigate to App Registrations and select your application for this integration.

    2. On the left panel, navigate to Manage > Authentication.

    3. In the Web area, copy the redirect URL. The recommended value is http://localhost:8080.

    4. Back in Axonius, paste the copied Redirect URI into the Azure OAuth - Redirect URI/Reply URL field.

  2. Copy and paste the following URL into a browser window. Replace [TENANT], [CLIENT_ID], and [REDIRECT_URL] with the Tenant ID, Client ID, and Redirect URI that you used earlier in this setup, and save the URL for later use:
    https://login.microsoftonline.com/[TENANT]/oauth2/v2.0/authorize?client_id=[CLIENT_ID]&scope=https://graph.microsoft.com/.default&redirect_uri=[REDIRECT_URL]&response_mode=query&response_type=code

  3. Authorize, if required.

  4. Copy the value of the code parameter from the URL the browser is redirected to. This is the entire string between code= and &session_state, and it can be quite long.

  5. Back in Axonius, paste the copied code into the Azure OAuth Authorization Code field.
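The following Python example, added here and not part of the Axonius documentation or product, does steps 2 and 4 programmatically: it assembles the authorize URL with correctly escaped query values and then extracts the code parameter from the URL the browser lands on, instead of slicing the string between code= and &session_state by hand. It also checks that the redirect actually arrived at the registered redirect URI and surfaces an error response from the authorization server. The optional state parameter is an addition for request forgery protection and is not part of the page's URL; the tenant, client ID and redirected URL in the test are constructed placeholders.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        state: Optional[str] = None) -> str:
    """Assemble the step 2 URL; urlencode escapes the scope and redirect URI properly."""
    params = {
        "client_id": client_id,
        "scope": GRAPH_DEFAULT_SCOPE,
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "response_type": "code",
    }
    if state is not None:
        params["state"] = state  # optional anti-forgery value, not in the page's URL
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def extract_auth_code(redirected_url: str, expected_redirect_uri: str,
                      expected_state: Optional[str] = None) -> str:
    """Pull the code parameter out of the URL the browser lands on after step 3."""
    got, want = urlsplit(redirected_url), urlsplit(expected_redirect_uri)
    # "http://localhost:8080" and "http://localhost:8080/" are the same location.
    if (got.scheme, got.netloc, got.path or "/") != (want.scheme, want.netloc, want.path or "/"):
        raise ValueError("browser was redirected somewhere other than the registered redirect URI")
    query = parse_qs(got.query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {query['error'][0]} {desc}".strip())
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        raise ValueError("state parameter does not match the one sent in the authorize URL")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no code parameter")
    return code


if __name__ == "__main__":
    # Placeholder identifiers; substitute the values copied during setup.
    print(build_authorize_url("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                              "http://localhost:8080"))
```

The parser treats a missing or empty code, an error response, a wrong destination and (when used) a mismatched state as failures rather than silently returning an empty string, which is the failure mode of the manual copy approach when the redirect carries an error instead of a code.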

Enable or Exclude Multi-Factor Authentication

Depending on your organization's security policies, either enable MFA for the user account you created or exclude that user from the MFA policy.

This section is only relevant for accounts with SaaS Management capability.

Note:

You should perform only one of the processes in this section.

Enable MFA for the User Account

  1. Enable MFA for the newly created user account:

    1. Navigate to Microsoft 365 Admin Center > Users > Active users and click Multi-Factor Authentication.

    2. Open the service settings tab.

    3. Under the Methods available to users setting, select the Verification code from mobile app or hardware token option.

    4. Click Save.

    5. Navigate to the users tab.

    6. Select the newly created user and, in the Quick Steps section on the right, click Enable.

    7. When prompted, select enable multi-factor auth.

  2. Configure the conditional access authentication strength. See Overview of Microsoft Entra Authentication strength for more information.

    Note

    The MFA authentication strength must allow the 'Password + Software OATH token' option.

  3. Configure the Authenticator app and generate the secret key:

    1. Log into Microsoft 365 with the newly created user account.

    2. Click the account profile avatar and select View account.

    3. From the left menu, select Security Info.

    4. Click Add sign-in method and select Authenticator app.

    5. Click Add.

    6. In the Microsoft Authenticator page, click I want to use a different authenticator app.

    7. Click Next until a QR code is displayed.

    8. Click Can't scan image?.

    9. Click the copy button to copy the Secret key.

    10. Back in Axonius, paste the copied key in the 2FA Secret Key field.

  4. Generate the verification code:

    1. Back in the Azure MFA Configuration panel, click Scan QR Code to display the QR Code again.

    2. On your personal mobile device, download and open Google Authenticator and click +.

    3. Scan the QR code. Google Authenticator displays a verification code.

    4. Copy the verification code that appears in the field below.

    5. Enter the verification code in Azure MFA Configuration and click Verify.
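The Secret key copied in step 3.9 is all an authenticator needs to produce valid verification codes, which is why the 2FA Secret Key field must be protected like a password. The following Python example, added here and not part of the Axonius documentation or product, derives a code from a base32 secret the way a "different authenticator app" does (RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits; the assumption here is that this is the profile Microsoft's software OATH token uses) and verifies a submitted code with a small clock-drift window. The secret in the test is the RFC 4226/6238 reference key, not a key issued by Microsoft.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret ("12345678901234567890" in base32).
# Constructed test value only; a Microsoft-issued key is a different, private string.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as shown on the "Can't scan image?" page.

    Spaces and lower case are tolerated and missing '=' padding is restored,
    because keys are often displayed in groups of four characters.
    """
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, at_time: Optional[float] = None,
         digits: int = 6, step: int = 30) -> str:
    """Compute the TOTP code for the time step containing at_time (RFC 6238, HMAC-SHA1)."""
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at_time: Optional[float] = None,
                window: int = 1, digits: int = 6, step: int = 30) -> bool:
    """Accept a code from the current step or up to `window` steps either side.

    The window absorbs clock drift between the server and the device; keep it
    small, since every extra step widens the set of codes that will be accepted.
    hmac.compare_digest avoids leaking which digits matched through timing.
    """
    now = time.time() if at_time is None else at_time
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, digits, step), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Time 59 s is the first RFC 6238 test vector: 94287082 (8 digits), 287082 (6 digits).
    print(totp(RFC_TEST_SECRET, at_time=59, digits=8))
    print(totp(RFC_TEST_SECRET, at_time=59))
```

Because the code is a pure function of the secret and the clock, anyone who obtains the stored secret can satisfy the MFA prompt for this account; storing it only in the adapter's encrypted credential field and rotating it if it is ever exposed follows from that.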

Exclude the User Account from Multi-Factor Authentication

If your organization's security policy allows it, you can exclude the user you created from the MFA policy by excluding a designated IP range. After you exclude the account from MFA, follow these steps to set up exclusions from conditional access policies.

NOTE

Before performing this procedure, contact Axonius support for the list of IP ranges to exclude.

  1. In Axonius, ensure that the Enable 2FA checkbox is cleared.

  2. Go to Microsoft Azure admin center > Entra ID > Security > Named locations.

  3. Click Configure multifactor authentication trusted IPs.

  4. Add the Axonius IP ranges.

  5. Click Save.

Exclude from Conditional Access Policies

  1. Navigate to Microsoft Azure admin center > Entra ID > Security > Conditional Access.

  2. Click a policy.

  3. Open the Users or workload identities.

  4. Under the What does this policy apply to? section, select Users and groups.

  5. Click Exclude.

  6. Select the Users and groups checkbox.

  7. Open the Select excluded users and search for the newly created user account. Click the account and then click Select.

  8. Click Save.

  9. Repeat the process for each policy on the Conditional Access page.

Parameters

The parameters that you need to fill out will differ based on the capabilities in your Axonius platform. 'General' pertains to users with Cybersecurity Asset Management and/or SaaS Management capabilities.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

General

To connect to Microsoft Entra ID, you need to create a designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials are provided once the application is created. For details, see Creating an application in the Microsoft Azure Portal.

  • Azure Client ID (required) - The Application ID of the Axonius application.

  • Azure Client Secret (required) - Specify a non-expired key generated from the new client secret.

  • Azure Tenant ID (required) - The ID for Microsoft Entra ID.

  • Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

  • SSO Provider - If your organization uses Microsoft Entra ID for SSO, you can select this check box. For more information, see Connecting your SSO Solution Provider Adapter.

  • Cloud Environment - Select your Microsoft Azure or Microsoft Entra ID cloud environment type.

  • Azure OAuth Authorization Code (optional) - The authorization code to connect to Microsoft Intune. For more information, see Generate the OAuth Authorization Code.

  • Azure OAuth - Redirect URI/Reply URL - The location where the authorization server sends the user once the user has successfully authorized the application and it has been granted an authorization code or an access token. For more information, see Redirect URI (reply URL) restrictions and limitations.

  • Is Azure AD B2C - Select this option to cause Axonius to consider that this Microsoft Entra ID adapter connection is configured as B2C.

  • Account Tag (optional) - Specify a tag for Axonius to tag all devices fetched from this adapter for the Azure Cloud instance ("nickname").

  • Device Groups Blocklist (optional) - Enter a group or groups whose devices will be ignored and not fetched. If you want to enter more than one group, separate with commas.

  • HTTPS Proxy (optional) - A proxy to use when connecting to the selected Microsoft Azure/Entra ID cloud environment.

  • HTTPS Proxy User Name and Password (optional) - The user name and password to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.

SaaS Management

  • Account Sub Domain - The Microsoft account's sub domain (<sub_domain>.onmicrosoft.com).

  • User Name and Password - The credentials for a user account that has the permissions needed to fetch SaaS data.

  • 2FA Secret Key - The secret generated in Microsoft Entra ID for setting up 2-factor authentication for the Microsoft user. For more information, see Enable or Exclude Multi-Factor Authentication.

Connect Adapter

  1. Once you have set up this configuration, click Save to verify the status of the adapter before you select Save and Fetch.

Microsoft Entra ID - Advanced Settings

Note:

Advanced settings can apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

General

  • Fields to exclude (optional) - Specify a comma-separated list of fields to be excluded from the fetched data. This causes the adapter to exclude the listed fields from the raw and parsed data. For example, if this field value is "emailAddress, phoneNumber", both fields will be excluded from the raw and parsed data fetched by this adapter.

  • Allow use of BETA API endpoints - Select whether Axonius will use Beta API as the default source of data.

Note:

This setting requires enabling the following application permissions to view the last sign-in audit log information:

  • AuditLog.Read.All

  • Directory.Read.All

  • Number of parallel requests (optional, default: 100) - Specify the maximum number of parallel requests to obtain paged data from the Microsoft Entra ID cloud server.

  • Max retry count for parallel requests (optional, default: 3) - Specify how many times this adapter will retry a parallel request when the Microsoft Entra ID cloud server returns a response with an error. If not supplied, Axonius will use the default value.

  • Time in seconds to wait between retries of parallel requests (optional, default: 3) - Specify how many seconds this adapter will wait in between each retry when a parallel request to the Microsoft Entra ID cloud server returns a response with an error. If not supplied, Axonius will use the default value.

  • Fetch email activity from Office 365 in the last X days (required, default: 0) - Specify the number of days to fetch email activity per each user. The email activities include:

    • Deleted users

    • Dates of account deletion of users

    • Number of times an email send action was recorded

    • Number of times an email received action was recorded

    • Number of times an email read action was recorded

    • Last time any user performed a read or send email activity

    • Report period

    • Products that are assigned to the users

    Note:

    In order to use this field, the application permissions in the Microsoft Azure Portal must include the following permission:

    • Reports.Read.All

    To unhide user-level information within O365, a global administrator needs to make that change in the Microsoft 365 admin center:

    1. In the admin center, go to the Settings > Org Settings > Services page.

    2. Select Reports.

    3. Clear Display concealed user, group, and site names in all reports, and then save the changes. Refer to Microsoft Documentation - Show User Details in the Reports.

  • Exclude Azure AD joined devices - Select this option to exclude Entra ID joined devices from data fetched by this adapter.

  • Fetch custom user flow attributes (Requires IdentityUserFlow.Read.All permission) - Select this option to fetch extra custom user flow attributes to be added dynamically to the User’s assets data.

  • Fetch "Guest" users (required, default: true) - Select this option to fetch external users from Entra ID.

  • Fetch sponsors for “Guest” users - Select this option to fetch sponsor for Guest users using this endpoint and to display the relationship between sponsors and Guest users in the Asset Graph.

  • Fetch deleted users - Select this option to also fetch users that were deleted in Entra ID.

  • Fetch only devices - Select this option to only fetch devices and not fetch users. Only Device.Read.All permissions are required here, and the permission “Directory.Read.All” is not required.

  • Fetch only users - Select this option to only fetch users and not fetch data relating to other assets.

  • Skip devices fetch - Select this option to only fetch users, and disable fetching of devices.

  • Fetch only users with account enabled (optional) - Select to fetch only users with an account enabled in the Entra ID.

  • Fetch users images - Select this option to fetch the user’s image.

  • Disable Fetch of Groups - Select this option to prevent the adapter from fetching all groups.

  • List of groups not to fetch - Enter a comma separated list of common group names to filter out of the fetch.

  • Fetch risky users information - Select whether to fetch information about risky users. Information includes:

    • If the user was deleted

    • Is processing

    • Date the user last updated

    • Risk level

    • Risk state

    • Risk details

    Risky users are defined in risky User resource type and in What is risk?

  • Fetch risky users information with selected Level (required, default: High) - Select the levels of risky users' information to fetch. Otherwise all levels are fetched.

  • Fetch risky users information with selected 'State' (required, Default - At Risk, Confirmed Compromised.) - Select states of risky users' information to fetch. Otherwise all states are fetched.

  • User groups exclude list (optional) - When Fetch user groups is selected, users who have groups listed in this field will not be added to Axonius. If Fetch user groups is not selected, this field has no effect. The contents of this field are comma-separated strings, which are case and space sensitive.

  • Fetch software information from Intune (required, default: Disabled) - Select whether to fetch installed software from Intune.

    • When set to 'Disabled', no installed software is fetched from Intune.

    • 'Enabled in Normal Fetch' fetches installed software from Intune during the regular fetch time.

    • 'Enabled in Background' schedules the fetch of installed software from Intune outside the regular fetch time.

  • Fetch devices from Intune (required, default: true) - Select whether to fetch devices from Intune. Enabling this option will create two adapter connections, one for the Azure AD record and one for the Intune record.

  • Enrich Intune devices with enrollment profile information - Select this option to fetch the enrollment profile information for Intune devices.

  • Fetch autopilot device identities from Intune - Select whether to fetch autopilot device identities from Intune.

  • Fetch user groups (required, default: true) - Select this option to fetch information on every group a user is a member of.

  • Fetch user app roles - Select whether to retrieve the app roles that are assigned to a user.

    Note:

    When this setting is selected, you must have either the Directory.Read.All or AppRoleAssignment.ReadWrite.All permission.

  • Fetch user contacts (Permissions required Contacts.Read) - Select to fetch all Outlook contact information for each user.

  • Fetch user assigned roles (Permissions required Directory.Read.All or RoleManagement.Read.Directory) (optional) - Select whether to fetch the assigned roles of a user. When Allow use of BETA API endpoints is also selected, then transitive assigned roles are also fetched.

  • Fetch nested groups - Select to fetch groups that belong to other groups.

  • Fetch users Last Sign-In - How to fetch (required, default: Disabled) - Define how to fetch the data about users' last sign-in.

    • When set to 'Disabled' no data about users last sign in is fetched.

    • 'Enabled in Normal Fetch' fetches the information during the regular fetch time.

    • 'Enabled in Background' schedules the fetch of this information outside the regular fetch time.

  • Fetch users authentication methods (required, default: true) - Select to fetch data from the users authentication_methods endpoint. When this is cleared data is not fetched from the authentication_methods endpoint.

  • Fetch users Last Sign-In - API to use (required, default: Disabled) - Select the type of API the adapter uses to fetch information when 'Fetch users Last Sign-In - How to fetch' is not set to 'Disabled'.

    • 'Use Regular API' - fetches only 30 days of users' sign-in activity, with geolocation and device data. Requires a normal license.

    • 'Use BETA API' - fetches all the available users' last sign-in activity, with no geolocation or device data. Requires a BETA license.

    • 'Use Both APIs' - fetches all data from both APIs.

    Note:

    • If the ‘Use Beta API’ is selected, Axonius considers the following values in fetching last sign-in data:

      lastSignInData > beta > signInActivity > lastSignInDateTime

      lastSignInData > beta > signInActivity > lastNonInteractiveSignInDateTime

    • If ‘Use Regular API’ is selected, Axonius considers the value of lastSignInData > regular > createdDateTime

    • If ‘Use Both APIs’ is selected, Axonius considers all of the above values. Axonius always takes the most recent value.

  • Fetch mobile devices (required, default: true) - Select whether to fetch iOS and Android devices.

  • Avoid duplications in names - Select whether to create only one device when entities fetched from Entra ID share the same name. In this case, Axonius creates only one device, using the entity with the most recent Last Seen properties.

  • Fetch Windows Defender Compliance state - Select this option to collect “Windows10CompliancePolicy.DefenderEnabled” Compliance state for any Intune device to the ”Windows 10 Defender Enabled State” field of the adapter.

  • Fetch device owner - Select this option to fetch device ownership (username and email) information for this adapter.

  • Fetch device groups - Select this option to fetch information on every Entra ID group for every device.

  • Fetch Users managers - Select this option to fetch information about managers of Entra ID users.

Note:

Configure the fetch duration of Microsoft 365 email activity via Fetch email activity from Office 365 in the last X days.

  • Use Beta API in Intune - Select to use the beta API to fetch Intune devices and additional data. If this option is cleared, the regular API is used.

  • Enrich Intune devices with hardware information - Select to enrich Intune devices with their hardware information.

  • Intune OS filter - Select this option to filter the Intune devices fetched by Operating System. The default value is All. You can choose to only fetch Windows devices.

  • Custom filter expression for fetching devices (optional) - Enter a filter expression to exclude Entra ID devices from the fetch.
    For example, you could enter (operatingSystem ne ‘Windows’). For more information, see Operators and Functions Supported in $filter Expressions, Advanced query capabilities on Microsoft Entra ID objects, and Device Properties.

  • Custom filter expression for fetching Intune devices (optional) - Enter a filter expression to exclude Intune devices from the fetch. For more information, see Operators and Functions Supported in $filter Expressions, Advanced query capabilities on Microsoft Entra ID objects, and Intune Managed Device Properties.

  • Populate Cloud Provider Account Name aggregated field (required, default: true) - When this parameter is not set, the "Cloud Provider Account Name" aggregated field is not populated for devices for Entra ID.

  • Do not fetch devices if Device Disabled field equals Yes (optional) - Select this option to exclude disabled devices from the fetch.

  • Fetch only devices with last seen - Select this option to fetch only devices that have a Last Seen value; devices with no recorded activity are skipped.

  • Fetch service principals as Users (default false) - Select this option to fetch service principals as user assets.

    Note

    When this setting is enabled, the adapter also fetches the certificates registered on the service principals.

  • Fetch applications that do not require assignment - Select this option to fetch applications that are available to all users in your Entra ID tenant.

    Note

    When this setting is enabled, the adapter also fetches the certificates registered on the service principals.

  • Fetch Encryption Details from BETA Intune API (required, default false) - Select this option to fetch more detailed data about the encryption state of devices (whether a device is encrypted, whether it has encryption policies, and so on) from the Managed Device Encryption State endpoint.

    • To fetch this data, your user account must include Beta and Intune licenses.

    • The Azure account must be granted a DeviceManagementConfiguration permission (for example, DeviceManagementConfiguration.Read.All).

    • The 'Fetch devices from Intune' setting must be enabled.

  • Fetch Windows Endpoint Protection Configuration from BETA Intune API - Select this option to fetch Windows Endpoint Protection Configuration.

  • Fetch Device Compliance Policies Details (required, default false) - Select this option to fetch information about the states of the compliance policies (Requires Intune License).

  • Fetch Conditional Access Policies - Select this option to fetch the Conditional Access policies configured in Entra ID, including the conditions and controls they enforce.

Note:

When this setting is enabled, you must have the Policy.Read.All permission.

  • Fetch Device Local Credentials (LAPS) from BETA Graph API - Select this option to fetch the local administrator credential information for all device objects that are enabled for Windows Local Administrator Password Solution (LAPS). Note that Graph returns the stored passwords in recoverable (base64-encoded) form, so treat the service account used for this setting, and the Axonius data it populates, as holding local administrator secrets.

  • Fetch Device Information Protection - BitLocker Recovery Key - Select this option to fetch BitLocker recovery key information for all device objects that have a stored BitLocker key. This setting only works with OAuth authentication and a delegated permission (for example, BitLockerKey.Read.All) that covers all the assets you want to retrieve; Graph does not expose recovery keys to application-only permissions. For more information, see Microsoft identity platform and OAuth 2.0 authorization code flow.

  • Fetch Security Baseline Device States - Select this option to allow for enriching Intune devices with their Security Baseline states.

    Note:

    When this setting is enabled, you must have the DeviceManagementConfiguration.Read.All and the DeviceManagementConfiguration.ReadWrite.All permissions.

  • Custom filter expression for fetching users (optional) - Enter a filter expression to exclude Entra ID users from the fetch. For more information, see Use the Filter Query Parameter, Advanced query capabilities on Microsoft Entra ID objects, and User resource type.

  • Fetch managed app registrations from MAM - Select this option to fetch managed app registrations from Intune Mobile Application Management (MAM).

  • Fetch all directory roles - Select this option to fetch all directory roles.

  • Fetch all role definitions - Select this option to fetch all the available roles in Entra ID, even those that are not in use.

  • Use asset name as hostname if hostname undefined - Select this option so that if the hostname value is not defined, the hostname for each device will take the asset name as its value.

  • Fetch Device Configuration Statuses - Select this option to fetch all configurations for the devices and whether the devices are compliant with the configurations.

  • Fetch administrative units - From version 6.1.19.3 this setting is no longer available. Administrative Units are fetched as groups and as Organizational Units by default.

  • Fetch group app roles (Permissions required: Directory.Read.All or AppRoleAssignment.ReadWrite.All) (default: False) - Select this option to fetch group app roles and present the applications assigned to each group as assets of type Group. Refer to List appRoleAssignments granted to a group for further information.

  • Fetch users license details - Select whether to fetch the licenses assigned to a given user.

  • Fetch user assigned eligibility schedules - Select this option to fetch role eligibility schedule instances of groups.

    Note

    When this setting is enabled, you must have the RoleEligibilitySchedule.Read.Directory permission and either the PrivilegedEligibilitySchedule.Read.AzureADGroup or the PrivilegedAccess.Read.AzureADGroup permission.

  • Fetch Office 365 Litigation Hold information - Select this option to enable this adapter to fetch legal hold information as accounts.

    Note

    When this setting is enabled, you must have the eDiscovery.Read.All Delegated permission.

  • Fetch group extra attributes - Add any of the following additional group attributes that you want the adapter to fetch:

    • allowExternalSenders

    • autoSubscribeNewMembers

    • hideFromAddressLists

    • hideFromOutlookClients

    • isSubscribedByMail

    • unseenCount

  • Fetch mailbox settings for users - Select which mailbox data to fetch for users; the results populate the 'Has Mailbox' and 'Mailbox Settings' fields under Users assets in Entra ID. Values you can enter include: Fetch mailbox Settings, Fetch Inbox Message Rules, and Fetch Mailbox Delegation Info (the last is available for accounts with SaaS Management capabilities).

    Note

    The MailboxSettings.Read application permission is required for this setting.

Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
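The three custom filter settings above take OData $filter expressions that the adapter passes to Microsoft Graph. The following is an added example (not Axonius or Microsoft code) of how such an expression is built and wrapped into a Graph request so the two common mistakes are caught before a fetch fails: typographic quotes pasted from a document, and advanced-query operators such as `ne`, `not` and `endsWith` sent without the `ConsistencyLevel: eventual` header and `$count=true` that Graph requires for directory objects. The `/v1.0/devices` and `/v1.0/users` paths are real Graph endpoints; the helper names and the sample clauses are this example's own.

```python
"""Build a Graph $filter request for the adapter's custom filter settings.
Added example, not code from the page, Axonius or Microsoft."""
import re
from urllib.parse import urlencode, quote

GRAPH = "https://graph.microsoft.com/v1.0"

# Operators that make a directory-object filter an "advanced query"
# (see Advanced query capabilities on Microsoft Entra ID objects).
ADVANCED_OPERATORS = {"ne", "not", "endswith"}

# Typographic quotes that word processors and chat clients substitute for
# the ASCII apostrophe; Graph rejects them as an invalid filter clause.
CURLY_QUOTES = "\u2018\u2019\u201c\u201d"


def odata_literal(value):
    """Render a Python value as an OData literal. A single quote inside a
    string is doubled (the OData escape), which also stops a value such as a
    display name from terminating the string and injecting its own clause."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def build_filter(clauses, joiner="and"):
    """clauses: iterable of (property, operator, value) tuples.
    Comparison operators produce `prop op literal`; startsWith/endsWith
    produce the function-call form `fn(prop,literal)`."""
    parts = []
    for prop, op, value in clauses:
        if op.lower() in ("startswith", "endswith"):
            parts.append(f"{op}({prop},{odata_literal(value)})")
        else:
            parts.append(f"{prop} {op} {odata_literal(value)}")
    return f" {joiner} ".join(parts)


def check_quotes(filter_expr):
    """Return the typographic quote characters found in the expression."""
    return [c for c in filter_expr if c in CURLY_QUOTES]


def needs_advanced_query(filter_expr):
    """True when the expression uses an operator that Graph only supports
    as an advanced query on directory objects."""
    tokens = set(re.findall(r"[A-Za-z]+", filter_expr.lower()))
    return bool(tokens & ADVANCED_OPERATORS)


def build_request(resource, filter_expr, select=None):
    """Return (url, headers) for GET /{resource} with the given $filter.
    Advanced queries get $count=true and ConsistencyLevel: eventual;
    without them Graph answers 400 instead of applying the filter."""
    bad = check_quotes(filter_expr)
    if bad:
        raise ValueError(f"typographic quotes {bad!r} in filter; use ASCII '")
    params = {"$filter": filter_expr}
    if select:
        params["$select"] = ",".join(select)
    headers = {}
    if needs_advanced_query(filter_expr):
        params["$count"] = "true"
        headers["ConsistencyLevel"] = "eventual"
    # Keep $ , ( ) ' readable in the URL; spaces become %20.
    url = f"{GRAPH}/{resource}?" + urlencode(params, safe="$,()'", quote_via=quote)
    return url, headers


if __name__ == "__main__":
    # Constructed sample clauses: the page's non-Windows example, plus a
    # user filter that needs no advanced-query headers.
    expr = build_filter([("operatingSystem", "ne", "Windows")])
    print(build_request("devices", expr, select=["id", "displayName", "operatingSystem"]))
    print(build_request("users", "accountEnabled eq true"))
```

Run it to see the two requests side by side: the device filter carries `$count=true` and the `ConsistencyLevel` header, the user filter does not. The same `odata_literal` escaping applies when a filter value comes from an untrusted source (a hostname or display name), since an unescaped `'` would let that value rewrite the query.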

Cybersecurity Asset Management

  • Fetch Apple enrolled devices - Select this option to fetch enrolled Apple devices from the BETA API endpoint.

  • Fetch Device Configuration Policy Settings for Bitlocker - Select this option to fetch device configuration policy settings for Bitlocker and save them as configurations in Axonius.

  • Fetch extension attributes for device owner - Select this option to fetch additional extension attributes for the device owner user. This setting requires the ‘Fetch device owner’ setting to be enabled as well.

  • Enrich mobile devices from Intune with application data - Select this option to enrich mobile devices from Intune with application data.

  • Fetch mailbox usage information from Office 365 in the last X days (optional, default: 0) - Specify the number of days of mailbox usage information to fetch for each user.

SaaS Management

  • Fetch audit logs - Select this option to fetch audit logs. This option must be enabled to populate fields such as 'Assigned Application: Last Access', 'Inactive operational users', and other fields that show SaaS application usage.

  • Fetch user extensions - Select this option to fetch user extensions and app roles. When selected, this adapter shows information about the extensions to which permissions have been granted in Entra ID.

    Note

    When this setting is enabled, the adapter also fetches group app roles as well as the certificates registered on the service principals.

  • Fetch Application Settings - Select this option to fetch general Entra ID license information and admin application settings, such as authentication policy settings or notification settings. (To fetch this information you need to configure the User name and Password fields. If 2FA is required for this application, the 2FA key must be provided.)

    Note

    To fetch this information, the Global.Read permission must also be enabled in Entra ID. See Required Permissions for more information.
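Several of the settings above each pull in their own Graph application permission (Device.Read.All, User.Read.All, Policy.Read.All, DeviceManagementConfiguration.Read.All, MailboxSettings.Read, the eligibility-schedule pair, and so on), and it is easy to end up with a service principal that is either missing one or carrying far more than the enabled settings need. The following is an added example (not Axonius or Microsoft code) that maps a set of enabled settings to the permissions the descriptions above name, reads the granted application permissions from the `roles` claim of an app-only access token, and reports both gaps and excess grants. The setting keys are shortened labels chosen for this example, and the token is a constructed, unsigned sample so the check runs offline; a real token would come from the client-credentials flow for the adapter's Azure Client ID.

```python
"""Least-privilege check for the adapter's service principal.
Added example, not code from the page, Axonius or Microsoft."""
import base64
import json

# Permissions each setting needs, taken from the settings descriptions.
# A tuple inside the list means "any one of these is sufficient".
REQUIRED = {
    "Fetch devices": ["Device.Read.All"],
    "Fetch users": ["User.Read.All"],
    "Fetch Conditional Access Policies": ["Policy.Read.All"],
    "Fetch Security Baseline Device States": ["DeviceManagementConfiguration.Read.All"],
    "Fetch mailbox settings for users": ["MailboxSettings.Read"],
    "Fetch group app roles": [("Directory.Read.All", "AppRoleAssignment.ReadWrite.All")],
    "Fetch user assigned eligibility schedules": [
        "RoleEligibilitySchedule.Read.Directory",
        ("PrivilegedEligibilitySchedule.Read.AzureADGroup",
         "PrivilegedAccess.Read.AzureADGroup"),
    ],
}


def _b64url_decode(segment):
    """JWT segments drop base64 padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def roles_from_token(token):
    """Return the set of application permissions in the token's `roles` claim.
    Only the payload is parsed here; signature validation is Graph's job when
    the token is presented, not part of this offline audit."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return set(payload.get("roles", []))


def audit(enabled_settings, granted):
    """Return (missing, unexpected).
    missing: (setting, requirement) pairs the granted set does not satisfy.
    unexpected: granted permissions that no enabled setting asks for."""
    missing = []
    needed = set()
    for setting in enabled_settings:
        for req in REQUIRED[setting]:
            options = req if isinstance(req, tuple) else (req,)
            needed.update(options)
            if not any(o in granted for o in options):
                missing.append((setting, " or ".join(options)))
    unexpected = sorted(granted - needed)
    return missing, unexpected


def make_sample_token(roles):
    """Constructed, unsigned sample token (alg none) so the example runs
    offline. Never send a token like this anywhere; it exists only to show
    where granted application permissions appear."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # Constructed scenario: devices, users and Conditional Access enabled,
    # but the app was granted a broad write permission instead of Policy.Read.All.
    token = make_sample_token(["Device.Read.All", "User.Read.All", "Directory.ReadWrite.All"])
    granted = roles_from_token(token)
    enabled = ["Fetch devices", "Fetch users", "Fetch Conditional Access Policies"]
    missing, unexpected = audit(enabled, granted)
    print("missing:", missing)        # Policy.Read.All for Conditional Access
    print("unexpected:", unexpected)  # Directory.ReadWrite.All is not needed
```

Two caveats when using this against a real tenant. Delegated permissions (the ones the BitLocker recovery key and Litigation Hold settings require) appear in the `scp` claim of a user token, not in `roles`, so this check covers application permissions only. And an "unexpected" entry such as a ReadWrite permission where only Read is needed is exactly the kind of grant to trim: the adapter only reads, so a compromised client secret should not be able to write.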

SaaS Management Best Practices

In order to fetch SaaS Management data set the following:

  • Fetch all role definitions

  • Fetch user application role details

  • Fetch audit logs

  • Fetch user extensions (service principal

