Using Log Analytics to Generate Alerts for Each New Intune Device Enrollment

This is part 1 in the scenario Perform Automation Based on Device Enrollment in Microsoft Intune.

This post describes how to trigger an Azure Monitor alert based on a Device Enrollment event in Microsoft Intune.

Why would I want to do such a thing?

Oh, let me count the reasons! Event-triggered actions are very powerful. Typically when you think of an ‘alert’, it’s probably because something bad happened (think of a monitoring alert for low disk space, for example). For this post, we’re going to create an alert based on the desired event, device enrollment. There are many scenarios where an IT admin wants to know when a device is actually enrolled in order to follow up with the user, mark a request as complete, or just ensure that devices are being properly managed.

Here’s an image of what we will accomplish in this post:

Figure 1 – From Device Enrollment to Azure Alert

So to break down these steps:

  1. User enrolls device
  2. Device registers with Azure AD and Intune
  3. Intune sends “OperationalLogs” message to Log Analytics
  4. Log Analytics evaluates the query; when its criteria are met, an event is sent to Azure Alerts

And that’s the logical process in a nutshell! Now, let’s get into the details for HOW to make that happen.

Prerequisites

To perform the configuration steps, you must have a Microsoft Intune environment and a Log Analytics workspace in Azure. To test, you’ll also need a device to enroll.

Configure Intune Diagnostic Settings

  1. In the Azure portal, navigate to Microsoft Intune.
  2. In the Monitoring section, select Diagnostic Settings and then select Add diagnostic setting (Figure 2).
  3. In the Diagnostic Settings dialog, enter a descriptive Diagnostic settings name, and select OperationalLogs (Figure 3).
  4. Under Destination details, select Send to Log Analytics. Choose your desired subscription and workspace (Figure 3).
  5. Click to Save the Diagnostics settings.
Figure 2 – Add diagnostic settings
Figure 3 – Configure diagnostic settings

Operational logs (OperationalLogs) show the success or failure of users and devices that enroll in Intune, as well as details on non-compliant devices. For our scenario, we will filter the Operational Logs for device enrollment.

Test Diagnostics Sent to Log Analytics!

To test:

  1. Enroll a fresh device in Intune.
  2. Verify the device is visible in the All Devices node in Intune.
  3. Once the device is visible, launch Log Analytics and open the workspace selected in Figure 3.
  4. Search Tables for IntuneOperationalLogs (Figure 4) and then double-click it so that it appears in the query frame.
  5. Select IntuneOperationalLogs and then click Run.
Figure 4 – Run Log Analytics query to show results from IntuneOperationalLogs

Sometimes it may take up to ten minutes from the time you see the device in Intune until the time you will see it in Log Analytics, but in general, this happens fairly fast.

Expand the result, and expand the Properties section to view device-specific details, as shown in Figure 5.

Figure 5 – Log Analytics search results for IntuneOperationalLogs

As Figure 5 shows, this is an enrollment message. Scroll down the page to see the additional properties, as shown in Figure 6.

Figure 6 – Additional properties for the query IntuneOperationalLogs

Create an Azure Alert

Now that we have the data in Log Analytics, we can easily generate an alert. We’re going to create an alert rule so that any time a new record appears that meets our criteria, an alert will be triggered.

First, update the Log Analytics query from Figure 4 to the following:

IntuneOperationalLogs | where OperationName == 'ESPEnrollment' and Category == 'OperationalLogs'

This query will help us filter so that we only generate alerts for device enrollment. Go ahead and Run the query to verify the results.

Figure 7 – Run sample query with filtered criteria

Highlight the query and select New alert rule as shown in Figure 7.

Figure 8 – Creating a monitoring alert rule in Azure

From Figure 8, you can see the connected Log Analytics instance, as well as other configuration information. Notice that the Condition requires additional information. Click on the highlighted text that reads ‘Whenever the custom log search is greater than…’ and review the following settings, as shown in Figure 9.

  1. Add the following Search query:
IntuneOperationalLogs | where OperationName == 'ESPEnrollment' and Category == 'OperationalLogs'
  2. Under Alert logic, configure as shown in Figure 9.
  3. Under Evaluated based on, configure as shown in Figure 9. This sets the rule to evaluate every five minutes, based on the last five minutes.
  4. Verify settings and click Done.
Figure 9 – Configuring the Condition for the Alert Rule
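The following is an added example, not code from the original post or from Microsoft: a small offline model of the alert rule configured above. It applies the same filter as the KQL query (OperationName == 'ESPEnrollment' and Category == 'OperationalLogs') and runs the rule's schedule (evaluate every five minutes over the last five minutes) against constructed IntuneOperationalLogs-shaped records. It assumes the Alert logic is "number of results greater than 0", which is how the Condition text in Figure 8 reads; the exact settings in Figure 9 are not reproduced here. The extra 'ingested_at' field is a constructed stand-in for ingestion latency: a record that lands in the workspace after its five-minute window has already been evaluated is never seen by the rule, which is worth remembering given the ten-minute delay mentioned earlier. The sample rows and device IDs are made up.

```python
"""Offline model of the 'New Device Enrolled' log alert rule (example code, not Microsoft's).

Reproduces the alert query
  IntuneOperationalLogs | where OperationName == 'ESPEnrollment' and Category == 'OperationalLogs'
and the rule schedule (evaluate every 5 minutes over the last 5 minutes) against
constructed records, so the alert logic can be checked without a workspace.
"""
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def at(minutes):
    """Convenience: a timestamp 'minutes' after T0."""
    return T0 + timedelta(minutes=minutes)


# Constructed rows shaped like IntuneOperationalLogs. 'ingested_at' is an added
# field that models when the record became queryable (an assumption for this demo;
# the real table does not carry it as a column).
SAMPLE_ROWS = [
    {"TimeGenerated": at(1), "OperationName": "ESPEnrollment", "Category": "OperationalLogs",
     "Properties": {"DeviceId": "dev-001"}, "ingested_at": at(2)},
    {"TimeGenerated": at(2), "OperationName": "Compliance", "Category": "OperationalLogs",
     "Properties": {"DeviceId": "dev-002"}, "ingested_at": at(3)},
    {"TimeGenerated": at(6), "OperationName": "ESPEnrollment", "Category": "OperationalLogs",
     "Properties": {"DeviceId": "dev-003"}, "ingested_at": at(7)},
    # Enrollment whose record arrives about ten minutes late.
    {"TimeGenerated": at(7), "OperationName": "ESPEnrollment", "Category": "OperationalLogs",
     "Properties": {"DeviceId": "dev-004"}, "ingested_at": at(17)},
]


def matches_enrollment_filter(row):
    """The 'where' clause of the alert query."""
    return row["OperationName"] == "ESPEnrollment" and row["Category"] == "OperationalLogs"


def evaluate_alert(rows, now, window=timedelta(minutes=5), threshold=0):
    """One evaluation of the rule at time 'now'.

    Only records already ingested and with TimeGenerated inside (now - window, now]
    are visible to the query; the rule fires when the match count exceeds 'threshold'.
    Returns (fired, device ids that matched).
    """
    start = now - window
    hits = [r for r in rows
            if r["ingested_at"] <= now
            and start < r["TimeGenerated"] <= now
            and matches_enrollment_filter(r)]
    return len(hits) > threshold, [r["Properties"]["DeviceId"] for r in hits]


def run_schedule(rows, first_eval, evaluations, frequency=timedelta(minutes=5)):
    """Run the rule on its schedule; returns {evaluation time: device ids that fired}."""
    results = {}
    for i in range(evaluations):
        now = first_eval + i * frequency
        fired, devices = evaluate_alert(rows, now)
        results[now] = devices if fired else []
    return results


def missed_by_schedule(rows, first_eval, evaluations, frequency=timedelta(minutes=5)):
    """Enrollment records that match the filter but never fired on the schedule."""
    seen = {d for devs in run_schedule(rows, first_eval, evaluations, frequency).values()
            for d in devs}
    return [r["Properties"]["DeviceId"] for r in rows
            if matches_enrollment_filter(r) and r["Properties"]["DeviceId"] not in seen]


if __name__ == "__main__":
    for when, devices in run_schedule(SAMPLE_ROWS, at(5), 4).items():
        print(when.strftime("%H:%M"), "fired" if devices else "quiet", devices)
    print("missed:", missed_by_schedule(SAMPLE_ROWS, at(5), 4))
```

Running it evaluates the rule at 09:05, 09:10, 09:15 and 09:20: dev-001 and dev-003 each fire in the window that contains them, the compliance record is filtered out, and dev-004 is reported as missed because its record was not queryable until after the window that covered its TimeGenerated had been evaluated. If that matters for your follow-up process, consider a longer lookback period than the evaluation frequency so that adjacent windows overlap.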

To complete the Alert Rule, add an Alert rule name called New Device Enrolled and set the Severity to Sev 4, as shown in Figure 10. Then click Create alert rule.

Figure 10 – Creating the Alert Rule

Congratulations! You have successfully created an alert rule based on a filter in Log Analytics! Please proceed to Create a Webhook from Azure Alerts to a Logic App.

Review the Scenario: Perform Automation Based on Device Enrollment in Microsoft Intune

Greg

About Greg Ramsey
Greg Ramsey, Enterprise Mobility MVP, is a Senior Enterprise Architect at Dell Technologies. He has a B.S. in Computer Sciences and Engineering from Ohio State University and has co-authored many books over the years. Greg is an international speaker, a board member of the Northwest System Center User Group, and the Director of Communications for the Midwest Management Summit.
