How To: Use Logic Apps to Query Intune for Device Information

This article will show you how to query device information from Intune using Logic Apps. This is a foundational article and will be used in several other scenarios going forward.

Why?

Why would we want to do this? The simple (and admittedly vague) answer is "for many types of process automation." I'm currently building a scenario to show you how to use this process to create/update an asset record in a CMDB. In a few weeks, we'll dive into other scenarios where we also need device information from Intune.

Following are the basic steps for this article:

  1. Create an Application Registration and grant read-only access.
  2. Build a sample Logic App to query Intune (via Graph) and send an email with the details.

This article lays the groundwork. You'll see it better in action when we incorporate it into the scenarios mentioned above.

Prerequisites

In order to accomplish this task, you must have Intune with managed devices, as well as enough rights in Azure AD to register an application and grant admin consent for its API permissions.

Create an Azure Application Registration

In order for Logic Apps to query Graph, we must register an application and grant it read rights to Intune device data.

Registering an Application in Azure

  1. In the Azure portal, navigate to Azure Active Directory and select App Registrations.
  2. Select New registration.
  3. Enter the Name as Intune Get Device
  4. Review the settings shown in Figure 1 and click Register.
Figure 1 – Registering a new application
  5. After clicking Register, you should now see a page similar to Figure 2, which shows the details of your new application registration. Copy the Application (client) ID and the Directory (tenant) ID, as you will need them when we create the Logic App.
Figure 2 – The Application registration properties page

Congrats! You've registered a pretty boring application (so far). Now we need to grant API permissions:

Granting Read Rights to Intune

  1. Click on View API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph as shown in Figure 3.
Figure 3 – Adding Microsoft Graph
  4. After selecting Microsoft Graph, you are prompted for the type of permissions your application requires. Select Application permissions as shown in Figure 4. (Application permissions let the Logic App act without a signed-in user, which is what unattended automation needs, but they apply to every device in the tenant, so grant only what the query requires.)
  5. Type DeviceManagement in the text box to filter the list, then choose DeviceManagementManagedDevices.Read.All as shown in Figure 4, then click Add permissions. This read-only permission is all the managedDevices query needs; do not add the ReadWrite variant for this scenario.
Figure 4 – Configuring the API permissions
  6. Next, you (as an administrator) must grant consent for the specified rights. Click the Grant admin consent for … button as shown in Figure 5.
Figure 5 – Granting admin consent
  7. Click Yes in the confirmation dialog to grant consent. The result should be similar to Figure 6.
Figure 6 – Consent Granted
  8. Next, click on Certificates & secrets and click New client secret.
  9. Enter a meaningful description and set the secret expiration as shown in Figure 7, then click Add. Choose the shortest expiration your rotation process can keep up with; when the secret expires, every Logic App that uses it stops authenticating.
Figure 7 – Adding a client secret
  10. Under Client secrets, you should see the description and the secret value as shown in Figure 8. Copy the value now (it is displayed only once) and store it in a secret store such as Azure Key Vault rather than in notes or email; you will reference it when you build the Logic App.
Figure 8 – The client secret

Create a Test Logic App

That completes the application registration. Next, we create a test Logic App to verify that everything works.

  1. From the Azure Portal select Logic Apps, then Add.
  2. Choose your desired Resource Group, enter the name “Test-GetIntuneDevice”, and choose a location.
  3. Click Review + Create, and then Create.
  4. Once created, go to your new Logic App resource.
  5. For this test, select Recurrence as the common trigger as shown in Figure 9.
Figure 9 – Choose Recurrence for the test Logic App
  6. Set the Interval to 3 and the Frequency to "Month", so that this runs every three months (once we've tested, we'll delete this test Logic App).
  7. Create a new step and search for "initialize", then choose Initialize variable as shown in Figure 10.
Figure 10 – Choosing the action Initialize variable
  8. Enter "ComputerName" for Name, set the Type to "String", and for the value enter the name of an existing computer in Intune, as shown in Figure 11.
Figure 11 – Initialize The ComputerName
  9. Next, create a new step, then search for and choose HTTP as shown in Figure 12.
Figure 12 – Choosing the HTTP action
  10. Choose GET for the Method.
  11. For the URI, enter the following:
https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=startswith(deviceName,'')
Then place your cursor between the two single quotes near the end of the line and select the ComputerName variable under Dynamic content as shown in Figure 13. The quotes must be plain single quotes, because OData string literals are single-quoted. Note that the variable is pasted straight into the filter: a device name containing a single quote would break (or alter) the query, so once this value comes from an external system rather than a hard-coded test string, double any single quotes in it before it is inserted.

This step calls the Graph List managedDevices endpoint (the managedDevices collection under deviceManagement), with $filter narrowing the result to devices whose deviceName starts with the supplied value. Graph returns a collection even when a single device matches: the devices are in the value array of the response body, which is why the Parse JSON step we add later produces an array.

Figure 13 – Setting the ComputerName variable
  12. For Headers, add "Content-Type" as "application/json" as shown in Figure 14. (A GET carries no body, so this header is harmless but not required; what matters is that the response is JSON, which Graph returns by default.)
  13. Click Add new parameter, select Authentication, and then click off of the dialog to add the Authentication Type to the step.
  14. Select Active Directory OAuth for the Authentication type.
  15. Add your Tenant, Client ID and Secret (the ones you copied earlier while creating the App registration). Anyone who can open the Logic App in the designer can read a secret typed here, so for anything beyond this test put it in a securestring workflow parameter (supplied from Key Vault at deployment) rather than in the action itself.
  16. For Audience, enter https://graph.microsoft.com.
  17. Review settings and compare them to Figure 14. Before you move on, open the HTTP action's Settings and turn on Secure Inputs and Secure Outputs; otherwise the request and the device data returned by Graph are stored in clear text in the run history, readable by anyone with access to the Logic App.
Figure 14 – Configuring the HTTP action

Most importantly, click Save and confirm that the Logic App saved successfully.
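For reference, here is the workflow definition (Logic Apps code view) that the steps above produce, as an added example that is not from the original post. It differs from a plain designer export in three ways that I would want before reusing it outside a test: the tenant, client ID and secret come from workflow parameters (the secret as a SecureString supplied at deployment time, for example from a Key Vault reference in the ARM template, so it never sits in the definition), Secure Inputs/Outputs are enabled on the HTTP action, and the device name is escaped before it is placed inside the OData string literal. The action names and the placeholder device name DESKTOP-EXAMPLE are my assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "tenantId":     { "type": "String" },
    "clientId":     { "type": "String" },
    "clientSecret": { "type": "SecureString" }
  },
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Month", "interval": 3 }
    }
  },
  "actions": {
    "Initialize_ComputerName": {
      "type": "InitializeVariable",
      "description": "Added example: DESKTOP-EXAMPLE is a placeholder, replace it with a device name that exists in Intune.",
      "runAfter": {},
      "inputs": {
        "variables": [
          { "name": "ComputerName", "type": "string", "value": "DESKTOP-EXAMPLE" }
        ]
      }
    },
    "HTTP_Get_managed_devices": {
      "type": "Http",
      "description": "Added example: single quotes in the device name are doubled (OData escaping) before being placed in the $filter literal; inputs and outputs are hidden from run history.",
      "runAfter": { "Initialize_ComputerName": [ "Succeeded" ] },
      "runtimeConfiguration": {
        "secureData": { "properties": [ "inputs", "outputs" ] }
      },
      "inputs": {
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=startswith(deviceName,'@{replace(variables('ComputerName'), '''', '''''')}')",
        "headers": { "Accept": "application/json" },
        "authentication": {
          "type": "ActiveDirectoryOAuth",
          "tenant": "@parameters('tenantId')",
          "clientId": "@parameters('clientId')",
          "secret": "@parameters('clientSecret')",
          "audience": "https://graph.microsoft.com"
        }
      }
    }
  },
  "outputs": {}
}
```

In the replace() expression, a workflow-language string literal escapes a single quote by doubling it, so '''' is one quote and '''''' is two; the net effect is that a name such as O'Brien-PC reaches Graph as O''Brien-PC, which OData reads back as the original name instead of a terminated string literal.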

Run a Test

Click Run on the Logic App and give it a minute or two to complete. After completion, you should see green check marks on all three steps as shown in Figure 15.

Figure 15 – A successful run of the Logic App

Finish the Logic App

Now that we’ve performed a successful run, we need to complete our Logic App.

  1. Expand the HTTP step to view the output.
  2. Copy the contents of the Body as shown in Figure 16. We will use this as the sample payload from which the Parse JSON step generates its schema.
Figure 16 – Copy the Body of the JSON
  3. Next, Edit the Logic App and click New step.
  4. Type "Parse JSON" into the search bar and select Data Operations->Parse JSON.
  5. For Content, select the dynamic content of the Body from the HTTP step.
  6. Click Use sample payload to generate schema, paste the body that you copied in Step 2 of this section and click Done so that the Parse JSON step looks similar to Figure 17. Be aware that the generated schema records the type of every field as seen in this one sample (for example "string"), so a device that returns null in one of those fields will fail the Parse JSON step; if that happens, loosen the type in the schema to ["string", "null"].
Figure 17 – The Parse JSON step
  7. Click New step and find the Send an email (V2) step for Outlook.
  8. Enter the desired To email address, and a catchy Subject line.
  9. In the Body, type "Device Name:" and then expand the Parse JSON dynamic content (as shown in Figure 18) and select deviceName.
Figure 18 – Choosing the deviceName variable
  10. Note that as soon as you select deviceName, the Logic App Designer recognizes (from the schema generated in the Parse JSON step) that value is an array and automatically wraps the step in a For each loop. Expand the Send an email (V2) step inside the loop and populate the Body as shown in Figure 19.
Figure 19 – Populating the email Body
  11. Save your work!

Perform a Full test

At this point, you should be ready for a full test. Click Run in the Logic Apps Designer and wait a few minutes to (hopefully) receive an email. You should also see the completed steps appear in the Logic Apps Designer as shown in Figure 20.

Figure 20 – A successful run of our Logic App

And if all worked out as planned, you also have an email in your inbox that looks similar to Figure 21.

Figure 21 – Test email success!

Congrats! This is a huge step in preparing for future automation. Hopefully, this article has laid the groundwork for you to learn more about extracting data from Intune using Graph. Stay tuned for scenarios that leverage this functionality.

When finished, remove the test Logic App, but keep the tenant ID, client ID and the secret (in your secret store) so that you can use them in future automation. The app registration stays in place, so also note the secret's expiration date and plan its rotation.

Greg

Create a Webhook from Azure Alerts to a Logic App

This is part 2 in the scenario Perform Automation Based on Device Enrollment in Microsoft Intune.

This post describes how to take the Azure Alert configured in Using Log Analytics to Generate Alerts for Each New Intune Device Enrollment, and send it to a webhook-enabled Logic App.

Remind me, Greg, why would I want to do such a thing?

This all goes back to the scenario, and our goal to create/update an asset record in ServiceNow based on a new device enrollment in Intune. For this post, we have an alert from part 1, so now we need to take that alert and generate a webhook to a Logic App.

Figure 1 – Creating a webhook from Azure Alerts to a Logic App

And that’s the high-level description. Now let’s get into the details for HOW to make this happen.

Prerequisites

To perform the steps in this post, complete all the steps and prerequisites in part 1, Using Log Analytics to Generate Alerts for Each New Intune Device Enrollment.

Create a Logic App with Webhook

First, we create the Logic App so that we can configure the Azure alert to call the webhook.

  1. In the Azure portal, navigate to Logic Apps and click Add.
  2. Select the desired Resource group (use the same one as in part 1!), Location, and enter a Logic App name of DeviceEnrollment as shown in Figure 2.
  3. Select Review + Create and then Create.
Figure 2 – Create a new Logic App
  4. Within a few seconds, you'll receive the message that Your deployment is complete, then select Go to resource.
  5. The Logic Apps Designer page will appear with an option to Start with a common trigger. Choose the option When a HTTP request is received, as shown in Figure 3.
Figure 3 – Create a Logic App using the HTTP trigger
  6. The Logic Apps Designer will appear as shown in Figure 4. Leave it just as it is and click Save. You'll notice that the text in the gray box changes to a real URL once you save the Logic App. For this process there's no need to copy the URL, because the action group integrates directly with Logic Apps. Treat that URL as a secret all the same: it contains a signature (the sig query parameter) that authorizes anyone who holds it to start the workflow, so never paste it into a ticket or chat, and regenerate the access key if it leaks.
Figure 4 – Logic App with Webhook

Congrats! You created a Logic App! Granted, it’s pretty basic, but we’ll be building on it very soon.

Configure Azure Alert with HTTP Trigger

Now we’re going to configure the Azure Alert to call this webhook for the alert created in part 1.

  1. In the Azure portal, navigate to Alerts.
  2. Click Manage Alert Rules as shown in Figure 5.
Figure 5 – Manage alert rules
  3. Locate the rule created in part 1 (we called it New Device Enrolled).
  4. In the ACTION GROUPS section, click Create as shown in Figure 6.
Figure 6 – Create a new action
  5. In the Add action group pane, enter an Action group name, Short name, Resource group (the same one used earlier) and enter DeviceEnroll for the action name, as shown in Figure 7.
Figure 7 – Add action group
  6. Next, select the drop-down for Action type and choose Logic App.
  7. In the small frame, select the Resource group (the same one used earlier).
  8. In the Select a logic app option, choose the Logic App created earlier (we called it DeviceEnrollment).
  9. Select Yes for Enable the common alert schema. Click the link to Learn more about the common alert schema; we'll need that information for the Logic App webhook integration. The common schema gives every alert type the same top-level layout (schemaId, data.essentials, data.alertContext), which is what the Logic App will parse.
  10. Verify settings as shown in Figure 8 and select OK.
  11. Click OK to save settings on the Add action group pane.
Figure 8 – Configure the Action Type
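To show what the Logic App created above will receive once the common alert schema is enabled, here is its definition with a request schema for the essentials block of the common alert schema and a guard condition, as an added example that is not part of the original post. The guard matters because any HTTP POST to the trigger URL starts a run; checking schemaId, the rule name and monitorCondition stops the workflow from acting on a resolved alert, a different rule, or a stray request. The trigger name "manual" is what the designer generates; the action names and the choice of required fields are my assumptions, alertContext is left as an open object because its contents depend on the alert type, and the empty then-branch is where the processing from the next post goes.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "triggers": {
    "manual": {
      "type": "Request",
      "kind": "Http",
      "inputs": {
        "method": "POST",
        "schema": {
          "type": "object",
          "required": [ "schemaId", "data" ],
          "properties": {
            "schemaId": { "type": "string" },
            "data": {
              "type": "object",
              "required": [ "essentials" ],
              "properties": {
                "essentials": {
                  "type": "object",
                  "required": [ "alertId", "alertRule", "monitorCondition" ],
                  "properties": {
                    "alertId":             { "type": "string" },
                    "alertRule":           { "type": "string" },
                    "severity":            { "type": "string" },
                    "signalType":          { "type": "string" },
                    "monitorCondition":    { "type": "string" },
                    "monitoringService":   { "type": "string" },
                    "alertTargetIDs":      { "type": "array", "items": { "type": "string" } },
                    "originAlertId":       { "type": "string" },
                    "firedDateTime":       { "type": "string" },
                    "description":         { "type": "string" },
                    "essentialsVersion":   { "type": "string" },
                    "alertContextVersion": { "type": "string" }
                  }
                },
                "alertContext": { "type": "object" }
              }
            }
          }
        }
      }
    }
  },
  "actions": {
    "Only_fired_alerts_from_New_Device_Enrolled": {
      "type": "If",
      "description": "Added guard: any POST carrying the trigger URL starts a run, so confirm the payload is the alert we expect before doing anything with it.",
      "runAfter": {},
      "expression": {
        "and": [
          { "equals": [ "@triggerBody()?['schemaId']", "azureMonitorCommonAlertSchema" ] },
          { "equals": [ "@triggerBody()?['data']?['essentials']?['alertRule']", "New Device Enrolled" ] },
          { "equals": [ "@triggerBody()?['data']?['essentials']?['monitorCondition']", "Fired" ] }
        ]
      },
      "actions": {},
      "else": {
        "actions": {
          "Terminate_unexpected_payload": {
            "type": "Terminate",
            "runAfter": {},
            "inputs": { "runStatus": "Cancelled" }
          }
        }
      }
    }
  },
  "outputs": {}
}
```

The schema on the trigger mainly drives dynamic content in the designer; if you also want malformed posts rejected at the door, turn on Schema Validation in the trigger's settings. The ?[] operators in the condition make a missing field evaluate to null rather than fail the expression, so an unexpected body ends up in the else branch instead of as a failed run.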

Congratulations! You now have an alert that will make a call to a Logic App! You have now configured everything in the blue box shown in Figure 9.

Figure 9 – Progress in the scenario to update ServiceNow based on Intune Device Enrollment

Continue the scenario here: Processing an Azure Alert with a Logic App.

Greg