Using Log Analytics to Generate Alerts for Each New Intune Device Enrollment

This is part 1 in the scenario Perform Automation Based on Device Enrollment in Microsoft Intune.

This post describes how to trigger an Azure Monitor alert based on a Device Enrollment event in Microsoft Intune.

Why would I want to do such a thing?

Oh, let me count the reasons! Event-triggered actions are very powerful. Typically when you think of an ‘alert’, it’s probably because something bad happened (think of a monitoring alert for low disk space, for example). For this post, we’re going to create an alert based on the desired event, device enrollment. There are many scenarios where an IT admin wants to know when a device is actually enrolled in order to follow up with the user, mark a request as complete, or just ensure that devices are being properly managed.

Here’s an image of what we will accomplish in this post:

Figure 1 – From Device Enrollment to Azure Alert

So to break down these steps:

  1. User enrolls device
  2. Device registers with Azure AD and Intune
  3. Intune sends “OperationalLogs” message to Log Analytics
  4. Log Analytics query criteria are met and send an event to Azure Alerts

And that’s the logical process in a nutshell! Now, let’s get into the details for HOW to make that happen.

Prerequisites

To perform the configuration steps, you must have a Microsoft Intune Environment and a Log Analytics workspace in Azure. And to test, you’ll need a device to enroll.

Configure Intune Diagnostic Settings

  1. In the Azure portal, navigate to Microsoft Intune.
  2. In the Monitoring section, select Diagnostic Settings and then select Add diagnostic setting (Figure 2).
  3. In the Diagnostic Settings dialog, enter a descriptive Diagnostic settings name, and select OperationalLogs (Figure 3).
  4. Under Destination details, select Send to Log Analytics. Choose your desired subscription and workspace (Figure 3).
  5. Click to Save the Diagnostics settings.
Figure 2 – Add diagnostic settings
Figure 3 – Configure diagnostic settings

Operational logs (OperationalLogs) show the success or failure of users and devices that enroll in Intune, as well as details on non-compliant devices. For our scenario, we will filter the Operational Logs for device enrollment.

Test Diagnostics Sent to Log Analytics!

To test:

  1. Enroll a fresh device to Intune.
  2. Verify the device is visible in the All Devices node in Intune.
  3. Once the node is visible, launch Log Analytics and open the workspace selected in Figure 3.
  4. Search Tables for IntuneOperationalLogs (Figure 4) and then double-click it so that it appears in the query frame.
  5. Select IntuneOperationalLogs and then click Run.
Figure 4 – Run Log Analytics query to show results from IntuneOperationalLogs

Sometimes it may take up to ten minutes from the time you see the device in Intune until the time you will see it in Log Analytics, but in general, this happens fairly fast.

Expand the result, and expand the Properties section to view device-specific details, as shown in Figure 5.

Figure 5 – Log Analytics search results for IntuneOperationalLogs

As you can see in Figure 5, we can see this is an enrollment message. Scroll down the page to see the additional properties, as shown in Figure 6.

Figure 6 – Additional properties for the query IntuneOperationalLogs

Create an Azure Alert

Now that we have the data in Log Analytics, we can easily generate an alert. We’re going to create an alert rule so that any time a new record appears that meets our criteria, an alert will be triggered.

First, update the Log Analytics query criteria in Figure 4.0 to the following:

IntuneOperationalLogs | where OperationName == 'ESPEnrollment' and Category == 'OperationalLogs'

This query will help us filter so that we only generate alerts for device enrollment. Go ahead and Run the query to verify the results.

Figure 7 – Run sample query with filtered criteria

Highlight the query and select New alert rule as shown in Figure 7.

Figure 8 – Creating a monitoring alert rule in Azure

From Figure 8, you can see the connected Log Analytics instance, as well as other configuration information. Notice that the Condition requires additional information. Click on the highlighted text that reads ‘Whenever the custom log search is greater than…..’ and review the following settings, as shown in Figure 9.

  1. Add the following Search query:
IntuneOperationalLogs | where OperationName == 'ESPEnrollment' and Category == 'OperationalLogs'
  1. Under Alert logic, configure as shown in Figure 9.
  2. Under Evaluated based on, configure as shown in Figure 9. This sets the rule to evaluate every five minutes, based on the last five minutes.
  3. Verify settings and click Done.
Figure 9 – Configuring the Condition for the Alert Rule

To complete the Alert Rule, add an Alert rule name called New Device Enrolled and set the Severity to Sev 4, as shown in Figure 10. Then click Create alert rule.

Figure 10 – Creating the Alert Rule

Congratulations! You have successfully created an alert rule based on a filter in Log Analytics! Please proceed to Create a Webhook from Azure Alerts to a Logic App.

Review the Scenario: Perform Automation Based on Device Enrollment in Microsoft Intune

Greg

Scenario: Perform Automation Based on Device Enrollment in Microsoft Intune

Greetings, fellow systems management admins! I spend a lot of my time these days building solutions that tie together multiple products, especially integrations in and out of ServiceNow. So, given my bridged knowledge of Intune, ConfigMgr, and ServiceNow, I think this is a great scenario to share.

Here’s what I want to achieve (in feature form):

As an admin, I need to track Intune device enrollment in ServiceNow, so that I can perform hardware asset management in my enterprise.

There’s a lot more to hardware asset management, but having an authoritative source of information is critical, and that’s the focus of this series. In everything I do, a guiding principle is to remove any opportunity for humans to make an error. Don’t get me wrong, I love humans, but we’re bad at repetitive work. I would much rather hand off this monotonous, repetitive work to the machine so that I know it will be handled quickly and consistently (and probably have happier employees too).

Be forewarned! There are a lot of moving parts here, but we’re going to break them down into consumable chunks. If you have more efficient methods of achieving the same result, send me some info in the comments, and I’ll give you full credit!

The Design

We are going to build event-based process automation so that every time a device is enrolled in Intune, we launch automation to make updates in the ServiceNow Asset Management table. This automation must be event-based to scale to large environments.

IntuneMagicServiceNow

Figure 1 – Devices enroll, and magic happens to create/update assets in ServiceNow.

So, as you can see from Figure 1, it’s all about the magic. There are several steps involved in that magic. Figure 2 gives you a better idea of the steps and technologies involved:

Device Enrollment Trigger Automation Flow

Figure 2 – Actions and Technologies Required for this scenario.

So that’s the high-level to the scenario. Join me over the next week or two as I step you through each of the processes mentioned above. As I post each blog, I’ll update the list below with a hyperlink to the post:

  1. Using Log Analytics to Generate Alerts for Each New Intune Device Enrollment
  2. Create a Webhook from Azure Alerts to a Logic App
  3. Processing an Azure Alert with a Logic App
  4. Updating ServiceNow with Hardware Asset Data using Logic Apps

And of course, device enrollment is only part of the asset management journey. We’ll walk through a separate series to launch automation based on device un-enrollment soon.

Stay tuned!

Greg