# Microsoft Intune

Connecting Microsoft Intune gives SureCloud read access to your Intune tenant's managed device inventory, device compliance policy results, configuration profile assignments, and application protection policy configuration. SureCloud monitors MDM enrolment coverage to identify devices that have dropped out of management, reads per-device compliance state against your defined compliance policies, verifies that configuration profiles are assigned to all expected device groups, and tracks devices that are non-compliant or have not checked in recently. This provides continuous evidence that your Windows, iOS, iPadOS, and Android device estates are enrolled and meeting your security baseline requirements.

{% hint style="info" %}
Microsoft Intune data is collected via the Microsoft Graph API using the same Azure app registration used for the Microsoft Azure or Microsoft 365 integrations. If you have already connected either of those integrations, you can extend the existing app registration with the additional permissions required for Intune rather than creating a new one.
{% endhint %}

## Authentication and setup

{% stepper %}
{% step %}

#### Use or create an Azure app registration

If you have an existing SureCloud app registration from the Microsoft Azure or Microsoft 365 integration, open it in **Azure Portal → Microsoft Entra ID → App registrations → SureCloud CCM** (or equivalent). If you are connecting Intune standalone, create a new app registration following the same steps described in the [Microsoft Azure authentication guide](broken://pages/e017127527026b2c8c8c0eb1b4e2dc2447d7c7ca).

Note the **Tenant ID**, **Application (client) ID**, and an active **Client Secret**.
{% endstep %}

{% step %}

#### Grant Microsoft Graph Intune permissions

In the app registration, navigate to **API permissions → Add a permission → Microsoft Graph → Application permissions** and add:

| Permission                                | Purpose                                                        |
| ----------------------------------------- | -------------------------------------------------------------- |
| `DeviceManagementManagedDevices.Read.All` | Read managed device inventory and compliance state             |
| `DeviceManagementConfiguration.Read.All`  | Read device configuration profiles and their assignment status |
| `DeviceManagementApps.Read.All`           | Read application protection policies and app deployment status |
| `DeviceManagementRBAC.Read.All`           | Read Intune role assignments and RBAC configuration            |
| `DeviceManagementServiceConfig.Read.All`  | Read Intune service configuration and enrolment restrictions   |

Click **Grant admin consent**. A Global Administrator must approve this step.
{% endstep %}

{% step %}

#### Enter credentials in SureCloud

In SureCloud, navigate to **Integrations → Microsoft Intune → Connect** and provide:

* **Tenant ID**
* **Client (Application) ID**
* **Client Secret**

If you are reusing an existing app registration that is already connected to a Microsoft Azure or Microsoft 365 integration in SureCloud, click **Link to existing connection** and select the relevant connection rather than entering credentials again.

Click **Test Connection**, then **Save**.
{% endstep %}
{% endstepper %}

## Endpoints

| API Call                                                                  | Use Case                                                                                 |
| ------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
| `GET /v1.0/deviceManagement/managedDevices`                               | Enumerate all managed devices with enrolment state, OS version, and last check-in time   |
| `GET /v1.0/deviceManagement/managedDevices/{id}`                          | Read full device record including compliance state, ownership type, and management agent |
| `GET /v1.0/deviceManagement/deviceCompliancePolicies`                     | List all compliance policies and their platform scope                                    |
| `GET /v1.0/deviceManagement/deviceCompliancePolicies/{id}/deviceStatuses` | Read per-device compliance state for each policy                                         |
| `GET /v1.0/deviceManagement/deviceConfigurations`                         | Enumerate configuration profiles                                                         |
| `GET /v1.0/deviceManagement/deviceConfigurations/{id}/assignments`        | Read assignment targets for each configuration profile                                   |
| `GET /v1.0/deviceManagement/managedAppPolicies`                           | Read application protection policies for iOS and Android                                 |
| `GET /v1.0/deviceManagement/deviceEnrollmentConfigurations`               | Read enrolment restriction configurations                                                |
| `GET /v1.0/deviceManagement/roleAssignments`                              | Read Intune RBAC role assignments                                                        |

## Pagination

The Microsoft Graph API uses `@odata.nextLink` cursor-based pagination for Intune endpoints. SureCloud follows each `@odata.nextLink` URL until no further token is present.

```json
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/managedDevices",
  "@odata.nextLink": "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$skiptoken=W3sidG9rZW4i...",
  "value": [
    {
      "id": "abc123",
      "deviceName": "DESKTOP-XYZ01",
      "complianceState": "compliant",
      "lastSyncDateTime": "2025-06-01T08:30:00Z",
      "operatingSystem": "Windows",
      "osVersion": "10.0.22631.3737"
    }
  ]
}
```
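The following is an added example (not SureCloud's code) of the page-following loop described above, extended with the active-state filter from the Troubleshooting section so that the output is a compliance summary rather than a raw device list. The HTTP client is replaced by a constructed two-page response; `enrollmentState` is an assumed field name carrying the enrolment-state values the page lists, and the seven-day staleness threshold is an illustrative choice.

```python
from datetime import datetime, timedelta, timezone

# Enrolment states the page lists as collected into the active inventory.
ACTIVE_STATES = {"enrolled", "pendingReset", "notContacted"}
# A real run would add an Authorization: Bearer header from the app registration.
BASE = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

def iter_managed_devices(fetch_json, url=BASE):
    """Yield every device across all pages, following @odata.nextLink until absent."""
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # None on the final page ends the loop

def summarise(devices, now, stale_days=7):
    """Count active devices by complianceState; list stale check-ins and excluded devices."""
    cutoff = now - timedelta(days=stale_days)
    by_state, stale, excluded = {}, [], []
    for d in devices:
        # 'enrollmentState' is an assumed field name holding the page's listed values.
        if d.get("enrollmentState") not in ACTIVE_STATES:
            excluded.append(d["deviceName"])
            continue
        state = d.get("complianceState", "unknown")
        by_state[state] = by_state.get(state, 0) + 1
        last_sync = datetime.fromisoformat(d["lastSyncDateTime"].replace("Z", "+00:00"))
        if last_sync < cutoff:
            stale.append(d["deviceName"])
    return {"by_state": by_state, "stale": stale, "excluded": excluded}

# Constructed two-page response standing in for the HTTP client (no network access).
SAMPLE_PAGES = {
    BASE: {
        "@odata.nextLink": BASE + "?$skiptoken=PAGE2",
        "value": [
            {"deviceName": "DESKTOP-XYZ01", "enrollmentState": "enrolled",
             "complianceState": "compliant", "lastSyncDateTime": "2025-06-01T08:30:00Z"},
            {"deviceName": "LAPTOP-OLD07", "enrollmentState": "notContacted",
             "complianceState": "noncompliant", "lastSyncDateTime": "2025-05-01T09:00:00Z"},
        ],
    },
    BASE + "?$skiptoken=PAGE2": {  # final page: no @odata.nextLink
        "value": [{"deviceName": "PHONE-RETIRED", "enrollmentState": "retired",
                   "complianceState": "unknown", "lastSyncDateTime": "2025-04-10T12:00:00Z"}],
    },
}

def demo(now=datetime(2025, 6, 2, tzinfo=timezone.utc)):
    """Page through the constructed responses and return the summary."""
    return summarise(iter_managed_devices(SAMPLE_PAGES.__getitem__), now)
```

Swapping `SAMPLE_PAGES.__getitem__` for a function that performs an authenticated GET and returns the parsed JSON is all that is needed to run this against a real tenant.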

## Required permissions

All permissions listed in the setup steps are Microsoft Graph **Application** permissions requiring admin consent. No Intune-specific RBAC roles need to be assigned to the app registration — the Graph application permissions operate independently of Intune RBAC.

## Polling frequency

| Data type                                     | Collection interval |
| --------------------------------------------- | ------------------- |
| Managed device inventory and compliance state | 24 hours            |
| Configuration profile assignments             | 24 hours            |
| Application protection policies               | 24 hours            |
| Enrolment restriction configuration           | 24 hours            |
| RBAC role assignments                         | 24 hours            |

## Troubleshooting

<details>

<summary>Managed devices are returning but compliance state shows as "unknown" for all devices</summary>

A compliance state of `unknown` in Intune indicates the device has not yet been evaluated against a compliance policy, or the compliance policy has not been assigned to the device's group. SureCloud reports the compliance state as returned by Intune — it does not infer compliance from configuration data.

In **Intune → Devices → Compliance policies**, confirm that at least one compliance policy is assigned to a group containing the affected devices. Devices added to Intune after a compliance policy is assigned may show `unknown` for up to 24 hours while the policy evaluation runs.

</details>

<details>

<summary>Configuration profile assignments are not appearing</summary>

Configuration profile assignments require the `DeviceManagementConfiguration.Read.All` permission with admin consent. If assignment data is missing, confirm admin consent has been granted for this permission in **Azure Portal → App registrations → \[App] → API permissions**.

</details>

<details>

<summary>iOS and Android app protection policies are not appearing</summary>

App protection policies are read via the `managedAppPolicies` endpoint, which requires `DeviceManagementApps.Read.All`. If policies are missing, confirm this permission is granted and has admin consent.

App protection policies in Intune apply to unmanaged (BYOD) devices and may exist independently of device enrolment. If no app protection policies have been created in Intune, the endpoint will return an empty list.

</details>

<details>

<summary>Some devices that appear in Intune are not appearing in SureCloud</summary>

Devices in a `retired`, `wiped`, or `deleted` state are excluded from SureCloud's active device inventory. SureCloud collects devices with enrolment states of `enrolled`, `pendingReset`, and `notContacted` (devices that have not checked in recently but are still enrolled).

If a specific enrolled device is consistently missing, confirm its enrolment state in **Intune → Devices → All devices** and that the device has at least one successful check-in recorded.

</details>

<a href="https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-manageddevice" class="button secondary">Microsoft Graph Intune device API reference</a> <a href="https://learn.microsoft.com/en-us/mem/intune/fundamentals/graph-apis-used-by-intune" class="button secondary">Graph APIs used by Intune</a>

