Setting Up Discovery of Azure RM and Intune

Comments Off on Setting Up Discovery of Azure RM and Intune

This integration is used for retrieving several Azure resources. The Azure AD, Office 365 and Intune needs the Microsoft Graph API permissions. Additional resources such as app services, storages and VMs require subscription access.

Adding Azure RM

In order to inventory your Azure Resource Manager environment, vScope needs read permissions to your subscription(s). In this guide we will create a vScope application in Azure, generate a key and apply these to the Azure RM credential in vScope. Before getting started, make sure your role has the right permissions for setting up this application. Read more about roles and permissions here.

1. Create the application

1.1 Log in to Azure Resource Manager (https://portal.azure.com/), type “App registrations” in the search bar and click on the icon that appears.

1.2 Click the “+ New registration” button to create the vScope application.

1.3 Name the application with something easy to remember, such as “vScope”. Under “Supported account types”, choose “Accounts in this organizational directory only” and click “Register”.

2. Add API permissions for Microsoft Graph

2.1 Go to the API permission section and click the “+Add a permission” button.

2.2 In the “Microsft APIs” tab, select “Microsoft Graph”.

2.3 Now select “Application permissions”

2.4 Select the following permissions and click “Add permissions”:

  • AuditLog – AuditLog.Read.All (Read all audit log data)
  • DeviceManagementConfiguration – DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configuration and policies)
  • DeviceManagementManagedDevices – DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
  • Discovery – Directory.Read.All (Read directory data)
  • Reports – Reports.Read.All (Read all usage reports)

2.5 Now you need to grant these permissions:

3. Grant access to subscriptions

3.1 If you have Azure resources to inventory (such as “App services”, storage accounts etc.) you need to grant acces to your subscription(s). In the search bar, type “Subscriptions” and click on the yellow key that appears.

3.2 Click on the subscription name

3.3 Go to the Access control (IAM) section and click on “Add role assignment”.

3.4 In the “Role” tab, select “Reader” under “Name”.

3.5 Move on to the “Members” tab, make sure it says “Reader” as “Selected role”, and click on “+ Select members”

3.6 In the search bar, type in the name of the Application that we created in step 2 (in this example: vScope) and click “Select”.

3.7 Click “Review + assign”.

4. Set up the Azure RM probe in vScope

4.1 Now that we have the permissions we need, we only have to add the credentials in Azure RM probe to start the inventory. In the “Overview” section, Copy the Application (client) ID.

4.2 Open up a new tab and go to the Discovery Manager in vScope, create an Azure probe (+ Credential) and paste the “Application (client) ID” in the “Application ID” bar.

4.3 Go back to the App registration in Azure Portal, enter “Certificates & secrets” and create a “New client secret”:

4.4 Add a description, i.e. vScope, then choose expiry date and click “add”.

4.5 Copy the value from the client secret (the value will only appear once and will later be encrypted so it’s important not to miss this step).

4.6 Paste it to the “Key” bar in the Azure RM probe in vScope. Before saving, you can click on “Test Credential” to make sure the credentials are correct (it should turn green).

Now we have set up a discovery of Azure and Intune!

In this example, we toggled off “Microsoft 365 Defender” as we didn’t want to inventory it at this point. If you wish to inventory Microsoft 365 Defender, please read the guide “How to add Microsoft 365 Defender to vScope”.