Sam360 integrates with Intune to run comprehensive inventory scans of all your Intune-managed Windows devices. The Management Point uses the Microsoft Graph API to register, in Intune, a PowerShell script that runs daily, weekly, or monthly on each device. This script:
- Retrieves the web scan tool from the Sam360 portal
- Conducts a thorough inventory scan of the device
- Uploads the generated inventory file to Sam360
To manage the Intune PowerShell script, Sam360 creates an App Principal (a service principal) in the target Azure AD environment. The App Principal is configured with the following permissions:
- Microsoft Graph -> Organization.Read.All
- Microsoft Graph -> Directory.Read.All
- Microsoft Graph -> Group.ReadWrite.All
- Microsoft Graph -> DeviceManagementConfiguration.ReadWrite.All
- Microsoft Graph -> DeviceManagementManagedDevices.ReadWrite.All
- Microsoft Graph -> DeviceManagementApps.Read.All
The App Principal key is stored locally on the Management Point device and is never transmitted to Sam360 servers. The App Principal can be disabled or deleted at any time in the target Azure AD environment. Note that Group.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All and DeviceManagementManagedDevices.ReadWrite.All are tenant-wide write permissions, so the key should be protected like any other high-privilege secret and access to the Management Point device restricted accordingly.
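The permission list above is what the integration is documented to need; the check a tenant administrator usually wants is whether the App Principal actually holds exactly that set and nothing more. The following script is an added example written for this page, not Sam360's own code. It uses the Microsoft Graph PowerShell SDK to read the App Principal's app role assignments (application permissions), decode the role GUIDs into permission names, report anything missing or unexpected, show when the client secret expires, and optionally block the App Principal from signing in. The App Principal's display name is not given on this page, so it is an assumed parameter (`-AppPrincipalName`).

```powershell
<#
Added example, not Sam360's code: audit the Microsoft Graph application
permissions (app role assignments) granted to the Sam360 App Principal and
compare them with the documented set. Requires the Microsoft.Graph PowerShell
SDK (Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications).
Assumption: the App Principal's display name is not stated on the page, so it
is supplied via -AppPrincipalName.
#>
param(
    [Parameter(Mandatory)] [string] $AppPrincipalName,
    [switch] $Disable   # block sign-in for the App Principal if unexpected permissions are found
)

# Microsoft Graph's well-known application (client) ID. Its service principal
# carries the catalogue of app roles used to translate role GUIDs into names.
$GraphAppId = '00000003-0000-0000-c000-000000000000'

# The set documented for the Sam360 integration.
$Expected = @(
    'Organization.Read.All'
    'Directory.Read.All'
    'Group.ReadWrite.All'
    'DeviceManagementConfiguration.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementApps.Read.All'
)

# Reading app role assignments needs Application.Read.All; disabling needs ReadWrite.
$scopes = if ($Disable) { 'Application.ReadWrite.All' } else { 'Application.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppPrincipalName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppPrincipalName', found $($sp.Count)"
}
$sp = $sp[0]

# Map Graph app role GUIDs to permission names (e.g. Directory.Read.All).
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

# App role assignments where this service principal is the *principal*, i.e.
# the application permissions it has been granted (admin consent).
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        if ($_.ResourceId -eq $graphSp.Id) { $roleNames[[string]$_.AppRoleId] }
        else { "$($_.ResourceDisplayName):$($_.AppRoleId)" }   # non-Graph resource: always worth a look
    })

$unexpected = @($granted  | Where-Object { $_ -notin $Expected })
$missing    = @($Expected | Where-Object { $_ -notin $granted })

"App Principal : $($sp.DisplayName) (objectId $($sp.Id), appId $($sp.AppId), enabled=$($sp.AccountEnabled))"
"Granted       : $($granted -join ', ')"
if ($missing)    { "MISSING       : $($missing -join ', ')" }
if ($unexpected) { "UNEXPECTED    : $($unexpected -join ', ')" }

# The client secret (the 'App Principal key') lives on the application object; report its expiry.
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
foreach ($cred in $app.PasswordCredentials) {
    "Secret '$($cred.DisplayName)' expires $($cred.EndDateTime)"
}

if ($unexpected -and $Disable) {
    # Blocks the App Principal from signing in without deleting it; re-enable with -AccountEnabled:$true.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
    "App Principal disabled."
}
```

Run it as a Global Administrator or Application Administrator after setup and again periodically; an entry under UNEXPECTED, or an assignment against a resource other than Microsoft Graph, is the signal to investigate before the key is used further. Delegated permissions (OAuth2 permission grants) are not covered here because the integration is described as a daemon-style App Principal.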
To configure Intune integration…
- Ensure that the required PowerShell modules are installed. Instructions here.
- Ensure that the Management Point user account can access the following URLs
- Start the Management Point configuration tool. Instructions here.
- Click ‘Tasks’
- Click ‘Add Task’, ‘Cloud Service’, then ‘Intune’
- Click ‘Set Up Intune Integration’
- A PowerShell script runs in the background to create the App Principal. The script prompts twice for the credentials of a Microsoft 365 Tenant Administrator account; use the same account both times. These administrator credentials are not stored.
- Click ‘Test Settings’ to verify that the integration has been configured correctly.
- Click OK. The Management Point will connect to the Microsoft 365 service using the specified credentials and schedule the scan script to run on all Intune-managed Windows devices.
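'Test Settings' confirms the Management Point can talk to Graph; it does not show what was registered in Intune or whether the script actually ran on devices. The following script is an added example for this page, not Sam360's code, that lists matching scripts in the tenant together with their assignment targets and per-device run states, via the Microsoft Graph beta endpoints the Intune portal itself uses. The page does not state which Intune script type the Management Point registers, so both Intune "PowerShell scripts" (`deviceManagementScripts`) and Remediations (`deviceHealthScripts`) are queried. The display-name filter (`-NameFilter`, default 'Sam360') is an assumption.

```powershell
<#
Added example, not Sam360's code: after setup, list the scripts registered in
Intune whose name matches a filter, their assignment targets, and per-device
run outcomes, to confirm the scheduled scan reached the fleet. Queries both
deviceManagementScripts and deviceHealthScripts on the Graph beta endpoint.
Assumption: the registered script's display name contains -NameFilter.
#>
param([string] $NameFilter = 'Sam360')

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome
$beta = 'https://graph.microsoft.com/beta/deviceManagement'

foreach ($collection in 'deviceManagementScripts', 'deviceHealthScripts') {
    # $expand=assignments pulls the assignment targets in the same call.
    $uri     = "$beta/$collection`?`$expand=assignments"
    $scripts = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        Where-Object { $_.displayName -like "*$NameFilter*" })
    if (-not $scripts) { "$collection : no script matching '*$NameFilter*'"; continue }

    foreach ($s in $scripts) {
        "$collection : $($s.displayName) (id $($s.id))"
        # runAsAccount (system/user) and signature enforcement are the two settings
        # that decide what a tampered script could do on the endpoint.
        "  runAsAccount=$($s.runAsAccount) enforceSignatureCheck=$($s.enforceSignatureCheck)"

        # Each assignment target is a group, all devices, or all users.
        foreach ($a in $s.assignments) {
            $t = $a.target
            "  assigned to $($t.'@odata.type')" + $(if ($t.groupId) { " groupId=$($t.groupId)" })
        }

        # Per-device outcome; state is one of success, fail, pending, unknown, ...
        $states = @((Invoke-MgGraphRequest -Method GET -Uri "$beta/$collection/$($s.id)/deviceRunStates").value)
        if (-not $states) { "  no device run states reported yet"; continue }
        $states | Group-Object -Property { $_.state } |
            ForEach-Object { "  $($_.Name): $($_.Count) device(s)" }
    }
}
```

A script that is assigned to "all devices" but shows only `pending` states after a day usually means the devices have not checked in yet; `fail` states are worth pulling individually with `.../deviceRunStates?$expand=managedDevice` to see which machines are affected. Note that `enforceSignatureCheck=False` means Intune will run the script body unsigned, so any change to the script made through the Management Point's App Principal is executed as-is on every targeted device.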