Blog Post

Device Management in Microsoft

How the MEM @ Microsoft team combines various technologies to build automation.

james_lieurance
Feb 22, 2022

Overview: 

This post is a high-level view of the components and features we often combine to automate maintenance of Microsoft's internal Intune environment. Below I describe the key tools we use and where we integrate them. It is meant as an overview and starting point; if there is interest, please add a comment and we can provide deeper dives into a particular area. 

Starting point: Build a scheduler and gather data 

A common starting point for our automation is a Power Automate flow (the product this post calls Flow). Documentation for setting one up can be found here. A flow would normally include the following steps: 

  1. Recurrence: a schedule for how often the automation should run. 
  2. Query: a query against a data source (e.g., Azure Data Explorer); this requires a connection to that data source. 
  3. Condition: a branch based on the query results, for example continue only when the query returned rows that need action. 
  4. Trigger a job: call the runbook's webhook to start the automation, passing the query results along. 

Automation: PowerShell Runbooks 

Our automation uses an Azure Automation account to execute runbooks. The flow starts a runbook by calling its webhook and passes the data in the request body. The automation account is the workspace used to create and manage runbooks for the various automation scenarios; the runbook scripts hold the main application logic. One caveat: the webhook URL is the only thing Azure Automation checks when a job is started this way, so anyone who obtains the URL can start the runbook. Treat the URL as a secret and validate the payload inside the runbook before acting on it. 

To expand what a runbook can do, add modules to the automation account. With the right modules (for example the Azure AD or Microsoft Graph PowerShell modules) a runbook can connect to Azure AD, Graph, or other external resources. 
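The following is an added example, not the MEM @ Microsoft team's code: the skeleton of a PowerShell runbook that a flow starts through a webhook. Azure Automation delivers the HTTP request in the `$WebhookData` parameter (its `WebhookName`, `RequestHeader` and `RequestBody` members are part of the service). Everything else is an assumption made for the example: the flow sends a shared token in an `x-automation-token` header, the expected value lives in an encrypted Automation variable named `WebhookToken`, and the body is a constructed JSON document shaped like `{"Devices":[{"SerialNumber":"ABC123","Reason":"stale"}]}`.

```powershell
# Added example (not from the post): Azure Automation runbook started by a webhook.
# Assumed for this example: header 'x-automation-token', encrypted Automation variable
# 'WebhookToken', and a constructed JSON body {"Devices":[{"SerialNumber":..,"Reason":..}]}.
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

$ErrorActionPreference = 'Stop'

if (-not $WebhookData) {
    throw 'This runbook must be started from its webhook; no WebhookData was received.'
}

# When the runbook is tested from the portal, WebhookData may arrive as a JSON string.
if ($WebhookData -is [string]) {
    $WebhookData = $WebhookData | ConvertFrom-Json
}

# Azure Automation only checks the webhook URL, so anyone who learns the URL can start
# the job. Defence in depth: compare a shared token sent by the flow in a request header
# with the value kept in an encrypted Automation variable, and stop if it does not match.
$expectedToken  = Get-AutomationVariable -Name 'WebhookToken'
$presentedToken = $WebhookData.RequestHeader.'x-automation-token'
if ([string]::IsNullOrEmpty($presentedToken) -or $presentedToken -cne $expectedToken) {
    throw "Webhook '$($WebhookData.WebhookName)' was called without a valid token; exiting."
}

# Parse the body the flow built from the query results and validate it before acting on it.
$payload = $WebhookData.RequestBody | ConvertFrom-Json
if (-not $payload.Devices) {
    Write-Output 'No devices in payload; nothing to do.'
    return
}

foreach ($device in @($payload.Devices)) {
    # Accept only the fields the runbook needs, in the shape it expects; skip anything else.
    if ($device.SerialNumber -notmatch '^[A-Za-z0-9-]{1,50}$') {
        Write-Warning "Skipping entry with unexpected serial number: $($device.SerialNumber)"
        continue
    }
    Write-Output "Processing device $($device.SerialNumber) (reason: $($device.Reason))"
    # Main application logic for the scenario goes here.
}
```

The header check is not a replacement for keeping the webhook URL secret; it limits what an attacker who finds the URL can do, and the strict pattern on the serial number stops unexpected input from the data source from reaching the rest of the logic.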

Integrations: Other APIs 

In certain scenarios we need to interface with partner resources. We prefer managed identity as the mechanism by which automation gets access to these resources and data sets. A managed identity eliminates the need for developers to manage credentials (client secrets or certificates, as you would for a registered application). It can be given specific Azure role assignments or Microsoft Graph application permissions so that it can access only the resources specified, and because those grants sit on the identity's service principal they can be reviewed at any time. 
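The following is an added example, not from the post or the team's repository. It shows the two halves of the managed identity approach: a one-time, least-privilege grant of a single Microsoft Graph application permission to the automation account's system-assigned managed identity, and the runbook-side call that uses the identity with no stored credential. The automation account name `aa-mem-automation`, the choice of `DeviceManagementServiceConfig.Read.All` (read-only access to Autopilot device records) and the Autopilot query are assumptions for the example; the Microsoft Graph appId `00000003-0000-0000-c000-000000000000` is the well-known value in every tenant.

```powershell
# Added example (not the team's code). Assumed: automation account 'aa-mem-automation',
# permission DeviceManagementServiceConfig.Read.All, and a read of Autopilot records.
Import-Module Microsoft.Graph.Applications

# --- Run once by an administrator, outside the runbook ---
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# The managed identity's service principal carries the automation account's name.
$mi = Get-MgServicePrincipal -Filter "displayName eq 'aa-mem-automation'"
if (-not $mi) { throw 'Managed identity not found; enable it on the automation account first.' }

# Microsoft Graph's own service principal (well-known appId, same in every tenant).
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve the app role by name instead of hard-coding its GUID, and insist on an
# application (not delegated) role, because a managed identity has no signed-in user.
$role = $graph.AppRoles | Where-Object {
    $_.Value -eq 'DeviceManagementServiceConfig.Read.All' -and
    $_.AllowedMemberTypes -contains 'Application'
}
if (-not $role) { throw 'Requested app role not found on the Graph service principal.' }

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
    -PrincipalId $mi.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null

# Review what the identity can now do against Graph: this list is exactly the access the
# runbook gets, and it is what an access review should show.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object ResourceId -eq $graph.Id |
    ForEach-Object {
        $assignment = $_
        ($graph.AppRoles | Where-Object Id -eq $assignment.AppRoleId).Value
    }

# --- Inside the runbook (Microsoft.Graph.Authentication added to the automation account) ---
# No client secret or certificate anywhere: the Automation service issues the token.
Connect-MgGraph -Identity

# Page through Autopilot device identities. Invoke-MgGraphRequest returns a hashtable;
# the next page, if any, is in '@odata.nextLink'.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities?$top=100'
$devices = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
}
Write-Output "Read $($devices.Count) Autopilot device records with read-only Graph access."
```

If the scenario later needs to modify records, add the corresponding `ReadWrite` role in the same way rather than granting a broad permission up front; the grant list printed above is the place to confirm nothing wider crept in.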

Reporting: App Insights 

We use an Application Insights (App Insights) resource to collect all the logging from Azure runbook processing. From it you can monitor pass/fail results, availability, and other metrics. 
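The following is an added example and not the team's code: a runbook helper that records each run's pass/fail outcome and duration in Application Insights as a custom event, posted to the ingestion endpoint taken from the connection string. The Automation variable name `AppInsightsConnectionString` and the runbook name `Invoke-AutopilotCleanup` are assumptions made for the example.

```powershell
# Added example (not from the post). Assumed: encrypted Automation variable
# 'AppInsightsConnectionString' and a runbook called 'Invoke-AutopilotCleanup'.
function Send-AppInsightsEvent {
    param(
        [Parameter(Mandatory)] [string] $ConnectionString,
        [Parameter(Mandatory)] [string] $EventName,
        [hashtable] $Properties = @{},
        [hashtable] $Metrics    = @{}
    )

    # A connection string is 'Key=Value;Key=Value;...'; we need the instrumentation key
    # and the regional ingestion endpoint.
    $parts = @{}
    foreach ($pair in $ConnectionString.Split(';')) {
        $key, $value = $pair.Split('=', 2)
        if ($key) { $parts[$key.Trim()] = $value }
    }
    if (-not $parts['InstrumentationKey']) { throw 'Connection string has no InstrumentationKey.' }
    $base = if ($parts['IngestionEndpoint']) { $parts['IngestionEndpoint'] } else { 'https://dc.services.visualstudio.com/' }
    $uri  = $base.TrimEnd('/') + '/v2/track'

    # Telemetry envelope for a customEvent, in the shape the Application Insights SDKs send.
    $envelope = @{
        name = 'Microsoft.ApplicationInsights.Event'
        time = (Get-Date).ToUniversalTime().ToString('o')
        iKey = $parts['InstrumentationKey']
        tags = @{ 'ai.cloud.role' = 'AzureAutomationRunbook' }
        data = @{
            baseType = 'EventData'
            baseData = @{
                ver          = 2
                name         = $EventName
                properties   = $Properties
                measurements = $Metrics
            }
        }
    }
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
        -Body ($envelope | ConvertTo-Json -Depth 6) | Out-Null
}

# Usage inside a runbook: send exactly one completion event, whatever happens.
$connectionString = Get-AutomationVariable -Name 'AppInsightsConnectionString'
$timer     = [System.Diagnostics.Stopwatch]::StartNew()
$result    = 'Succeeded'
$errorText = ''
try {
    # Main application logic for the scenario goes here.
}
catch {
    $result    = 'Failed'
    $errorText = $_.Exception.Message
    throw   # rethrow so the Azure Automation job is also marked Failed
}
finally {
    $timer.Stop()
    Send-AppInsightsEvent -ConnectionString $connectionString -EventName 'RunbookCompleted' `
        -Properties @{
            Runbook = 'Invoke-AutopilotCleanup'
            Result  = $result
            Error   = $errorText
            JobId   = "$($PSPrivateMetadata.JobId.Guid)"   # Azure Automation job id
        } `
        -Metrics @{ DurationSeconds = $timer.Elapsed.TotalSeconds }
}
```

With events in this shape, the pass/fail view is a one-line Kusto query in the Application Insights logs blade: `customEvents | where name == "RunbookCompleted" | summarize count() by tostring(customDimensions.Result)`, and `customMeasurements.DurationSeconds` gives the run time distribution.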

Summary: 

This covers the basics of the tools our team uses to build automation. Depending on interest, we can walk through in more depth how we build any of the resources mentioned above. Please add a comment if you would like more information on a particular area. Based on interest, we could also add code examples to our open source GitHub repository. 

Updated Feb 22, 2022
Version 1.0

5 Comments

  • sfarnik Our current Autopilot device record maintenance automation requires specific Intune graph API permissions. I can look at what parts of that automation could be shareable, or at the very least provide some examples for external customers to build a similar solution. Because we are the internal team that manages Intune for Microsoft, we are often working on things alongside development teams to handle scenarios differently than normal customers. We work with internal development teams to replace those kinds of scenarios with in-product solutions when appropriate for external customers, so some of the things we automate might be coming to the product eventually.

    sfarnik
    Copper Contributor

    Hello James_Liu:

    Reading "Autopilot device records maintenance." you had me. Unfortunately, for this nothing is in the linked GitHub repo.

    Can you please share more details on it?

  • trevorjones, here are some examples of what we automate: 

    - Pre- and post-upgrade QC for SCCM. Code examples can be found in our public GitHub repo, linked in the post.

    - Auto-scaling of virtual machines. Also has code examples in our GitHub repo.

    - Intune and SCCM policy and app deployment requests.

    - Autopilot device records maintenance.

    Our team manages the Intune and SCCM environments for Microsoft, so our automation is focused on toil reduction and maintenance of those environments.