Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

How the MEM @ Microsoft team combines various technologies to build automation.

Published Feb 22 2022 01:27 PM 2,120 Views
Microsoft

Overview: 

This is the high-level view of the various components and features we often combine to help automate maintenance of Microsoft’s internal Intune environment. Below I will describe the key tools we use and where we integrate them together. This document is mostly meant to be a high-level overview/starting point. If there is interest, please add a comment and we can provide deeper dives into a particular area. 

Starting point: Build a scheduler and gather data 

A common starting place for us to build automation is to set up a Flow. Documentation for setting one up can be found here. A flow would normally include the following items: 

  1. Recurrence: A schedule for how often the automation should run. 
  1. Query: This will require a connection to a data source (e.g., Azure Data Explorer). 
  1. Condition: Based on the query results… 
  1. Trigger a job: Trigger the automation to run. 

Automation: PowerShell Runbooks 

Our automation makes use of an automation account to execute runbooks. It takes in data from Flow in the form of a webhook. This automation account is the workspace used to create/manage runbooks for various automation scenarios. The runbook scripts hold the main application logic. 

To expand the capability of the automation you can add additional modules to the automation account. By adding additional modules, you can add capability to connect to Azure AD, Graph, or other external resources. 

Integrations: Other APIs 

In certain scenarios we need to interface with partner resources. We prefer to use managed identity as the mechanism for automation for access to these resources/data sets. These managed identities eliminate the need for developers to manage credentials (like you would with registered applications). These managed identities can be given specific role assignments or graph permissions where they can only access the resources specified. 

Reporting: App Insights 

We use the App Insights workspace to collect all the logging for azure runbook processing. This workspace allows you to monitor Pass/Fail results, Availability, and other metrics. 

Summary: 

This covers the basics of what tools our team uses to build automation. Depending on interest, we can take a deeper walkthrough into how we build up any of the resources mentioned above. Please add a comment if you would like more information on a particular area. Based on interest, we could add some code examples to our open source GitHub repository. 

5 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-3201097%22%20slang%3D%22en-US%22%3EHow%20the%20MEM%20%40%20Microsoft%20team%20combines%20various%20technologies%20to%20build%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3201097%22%20slang%3D%22en-US%22%3E%3CP%3EOverview%3A%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20the%20high-level%20view%20of%20the%20various%20components%20and%20features%20we%20often%20combine%20to%20help%20automate%20maintenance%20of%20Microsoft%E2%80%99s%20internal%20Intune%20environment.%20Below%20I%20will%20describe%20the%20key%20tools%20we%20use%20and%20where%20we%20integrate%20them%20together.%20This%20document%20is%20mostly%20meant%20to%20be%20a%20high-level%20overview%2Fstarting%20point.%20If%20there%20is%20interest%2C%20please%20add%20a%20comment%20and%20we%20can%20provide%20deeper%20dives%20into%20a%20particular%20area.%26nbsp%3B%3C%2FP%3E%3CP%3EStarting%20point%3A%20Build%20a%20scheduler%20and%20gather%20data%26nbsp%3B%3C%2FP%3E%3CP%3EA%20common%20starting%20place%20for%20us%20to%20build%20automation%20is%20to%20set%20up%20a%20%3CA%20href%3D%22https%3A%2F%2Fflow.microsoft.com%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EFlow%3C%2FA%3E.%20Documentation%20for%20setting%20one%20up%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpower-automate%2Fgetting-started%23create-your-first-flow%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E.%20A%20flow%20would%20normally%20include%20the%20following%20items%3A%26nbsp%3B%3C%2FP%3ERecurrence%3A%20A%20schedule%20for%20how%20often%20the%20automation%20should%20run.%26nbsp%3B%20Query%3A%20This%20will%20require%20a%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fconnectors%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Econnection%3C%2FA%3E%20to%20a%20data%20source%20(e.g.%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fconnectors%2Fkusto%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EAzure%20Data%20Explorer%3C%2FA%3E).%26nbsp%3B%20Condition%3A%20Based%20on%20the%20query%20results%E2%80%A6%26nbsp%3B%20Trigger%20a%20job%3A%20Trigger%20the%20automation%20to%20run.%26nbsp%3B%3CP%3EAutomation%3A%20PowerShell%20Runbooks%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20automation%20makes%20use%20of%20an%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fautomation%2Fautomation-quickstart-create-account%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Eautomation%20account%3C%2FA%3E%20to%20execute%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fautomation%2Fautomation-quickstart-create-runbook%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Erunbooks%3C%2FA%3E.%20It%20takes%20in%20data%20from%20Flow%20in%20the%20form%20of%20a%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fautomation%2Fautomation-webhooks%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ewebhook%3C%2FA%3E.%20This%20automation%20account%20is%20the%20workspace%20used%20to%20create%2Fmanage%20runbooks%20for%20various%20automation%20scenarios.%20The%20runbook%20scripts%20hold%20the%20main%20application%20logic.%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20expand%20the%20capability%20of%20the%20automation%20you%20can%20add%20additional%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fautomation%2Fshared-resources%2Fmodules%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Emodules%3C%2FA%3E%20to%20the%20automation%20account.%20By%20adding%20additional%20modules%2C%20you%20can%20add%20capability%20to%20connect%20to%20Azure%20AD%2C%20Graph%2C%20or%20other%20external%20resources.%26nbsp%3B%3C%2FP%3E%3CP%3EIntegrations%3A%20Other%20APIs%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20certain%20scenarios%20we%20need%20to%20interface%20with%20partner%20resources.%20We%20prefer%20to%20use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Emanaged%20identity%3C%2FA%3E%20as%20the%20mechanism%20for%20automation%20for%20access%20to%20these%20resources%2Fdata%20sets.%20These%20managed%20identities%20eliminate%20the%20need%20for%20developers%20to%20manage%20credentials%20(like%20you%20would%20with%20registered%20applications).%20These%20managed%20identities%20can%20be%20given%20specific%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Fhowto-assign-access-portal%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Erole%20assignments%3C%2FA%3E%20or%20graph%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fintegrations-on-azure-blog%2Fgrant-graph-api-permission-to-managed-identity-object%2Fba-p%2F2792127%22%20target%3D%22_blank%22%3Epermissions%3C%2FA%3E%20where%20they%20can%20only%20access%20the%20resources%20specified.%26nbsp%3B%3C%2FP%3E%3CP%3EReporting%3A%20App%20Insights%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20use%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fapp-insights-overview%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EApp%20Insights%3C%2FA%3E%20workspace%20to%20collect%20all%20the%20logging%20for%20azure%20runbook%20processing.%20This%20workspace%20allows%20you%20to%20monitor%20Pass%2FFail%20results%2C%20Availability%2C%20and%20other%20metrics.%26nbsp%3B%3C%2FP%3E%3CP%3ESummary%3A%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20covers%20the%20basics%20of%20what%20tools%20our%20team%20uses%20to%20build%20automation.%20Depending%20on%20interest%2C%20we%20can%20take%20a%20deeper%20walkthrough%20into%20how%20we%20build%20up%20any%20of%20the%20resources%20mentioned%20above.%20Please%20add%20a%20comment%20if%20you%20would%20like%20more%20information%20on%20a%20particular%20area.%20Based%20on%20interest%2C%20we%20could%20add%20some%20code%20examples%20to%20our%20open%20source%20GitHub%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FIntune-DeviceAdmins%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Erepository%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3201097%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20the%20high-level%20view%20of%20the%20various%20components%20and%20features%20we%20often%20combine%20to%20help%20automate%20maintenance%20of%20Microsoft%E2%80%99s%20internal%20Intune%20environment.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3203837%22%20slang%3D%22en-US%22%3ERe%3A%20How%20the%20MEM%20%40%20Microsoft%20team%20combines%20various%20technologies%20to%20build%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3203837%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20things%20do%20you%20automate%20and%20why%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3216959%22%20slang%3D%22en-US%22%3ERe%3A%20How%20the%20MEM%20%40%20Microsoft%20team%20combines%20various%20technologies%20to%20build%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3216959%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F343747%22%20target%3D%22_blank%22%3E%40trevorjones%3C%2FA%3E%26nbsp%3B%2C%20here%20are%20some%20examples%20of%20what%20we%20automate%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-Pre%20and%20Post%20upgrade%20QC%20for%20SCCM.%20Code%20examples%20can%20be%20found%20in%20our%20public%20GitHub%20repo%2C%20linked%20in%20post.%3C%2FP%3E%0A%3CP%3E-Auto%20scaling%20of%20virtual%20machines.%20Also%20has%20code%20examples%20in%20our%20GitHub%20repo.%3C%2FP%3E%0A%3CP%3E-Intune%20and%20SCCM%20policy%20and%20app%20deployment%20requests.%3C%2FP%3E%0A%3CP%3E-Autopilot%20device%20records%20maintenance.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOur%20team%20manages%20the%20Intune%20and%20SCCM%20environments%20for%20Microsoft%2C%20so%20our%20automation%20is%20focused%20on%20toil%20reduction%20and%20maintenance%20of%20those%20environments.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3241861%22%20slang%3D%22en-US%22%3ERe%3A%20How%20the%20MEM%20%40%20Microsoft%20team%20combines%20various%20technologies%20to%20build%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3241861%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F956818%22%20target%3D%22_blank%22%3E%40James_Liu%3C%2FA%3E%3A%3C%2FP%3E%3CP%3Ereading%20%60%3CSPAN%3EAutopilot%20device%20records%20maintenance.'%20you%20had%20me.%20Unfortunately%20for%20this%20nothing%20is%20in%20the%20linked%20GitHub%20repo.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ECan%20you%20please%20share%20more%20details%20on%20it%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3250965%22%20slang%3D%22en-US%22%3ERe%3A%20How%20the%20MEM%20%40%20Microsoft%20team%20combines%20various%20technologies%20to%20build%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3250965%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F38408%22%20target%3D%22_blank%22%3E%40sfarnik%3C%2FA%3E%26nbsp%3BOur%20current%20Autopilot%20device%20record%20maintenance%20automation%20requires%20specific%20Intune%20graph%20API%20permissions.%20I%20can%20look%20at%20what%20parts%20of%20that%20automation%20could%20be%20shareable%2C%20or%20at%20the%20very%20least%20provide%20some%20examples%20for%20external%20customers%20to%20build%20a%20similar%20solution.%20Because%20we%20are%20the%20internal%20team%20that%20manages%20Intune%20for%20Microsoft%2C%20we%20are%20often%20working%20on%20things%20alongside%20development%20teams%20to%20handle%20scenarios%20differently%20than%20normal%20customers.%26nbsp%3BWe%20work%20with%20internal%20development%20teams%20to%20replace%20those%20kinds%20of%20scenarios%20with%20in-product%20solutions%20when%20appropriate%20for%20external%20customers%2C%20so%20some%20of%20the%20things%20we%20automate%20might%20be%20coming%20to%20the%20product%20eventually.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3311969%22%20slang%3D%22en-US%22%3ERe%3A%20How%20the%20MEM%20%40%20Microsoft%20team%20combines%20various%20technologies%20to%20build%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3311969%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F38408%22%20target%3D%22_blank%22%3E%40sfarnik%3C%2FA%3E%26nbsp%3B%2C%20our%20Autopilot%20device%20records%20automation%20example%20should%20now%20be%20up%20on%20the%20GitHub%20repository%20linked%20in%20this%20post.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Feb 22 2022 01:26 PM
Updated by: