Using Power Automate to notify admins on Intune Connector health
Published Apr 15 2021 12:15 PM 26.5K Views

By Mark Hopper – Program Manager II | Microsoft Endpoint Manager – Intune

 

Microsoft Intune has the capability to integrate and connect with numerous external services. These connectors can include Microsoft services such as Microsoft Defender for Endpoint, third-party services such as Apple Business Manager, on-premises integrations such as the Certificate Connector for Intune, and many more.

 

Monitoring the health of an Intune environment is often a common focus for Microsoft Endpoint Manager customers. Today, admins can check their Intune tenant’s connector health using the Tenant Status page in the Microsoft Endpoint Manager admin center. However, many customers have expressed interest in exploring what options are available to proactively notify their teams when an Intune connector is determined to be unhealthy.

 

This blog will walk through the configuration steps to create an automated cloud flow using Power Automate that will notify a team or an individual when an Intune connector is unhealthy. The walkthrough will use the NDES Certificate Connector as an example, but this same flow logic can be leveraged across all Intune connectors in your environment. If you are not familiar with Power Automate, it’s a “low-code” Microsoft service that can be used to automate repetitive tasks to improve efficiencies for organizations. These automated tasks are called flows.

 

While the flow outlined in this blog will use email as the example notification method, keep in mind that flexibility and customization is key here. You can implement alternative notification methods that best aligns with your organization’s workflows such as mobile push notifications to the Power Automate app, Microsoft Teams channel posts, or even generating a ticket in your Helpdesk system if it can integrate with Power Automate. You can find a list of services that have published Power Automate connectors here.

 

Requirements

  • Azure Active Directory 
  • Microsoft Intune 
  • Microsoft Power Automate

NoteThe example flow in this blog leverages the HTTP action, which is a premium connection action. For more information on Power Automate licensing, see the docs page here.

 

Register an enterprise application in Azure Active Directory

  1. Create a new enterprise application registration in Azure Active Directory. In this example, the application is named "Flow Intune Connector Health Check."

    Redirect URI should be set to https://global.consent.azure-apim.net/redirect.

    Registering a new application in Azure Active Directory.Registering a new application in Azure Active Directory.
  2. Under API permissions, add the appropriate read-only Graph API application permissions to the enterprise appThe table below outlines the minimum permissions required to read the Graph endpoints for some commonly used Intune connectors.

    Permission 

    Graph Endpoints 

    Intune Connector 

    DeviceManagementConfiguration.Read.All 

    ndesConnector

    androidManagedStoreAccountEnterpriseSettings 

    NDES 

    Managed Google Play 

    DeviceManagementServiceConfig.Read.All 

    applePushNotificationCertificate 

    vppToken 

    depOnboardingSettings 

    windowsAutopilotSettings 

    mobileThreatDefenseConnector 

    APNS Certificate 

    VPP Tokens 

    DEP Tokens 

    Autopilot 

    MTD 



  3. After adding these permissions, be sure to grant admin consent for the organization.

    Granting admin consent for the organization in Azure Active Directory.Granting admin consent for the organization in Azure Active Directory.

  4. Under Certificates & secrets, generate a new client secret. Temporarily copy the secret value into Notepad since it will be used in another step soon, and you will not be able to retrieve it after you perform another operation or leave this blade.

    Example screenshot of the Client secrets "Value" and "ID".Example screenshot of the Client secrets "Value" and "ID".

That should complete your Azure AD Enterprise App configuration. Next, you will be creating a Power Automate cloud flow that performs the following actions every hour for the NDES connectors in your Intune environment:

  1. Perform an HTTP GET request to each connector’s Microsoft Graph REST API endpoint. 
  2. Parse the JSON response returned from Graph API. 
  3. If there can be multiple connectors for a given Graph endpoint, use an Apply to each step. For example, only one APNS cert can be configured per Intune tenant, so an Apply to each would not be required. However, there can be numerous VPP tokens or NDES Connectors in a given tenant, so this step will loop through each connector returned in the response. 
  4. Evaluate each connector’s health state. 
  5. If determined to be unhealthy, send an email notification to a specified email address to notify the relevant admin or team.

 

Create a Power Automate flow to evaluate Intune Connector health

  1. To begin, open the Power Automate admin console, create a new scheduled cloud flow. For this examplethe flow is configured to run once an hour.

    Creating a new Power Automate flow in the Power Automate admin console.Creating a new Power Automate flow in the Power Automate admin console.
    NoteEnsure to not run this flow on an overly aggressive schedule to reduce the risk of throttling! Graph API and Intune service-specific throttling limits can be found here: Microsoft Graph throttling guidance. Power Platform request limits and allocations can be found here: Requests limits and allocations.

  2. Create a new HTTP action under the reoccurrence trigger using Active Directory OAuth as your authentication methodThis action will retrieve the NDES Connectors by querying the https://graph.microsoft.com/beta/deviceManagement/ndesConnectors endpointIn this example, this step is named "Get NDES Connectors".

    HTTP action properties for the ndesConnectors flow.HTTP action properties for the ndesConnectors flow.

    Method: GET 

    URIhttps://graph.microsoft.com/beta/deviceManagement/ndesConnectors

    Authentication: Active Directory OAuth

    Authorityhttps://login.microsoft.com

    Tenant: Directory (tenant) ID from Overview blade in your Azure AD App Registration

    Audience: https://graph.microsoft.com 

    Client ID: Application (client) ID from Overview blade in your Azure AD App Registration

    Credential type: Secret

    Secret: Secret key value generated while configuring the Azure AD App Registration.


    Overview of the Flow Intune Connector Health Check.Overview of the Flow Intune Connector Health Check.
    Secret key value generated while configuring the Azure AD App Registration.Secret key value generated while configuring the Azure AD App Registration.
  3. Create a new step to parse the JSON response returned from the GET request using the Parse JSON action. This will allow the flow to use values returned from our HTTP request for our connector health evaluation, as well as our notification message.

    Content: Use the ‘Body’ dynamic content value generated from the previous step. 

    Schema: You can find the JSON schema by running a test GET request in Graph Explorer, and using the response to generate the schema. For example, run the following query in Graph Explorer: https://graph.microsoft.com/beta/deviceManagement/ndesConnectors.

    Example GET request in Graph Explorer for the "ndesConnectors" query.Example GET request in Graph Explorer for the "ndesConnectors" query.
    This should return a JSON response. Copy this JSON response and paste it into Generate from sample in your Parse JSON step. This should generate the following schema, which will allow the flow to use the values in the JSON response such as state and lastConnectionDateTime as Dynamic Values in future steps to check if our connector is healthy. Here is what the JSON schema generated from the response should look like:

    {
        "type": "object",
        "properties": {
            "@@odata.context": {
                "type": "string"
            },
            "value": {
                "type": "array",
                "items": {
                    "type": "object",
                    "properties": {
                        "id": {
                            "type": "string"
                        },
                        "lastConnectionDateTime": {
                            "type": "string"
                        },
                        "state": {
                            "type": "string"
                        },
                        "displayName": {
                            "type": "string"
                        }
                    },
                    "required": [
                        "id",
                        "lastConnectionDateTime",
                        "state",
                        "displayName"
                    ]
                }
            }
        }
    }

     

  4. Create a Condition step to check the NDES Connector health. For this step, the only condition to check is to see if state is not equal to active. Your health check should look similar to this:

    Condition step to check the NDES Connector health.Condition step to check the NDES Connector health.
    Note: When you set the Condition step, the flow will automatically create an Apply to each step (think of it as a for-each loop). The reason for this behavior is that the "Parse NDES Connector Response" step returns an array which could contain multiple NDES connectors. The Apply to each step ensures each NDES Connector in the response has ran through the health check.

  5. Next, create a step to send an email to your specified email address if the connector is determined to be unhealthy using the Send an email notification (V3) action. In this example, the email body is customized to include details such as the display name of the connector that is unhealthy, last connection time, and additional troubleshooting resources.

    Email notification check to send a customized email notification.Email notification check to send a customized email notification.
  6. Save, and test the flow. If your NDES connector is in an unhealthy state, the email addresses specified should receive a message similar to this:

    Example screenshot of an email notification sent to an admin.Example screenshot of an email notification sent to an admin.
    Note: If your connector is currently active and healthy, but you want to test the email notification, temporarily set your health check condition to check for a state that would return "Yes". For example, state is equal to active. Make sure to switch this back once you have confirmed the notification is sent as expected.

    You should now have a working automated cloud flow that scans Graph for NDES connector details, checks the connector’s health, and sends out an email notification if the connector is determined to be in an unhealthy state on an hourly schedule. The completed flow should look like this:

    Overview of a working automated cloud flow that scans Graph for NDES connector details.Overview of a working automated cloud flow that scans Graph for NDES connector details.
  7. Now, you can apply these same set of steps for the remaining Intune connectors in your environment. Either in different flows, or as parallel branches under the same recurrence.

    Additional Intune connector resources you could add in your environment.Additional Intune connector resources you could add in your environment.

Connector Health Check Examples

Properties that can be used to determine each connector’s health status can be found in Microsoft’s Graph API documentation for Intune.

 

For commonly used Intune connectors, here are some health check examples that can be used or built on for the health check Condition step, as well as their Graph URI endpoints for the HTTP step:

 

Apple Push Notification Certificate

URI: https://graph.microsoft.com/beta/deviceManagement/applePushNotificationCertificate

expirationDateTime is less than addToTime(utcNow(), 61, 'day')

 

Apple VPP Tokens

URI: https://graph.microsoft.com/beta/deviceAppManagement/vppTokens 

lastSyncStatus is equal to failed

or

state is not equal to valid

 

Apple DEP Tokens

URI: https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings 

lastSyncErrorCode is not equal to 0

or

tokenExpirationDateTime is less than addToTime(utcNow(), 61, 'day')

 

Managed Google Play

URI: https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings 

bindStatus is not equal to boundAndValidated

or

lastAppSyncStatus is not equal to success

 

Autopilot

URI: https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotSettings 

syncStatus is not equal to completed

and

syncStatus is not equal to inProgress

 

Mobile Threat Defense Connectors

URI: https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors 

partnerState is not equal to enabled

and

partnerState is not equal to available

 

Considerations

  • You can create a flow for each individual Intune connector, or you can create parallel branches under your recurrence trigger that check multiple connectors’ health in the same flow.

    For example, you may not want to check your Managed Google Play connector in the same flow as your NDES connector. Or, you may want to check your DEP token expiration on a different cadence than your DEP token sync status. Flexibility is key here - use what works best for your organization!

  • In this blog, we executed Graph API requests using the HTTP action without creating a Graph API custom connector. However, an alternative method could be a Power Automate custom connector for Graph, and configuring the HTTP requests as custom actions to read the Graph Intune connector endpoints. Here are some considerations when deciding which method may work best for your organization:

    Without custom connector 

    With custom connector 

    • Leverages Azure AD application permissions.
    • HTTP requests will run without administrative user credentials. These will continue to operate as long as the Azure AD Enterprise App secret key being used is valid.
    • Leverages Azure AD delegated permissions. 
    • HTTP requests will be run using an administrator account who has proper permissions to check the respective Intune connector health. The connector may fail to run and require reauthentication if the account used for the connection has a password change, access tokens revoked, or needs to satisfy an MFA requirement.

    More information can be found here: 30DaysMSGraph – Day 12 – Authentication and authorization scenarios.

  • Not all connectors can have multiple instances. For example, an Apply to each step will not be necessary for the APNS certificate health check. Since only one APNS can be configured in a tenant at a time, an array would not be returned in the JSON response.
  • For health checks where you are evaluating connector or token expirations, you should customize your health checks based on your organization’s needs. For example, the Microsoft Endpoint Manager admin center will start flagging a DEP token or APNS certificate as nearing expiration when the expiration date is 60 days away. However, you may prefer to check for and send these notifications a few weeks or a month in advance rather than 60 days, every hour until it is renewed.
  • Consider leveraging secure inputs and outputs for steps in the flow that handle your Azure AD app’s secret key. By default, in Power Automate, you can see inputs and outputs in the run history for a flow. When you enable secure inputs and outputs, you can protect this data when someone tries to view the inputs and outputs and instead display the message "Content not shown due to security configuration."
  • In addition to secure inputs and outputs, consider leveraging Azure Key Vault and the Azure Key Vault Power Automate Connector to handle storage and retrieval of your Azure AD app’s secret key. Keep in mind that actions for this connector will be run using an administrator account who has proper permissions to check the respective Key Vault. The connector may fail to run and require reauthentication if the account used for the connection has a password change, access tokens revoked, or needs to satisfy an MFA requirement.
  • For more robust NDES health evaluation, consider adding two more HTTP steps that validate expected responses for these URLs
    • [public facing NDES URL]/certsrv/mscep/mscep.dll
    • [public facing NDES URL]/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca

 

In the health check step, the first URL should return a 403. The second URL should return a 200.

 

NDES health evaluation flowNDES health evaluation flow

For these new HTTP steps, you’ll need to configure the next step after them to run even if the HTTP request has failed, for two reasons. For the first URL, a 403 is the response code we are hoping for, but Power Automate will interpret it a failed response and will not move on to the next step by default. For the second URL, we want to ensure we move on to the health check step regardless of the response returned, so that a notification email will be sent out if needed.

 

NDES HTTP check exampleNDES HTTP check example

Thanks to our Mobility MVP Alexander Vanyurikhin for posting this suggestion on Twitter!

 

You should now have an understanding of how you can leverage Power Automate and Graph API to proactively notify your team when an Intune connector is in an unhealthy state. Please let us know if you have any additional questions by replying to this post or by reaching out to @Mark_Hopper24 or @IntuneSuppTeam on Twitter.

 

Additional Resources

For further resources on Graph API, Power Automate, and Intune connectors, please see the links below.

 

Blog Post Updates:

4/19/21: Added steps to check for NDES health evaluation.

5/26/21: Updated the syntax from "or" to "and" for both the Autopilot and Mobile Threat Defense Connectors connector health check examples.

20 Comments
Version history
Last update:
‎Nov 30 2023 04:07 PM
Updated by: