Detect anomalies in your Intune environment with Azure Cognitive Services – Part 1 Device Compliance

It is hard to keep track of your Intune environment. With the help of log events you can build static monitoring via Azure automation or logic apps. This is possible if you are only interested in a specific event or if you can express this via static code. However, if you want to detect anomalies, e.g. a strong increase or decrease of the device count or how many devices are compliant, it is difficult to implement this without machine learning and to set static values. In this blog series I would like to show you how you can use Azure cognitive services to build a monitoring system and send you messages based on abnormal deviations. So let’s get started.

How did we get the data

Within the reports in Intune there is a report called device compliance trend. As the name suggests, this report shows you the compliance status of your devices. This is exactly the information we want to get.

To get the data we first have to find out which graph endpoint is used. How do we do that? Right we look at the network trace in the developer tools of the browser. Here it is:

So let’s get started and make something good out of the information we get provided here.

Deployment of Azure Cognitive Service anomaly detector

Open the Azure Portal and Search for Anomaly detectors

Click + Create

Select a Subscription and Resource group
Select a Region and enter the Name of the Anomaly Detector
Select the price tier (For testing Free F0 is sufficient)

Click Create

Get Teams WebHook URL

Create an MS Teams channel and add the webhook connector

Copy the WebHook URL

Create a App Registration

Search for Azure Active Directory

Select App registration

Select +New registration

Enter a Name and click Register

Click API permissions and +Add a permission

Select Microsoft Graph

Select Application permissions

Search for DeviceManagementApps.Read.All

Click Grant admin consent for *** and approve with Yes

Select Certificates & secrets and click +New client secret

Enter a Description and select a Expires time
Click Add

Copy and save the Value and the Secret ID

Create Automation Account

Search for Automation Accounts

Click + Create

Select a Subscription and a Resource group
Enter and account name and select a Region
Click Next

Click Next

Click Next -> Next -> Create

Create the Runbook

Open the Automation Account
Navigate to Variables and click + Add a variable

Add the Secret Value, TenantId, AnomalyKey, WebHookUri and the App ID as Variable

Select Runbooks
Click + Create a runbook

Enter a Name
Select PowerShell as Runbook type
Select 5.1 as Runtime version
Click Create

Insert the Script from my Github repository
Edit the variables $anomalyEndpoint (add here your endpoint from the cognitive service) and $checks add or remove checks

Hint: If you want to change the sensitivity of the anomaly detection you can adjust the attributes:
– maxAnomalyRatio: The maximum anomalies to be detected in terms of the ratio of total data points.
– sensitivity: Specify a lower value to ensure that fewer anomalies are accepted

Save and test the script

Click Publish

Navigate to Schedules and click + Add a schedule

Click Link to schedule and add the created schedule

Conclusion

Cognitive Services is a very powerful feature in Azure to easily detect anomalies, for example. If you combine this service with the information provided by Intune reporting, you can bring in a large degree of proactivity and detect abnormal behavior in your environment without having to look at reports. Since this topic has huge potential, I will be posting more blogs on this topic in the future. I hope I could help you to understand how cognitive services works and how you can use the strengths of it. Looking forward to your feedback.

Stay healthy, Cheers
Jannik