Detect anomalies in your Intune environment with Azure Cognitive Services – Part 1 Device Compliance

It is hard to keep track of your Intune environment. With the help of log events you can build static monitoring via Azure automation or logic apps. This is possible if you are only interested in a specific event or if you can express this via static code. However, if you want to detect anomalies, e.g. a strong increase or decrease of the device count or how many devices are compliant, it is difficult to implement this without machine learning and to set static values. In this blog series I would like to show you how you can use Azure cognitive services to build a monitoring system and send you messages based on abnormal deviations. So let’s get started.

How did we get the data

Within the reports in Intune there is a report called device compliance trend. As the name suggests, this report shows you the compliance status of your devices. This is exactly the information we want to get.

To get the data we first have to find out which graph endpoint is used. How do we do that? Right we look at the network trace in the developer tools of the browser. Here it is:

So let’s get started and make something good out of the information we get provided here.

Deployment of Azure Cognitive Service anomaly detector

  • Click + Create
  • Select a Subscription and Resource group
  • Select a Region and enter the Name of the Anomaly Detector
  • Select the price tier (For testing Free F0 is sufficient)
  • Click Create

Get Teams WebHook URL

  • Create an MS Teams channel and add the webhook connector
  • Copy the WebHook URL

Create a App Registration

  • Search for Azure Active Directory
  • Select App registration
  • Select +New registration
  • Enter a Name and click Register
  • Click API permissions and +Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Search for DeviceManagementApps.Read.All
  • Click Grant admin consent for *** and approve with Yes
  • Select Certificates & secrets and click +New client secret
  • Enter a Description and select a Expires time
  • Click Add
  • Copy and save the Value and the Secret ID

Create Automation Account

  • Search for Automation Accounts
  • Click + Create
  • Select a Subscription and a Resource group
  • Enter and account name and select a Region
  • Click Next
  • Click Next
  • Click Next -> Next -> Create

Create the Runbook

  • Open the Automation Account
  • Navigate to Variables and click + Add a variable
  • Add the Secret Value, TenantId, AnomalyKey, WebHookUri and the App ID as Variable
  • Select Runbooks
  • Click + Create a runbook
  • Enter a Name
  • Select PowerShell as Runbook type
  • Select 5.1 as Runtime version
  • Click Create
  • Insert the Script from my Github repository
  • Edit the variables $anomalyEndpoint (add here your endpoint from the cognitive service) and $checks add or remove checks

Hint: If you want to change the sensitivity of the anomaly detection you can adjust the attributes:
maxAnomalyRatio: The maximum anomalies to be detected in terms of the ratio of total data points.
– sensitivity: Specify a lower value to ensure that fewer anomalies are accepted

  • Save and test the script
  • Click Publish
  • Navigate to Schedules and click + Add a schedule
  • Click Link to schedule and add the created schedule


Cognitive Services is a very powerful feature in Azure to easily detect anomalies, for example. If you combine this service with the information provided by Intune reporting, you can bring in a large degree of proactivity and detect abnormal behavior in your environment without having to look at reports. Since this topic has huge potential, I will be posting more blogs on this topic in the future. I hope I could help you to understand how cognitive services works and how you can use the strengths of it. Looking forward to your feedback.

Stay healthy, Cheers

5 thoughts on “Detect anomalies in your Intune environment with Azure Cognitive Services – Part 1 Device Compliance

  1. I’d avoid using DeviceManagementApps.ReadWrite.All. DeviceManagementApps.Read.All should be more than sufficient

    Liked by 1 person

Comments are closed.