Detect anomalies in your Intune environment with Azure Cognitive Services – Part 1 Device Compliance


It is hard to keep track of your Intune environment. With the help of log events you can build static monitoring via Azure Automation or Logic Apps. This works if you are only interested in a specific event, or if the condition can be expressed in static code. However, if you want to detect anomalies, e.g. a strong increase or decrease in the device count or in the number of compliant devices, it is difficult to choose static threshold values, and hard to implement without machine learning. In this blog series I would like to show you how you can use Azure Cognitive Services (now Azure AI Services) to build a monitoring system that sends you messages based on abnormal deviations. So let’s get started.

Sync Azure AD Group with Kiosk Config Profile


Synchronizing an Azure AD group with a kiosk configuration profile is mainly about keeping the assignment target reliable. The group should clearly describe the kiosk scenario, the device ownership model, and the configuration profile it belongs to.

Before using the approach in production, validate the group membership, profile assignment, and device check-in behavior on a small number of test devices. This makes it easier to separate assignment problems from kiosk shell or application configuration problems.

I have already described in a previous blog how to deploy a device as a kiosk device using Intune. This actually works really well. There is only one small thing that is really inconvenient. If a Microsoft Entra ID (formerly Azure AD) user or group is selected as the logon type (only specific users are allowed to log on to these devices), this policy must not only be assigned to a group, but the allowed users must also be defined in the profile. The option also allows you to add Microsoft Entra ID users and groups, and the SIDs of these objects are written to the local group, but Windows cannot resolve the Microsoft Entra ID groups (bug or feature?). The resolution of whether the user who is trying to log in is a member of one of the groups is done by Windows via Graph; when MFA is disabled, it works. But if MFA is enabled, Windows fails to get the token. In this blog I want to show you how you can easily work around this by syncing a Microsoft Entra ID group with this configuration profile.

Daily Intune Device Reports via Logic Apps, Email & Teams


This step-by-step guide shows how to send daily Intune device reports via Logic Apps, email and Teams. The flow combines Microsoft Graph queries, Azure Logic Apps, and your existing Microsoft 365 channels — no third-party reporting tool needed, and the whole pipeline runs on the Azure consumption plan for a few cents per month.

For an Intune admin it is always helpful to get an overview of the current status of the tenant and of the number of devices in the field. In this blog I would like to explain how you can use Logic Apps to send you a detailed daily report.

Azure Logic Apps workflow for daily Intune device report
Log Toast Notification Responses in Azure Log Analytics


After triggering a remediation action, or simply to get feedback from the user/customer, it is useful to have a kind of survey. Contacting users by mail usually results in very poor response rates; it is much better to contact them directly via a popup. A similar approach can also be useful for user-facing notifications, for example when configuring Windows Update reboot notifications. In this blog post I will explain how to implement this with the help of a Remediation script and write the responses to a Log Analytics workspace.

Toast notification response sent to Log Analytics workspace
Microsoft Endpoint Manager Reporting: Ultimate MEM Tour Part 4


After we have looked at the three categories of Device Management, Application Management and Endpoint Security, this blog continues with the Reporting section of Intune. Thanks to everyone who read the preceding blogs and gave me feedback. Intune’s supply of very powerful and helpful features is not exhausted yet: the reporting section too contains features that can make your daily work as an administrator easier and greatly improve the user experience. Endpoint Analytics in particular is a very powerful feature that is continuously developed and improved. Let’s take a closer look at it below.

Group Windows 11 Devices with Intune


Once you start treating Windows 11 as a different deployment ring than Windows 10, you’ll need a clean way to scope policies, applications and Conditional Access to “all Windows 11 devices in the tenant” — without manually maintaining a static group. The good news is that Entra ID supports dynamic device groups with rich rule syntax, and you can target Windows 11 by OS version, build number or device-category attribute with a single line of dynamic-membership rule. This post lays out the membership rules I use in production tenants, with examples for Windows 11 21H2 through 23H2 and beyond.

With Windows 11 widely deployed across enterprise estates, you might want to test configurations or apps specifically on Windows 11 devices. For that testing you need a group in Microsoft Entra ID. In this blog I want to show you how to create a dynamic group that contains all Windows 11 devices. I also want to show you how to create a device filter for Windows 11.

Set up a Windows Autopilot test lab


Many companies have a cloud-first strategy and are trying to move more and more on-prem infrastructure to the cloud. This also includes device management. With Covid-19, remote working became the new normal, and many companies are facing the challenge of how to manage devices securely and conveniently in the home office.

With Intune, Microsoft has a very powerful solution for managing devices via the internet. In my blogs I would like to give insights into cloud device management and provide you with helpful scripts and tools.

In this blog post I will start with a basic topic: how to set up a Windows Autopilot device from scratch. I explain how you can set up a test environment to gain experience with Windows 10 Autopilot or to test different things.
