Microsoft Intune integration
Intune integration with Microsoft Graph API connector
Intune integration capabilities are included in the Microsoft Graph API connector (formerly the Entra ID connector).
With the Microsoft Graph API connector you can read data from Microsoft Intune. Starting from version 2025.2, you can also perform changes and actions in Intune. Together, these capabilities deliver clear business value across four key areas:
- Improved visibility and control: near real-time access to device and software data enhances IT oversight, asset tracking, and decision-making.
- Automation and efficiency: automated changes reduce manual work, accelerate response times, and streamline processes such as onboarding and updates.
- Enhanced security and compliance: rapid detection and remediation of risks support a stronger security posture and adherence to regulatory standards.
- Strategic integration and innovation: seamless integration with other IT systems enables smarter automation and better governance, and supports digital transformation efforts.
For the Microsoft Graph API Connection and Task basic configuration, see the Microsoft Graph API Connector documentation.
For customer instructions, see https://docs.efecte.com/customer-instructions/efecte-provisioning-engine-customer-instructions-for-entra-id
The most common use cases with Intune are:
- Reading devices from Intune into the CMDB (included in the 2025.1 baseline)
- Reading software from Intune into the CMDB
Read Devices from Intune
See the Microsoft documentation for the API: https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-manageddevice?view=graph-rest-1.0
Entra ID application permissions
For Intune devices import, the application in Entra ID needs these permissions.
For customer instructions, see https://docs.efecte.com/customer-instructions/efecte-provisioning-engine-customer-instructions-for-entra-id
| Permission type | Permission |
|---|---|
| Application | DeviceManagementManagedDevices.Read.All or DeviceManagementManagedDevices.ReadWrite.All |
Queries for Scheduled Task
It is not recommended to use more than 3 subqueries, as every subquery makes fetching the data considerably heavier.
If possible, run a performance test before taking the task into production use.
Remove subqueries which you don't use in attribute mappings.
If you need to fetch data from more subqueries than is acceptable for performance, create separate tasks for those and then use ESM capabilities to combine the data fetched by the two tasks.
Query: deviceManagement/managedDevices

Subqueries (example possibilities; the mappings used below need no subqueries):
deviceManagement/managedDevices/{id}/windowsProtectionState
deviceManagement/managedDevices/{id}/users
Mappings for Scheduled Task
Always use Generic Template for Intune Mappings Type:

You might have a different Target Template and/or Target Folder for devices in your environment into which you want to import devices from Intune. You also might have a different Task Id mapping field, and a different value for the Status attribute when a device is deleted from Intune.
This example uses these values:
Target Template - Device
Target Folder - Asset/Server
Task Id mapping - Related connector task. Select the attribute where the task id number is stored, in this example “Related connector task”. It can be used in scripts to determine which task has created/updated the datacard. This attribute is also used internally by the “Set value for deleted objects“ functionality.
Set value for deleted object - checked
Attribute name - Status
Attribute value - 07 - Disposed

A basic example set of mappings for Intune devices follows. You might want to map different attributes, because of different use of Intune attributes and because of different requirements and templates.
These Intune attributes are not in the mappings dropdown (left column), so you need to add them by clicking the “+ New Attribute” button.
If you set the deviceManagement/managedDevices/{id}/windowsProtectionState subquery, you can also add mappings, for example, to these Intune attributes related to the device's windowsProtectionState:

Or, if you added other subqueries, for example deviceManagement/managedDevices/{id}/users, you can have mappings for those as well.
Example Attribute mapping table for Intune devices
This table contains the most used attributes related to Intune devices, but you can also add other attributes to the mapping table.
| External attribute | Local attribute |
|---|---|
| id | intune_id |
| userId | intune_userid |
| managedDeviceOwnerType | intune_manageddeviceownertype |
| enrolledDateTime | intune_enrolleddatetime |
| lastSyncDateTime | intune_lastsyncdatetime |
| jailBroken | intune_jailbroken |
| deviceHealthAttestationState | intune_devicehealthattestationstate |
| subscriberCarrier | intune_subscribercarrier |
| meid | intune_meid |
| totalStorageSpaceInBytes | intune_totalstoragespaceinbytes |
| freeStorageSpaceInBytes | intune_freestoragespaceinbytes |
| managedDeviceName | intune_manageddevicename |
| partnerReportedThreatState | intune_partnerreportedthreatstate |
| activationLockBypassCode | intune_activationlockbypasscode |
| complianceState | intune_compliancestate |
| emailAddress | intune_emailaddress |
| isSupervised | intune_issupervised |
| operatingSystem | intune_operatingsystem |
| osVersion | intune_osversion |
| serialNumber | intune_serialnumber |
| managementAgent | intune_managementagent |
| easActivated | intune_easactivated |
| easDeviceId | intune_easdeviceid |
| easActivationDateTime | intune_easactivationdatetime |
| azureADRegistered | intune_azureadregistered |
| deviceEnrollmentType | intune_deviceenrollmenttype |
| azureADDeviceId | intune_azureaddeviceid |
| deviceRegistrationState | intune_deviceregistrationstate |
| deviceCategoryDisplayName | intune_devicecategorydisplayname |
| exchangeLastSuccessfulSyncDateTime | intune_exchangelastsuccessfulsyncdatetime |
| deviceName | intune_devicename |
| model | intune_model |
| exchangeAccessState | intune_exchangeaccessstate |
| exchangeAccessStateReason | intune_exchangeaccessstatereason |
| isEncrypted | intune_isencrypted |
| manufacturer | intune_manufacturer |
| userPrincipalName | intune_userprincipalname |
| phoneNumber | intune_phonenumber |
| androidSecurityPatchLevel | intune_androidsecuritypatchlevel |
| userDisplayName | intune_userdisplayname |
| wiFiMacAddress | intune_wifimacaddress |
| imei | intune_imei |
| deviceActionResults | intune_deviceactionresults |
Read Software from Intune
See the Microsoft documentation for the API: https://learn.microsoft.com/en-us/graph/api/intune-devices-detectedapp-list?view=graph-rest-1.0&tabs=http
Entra ID application permissions
For Intune software import, the application in Entra ID needs these permissions.
For customer instructions, see https://docs.efecte.com/customer-instructions/efecte-provisioning-engine-customer-instructions-for-entra-id
| Permission type | Permission |
|---|---|
| Application | DeviceManagementManagedDevices.Read.All or DeviceManagementManagedDevices.ReadWrite.All |
Queries for Scheduled Task
Query: deviceManagement/detectedApps
Subqueries: deviceManagement/detectedApps/{id}/managedDevices

Mappings for Scheduled Task
Always use Generic Template for Intune Mappings Type:


Mapping for the subquery device ids: deviceManagement/detectedApps/{id}/managedDevices.id, mapped to the multivalue string attribute devices.
Wipe Intune Device
Wipe is one of the supported actions for Intune devices. With the wipe action you can clear the data of a lost device. For all actions, see the chapter “Other Actions for Intune Devices” on this page.
Microsoft documentation for wipe action: Documentation for wipe
Event-Based Task
The Url for the Event-Based task can be empty. The final url to call is built by combining the connector url and the workflow node url.
Mappings for Event-Based Task

Header for Event-based Task
No need to set extra headers, Connector management sets this automatically:
| Content-type | application/json |
Workflow Node
Select these Orchestrate, Data Source and Activities:

Select the event-based task you made for this action. You can also use one event-based task for many actions.
Activity: Generic REST API call
Type: POST
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/wipe
Body example:
{
"keepEnrollmentData": true,
"keepUserData": false,
"macOsUnlockCode": "Mac Os Unlock Code value",
"persistEsimDataPlan": true
}
Entra ID application permissions
For Intune device actions, the application in Entra ID needs these permissions.
For customer instructions, see https://docs.efecte.com/customer-instructions/efecte-provisioning-engine-customer-instructions-for-entra-id
| Permission type | Permission |
|---|---|
| Application | DeviceManagementManagedDevices.ReadWrite.All or DeviceManagementManagedDevices.PrivilegedOperations.All |
Other Actions for Intune Devices
Entra ID application permissions
For Intune device actions, the application in Entra ID needs permissions. To set the correct permissions, see https://docs.efecte.com/customer-instructions/efecte-provisioning-engine-customer-instructions-for-entra-id and https://learn.microsoft.com/en-us/graph/permissions-reference
Event-Based Task
The Url for the Event-Based task can be empty. The final url to call is built by combining the connector url and the workflow node url.
Mappings for Event-Based Task

Header for Event-based Task
No need to set extra headers, Connector management sets this automatically:
| Content-type | application/json |
Workflow Node
On the Workflow Orchestration node, select these Orchestrate, Data Source and Activity:

Select the event-based task you made for this action. You can also use one event-based task for many actions.
All of these actions use the HTTP method POST, except Delete device from Intune, which uses DELETE.

Note! For action urls, remember to set the correct attribute for $attributecode_for_deviceid$, either directly from the datacard or through a reference: $referencedata:attributecode_for_deviceid$.
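How the final action url is assembled from the connector url and the workflow node url, with both placeholder forms from the note above, as an added Python example that is not connector code from this page: the attribute codes (intune_id, device_ref), the reference lookup and the datacard values are assumptions; it also refuses an empty device id and enforces the beta connector url for lost mode.

```python
import re
from urllib.parse import urljoin

# Constructed datacard and referenced datacard. "intune_id" and "device_ref" are assumed
# attribute codes standing in for the page's $attributecode_for_deviceid$.
DATACARD = {"intune_id": "d-001", "device_ref": "REF-42"}
REFERENCE_CARDS = {"REF-42": {"intune_id": "d-001"}}

# Matches $code$ (group 1 empty) and $referencedata:code$ (group 1 set).
PLACEHOLDER = re.compile(r"\$(referencedata:)?([A-Za-z0-9_]+)\$")

# HTTP method and workflow-node url per action; every action is POST except delete.
ACTIONS = {
    "wipe": ("POST", "deviceManagement/managedDevices/$intune_id$/wipe"),
    "retire": ("POST", "deviceManagement/managedDevices/$referencedata:intune_id$/retire"),
    "delete": ("DELETE", "deviceManagement/managedDevices/$intune_id$"),
    "enableLostMode": ("POST", "deviceManagement/managedDevices/$intune_id$/enableLostMode"),
}

def fill_url(template: str, card: dict, refs: dict, ref_attr: str = "device_ref") -> str:
    """Substitute placeholders: $code$ from the datacard itself, $referencedata:code$ from
    the datacard referenced by ref_attr (assumption: one reference attribute on the card)."""
    def repl(match: re.Match) -> str:
        via_ref, code = match.group(1), match.group(2)
        source = refs.get(card.get(ref_attr), {}) if via_ref else card
        value = source.get(code)
        if not value:
            # An empty id would yield ".../managedDevices//wipe"; refuse rather than send it.
            raise ValueError(f"no value for {code}")
        return str(value)
    return PLACEHOLDER.sub(repl, template)

def build_request(connector_url: str, action: str, card: dict, refs: dict) -> tuple:
    """Return (method, final url): the connector url joined with the filled node url."""
    method, node_url = ACTIONS[action]
    if action == "enableLostMode" and "/beta/" not in connector_url:
        raise ValueError("lost mode is only in the Graph beta API; use the beta connector url")
    return method, urljoin(connector_url, fill_url(node_url, card, refs))
```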
Device Lifecycle & Compliance
Wipe
Wipe the data from the device (optionally retain user data).
Documentation for wipe
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/wipe
{
"keepEnrollmentData": true,
"keepUserData": false,
"macOsUnlockCode": "Mac Os Unlock Code value",
"persistEsimDataPlan": true
}
Retire
Remove company data and management profile from the device.
Documentation for retire
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/retire
Delete
Permanently delete a device record from Intune.
Documentation for Delete
Action type: DELETE
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$
Clean Windows Device
Perform a clean Windows reinstall.
Documentation for clean
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/cleanWindowsDevice
Sync Device
Force device to check in with Intune.
Documentation for Sync
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/syncDevice
Security & Management
Remote Lock
Remotely lock the device.
Remote lock is supported on devices running:
- Android
- iOS
Documentation for remote locking
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/remoteLock
Reset Passcode (iOS/iPadOS only)
Reset the passcode of the device.
Documentation of reset password
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/resetPasscode
Body example:
{
"password": "Temparary-??-42?!"
}
Enable/Disable Lost Mode (iOS only)
Track lost devices via Lost Mode.
Note! Microsoft has not yet added this to the v1.0 version of their Graph API, so in order to call these APIs you need a connector using the Microsoft Graph API beta version. Graph API url in the connector: https://graph.microsoft.com/beta/
Documentation for Enable lost mode
Documentation for Disable lost mode
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/enableLostMode
Body example:
{
"footer": "Please return this device to CompanyX IT",
"message": "Device lost. Contact companyX IT department at +358999999999.",
"phoneNumber": "+358999999999"
}
Locate Device
Get GPS coordinates of a lost device.
Documentation locate device
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/locateDevice
Body example:
{
"deviceTag": "HRDeptTempTag"
}
Restart Now (Windows only)
Restart the device remotely.
Documentation restart
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/restartNow
Shut Down (Windows only)
Shut the device down remotely.
Documentation shutdown
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/shutdown
Rotate BitLocker Keys
Rotate BitLocker recovery keys for security.
Documentation rotate bitlocker keys
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/rotateBitLockerKeys
Configuration and Cloud PC
Set Device Name
Assign a new name to the device.
Documentation set device name
Url: deviceManagement/managedDevices/$attributecode_for_deviceid$/setDeviceName
Body example:
{
"deviceName": "Finance-Laptop-20250123"
}
More Intune Related Examples
This chapter gives some examples of how the connector can be used to fetch Intune data.
How to Fetch Intune Devices
The example below shows how to fetch Intune devices, the primary user of each device and the device's Windows protection state.

If you want to use filters in the Microsoft Entra query for deviceManagement/managedDevices, check this Microsoft document: https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-manageddevice?view=graph-rest-1.0
Here is one example of filtering, which returns only the devices whose complianceState is noncompliant: deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant'
Attribute Mapping
With the Intune query and subqueries, here are examples of how to read data with attribute mappings:

More Intune mapping examples:

Mapping from Subquery
If you want to read an attribute from a subquery, the mapping has its own format. First you need the subquery as a prefix, then a dot (.), and then the attribute name you want to read.
As an example, let's look at this mapping in more detail: /deviceManagement/managedDevices/{id}/windowsProtectionState.deviceState
prefix (same as the subquery): /deviceManagement/managedDevices/{id}/windowsProtectionState
dot: .
suffix, the attribute name from the subquery result set: deviceState
That subquery mapping reads the windowsProtectionState object of every device returned by the main query, and from there reads the deviceState attribute value.
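The subquery mapping format just described, together with the “Set value for deleted objects” behaviour from the Mappings for Scheduled Task section, as an added Python example that is not part of the connector or this page: it resolves a mapping table against constructed Graph results (main query plus two subqueries, one returning a collection, as the detectedApps devices mapping does) and marks cards this task created that Intune no longer returns as disposed. The keying of subquery results by path and device id, the local attribute names and the sample values are assumptions.

```python
# Constructed sample data: two managedDevice objects from the main query, plus subquery results
# keyed first by subquery path and then by device id (a collection subquery gives a list).
WPS = "deviceManagement/managedDevices/{id}/windowsProtectionState"
USERS = "deviceManagement/managedDevices/{id}/users"
DEVICES = [
    {"id": "d-001", "deviceName": "FIN-LT-01", "complianceState": "noncompliant"},
    {"id": "d-002", "deviceName": "FIN-LT-02", "complianceState": "compliant"},
]
SUBQUERY_RESULTS = {
    WPS: {"d-001": {"deviceState": "clean"}, "d-002": {"deviceState": "fullScanRequired"}},
    USERS: {"d-001": [{"userPrincipalName": "a@example.test"}], "d-002": []},
}
# External attribute -> local attribute, in the page's table form; a subquery mapping is
# "<subquery>.<attribute>" (leading slash optional). Local names are assumed.
MAPPINGS = {
    "id": "intune_id",
    "deviceName": "intune_devicename",
    "complianceState": "intune_compliancestate",
    "/" + WPS + ".deviceState": "intune_wp_devicestate",
    USERS + ".userPrincipalName": "intune_users",
}

def split_mapping(external: str) -> tuple:
    """Return (subquery prefix or None, attribute name) for one external attribute."""
    if "/" not in external:
        return None, external                      # plain main-query attribute
    prefix, _, attr = external.rpartition(".")     # prefix = subquery, suffix = attribute
    return prefix.lstrip("/"), attr

def build_datacard(device: dict, subquery_results: dict, mappings: dict) -> dict:
    """Resolve every mapping for one device into a local-attribute dict."""
    card = {}
    for external, local in mappings.items():
        prefix, attr = split_mapping(external)
        rows = device if prefix is None else subquery_results.get(prefix, {}).get(device["id"], {})
        # A collection subquery (list) becomes a multivalue attribute; an object gives one value.
        card[local] = [r.get(attr) for r in rows] if isinstance(rows, list) else rows.get(attr)
    return card

def run_task(devices: list, subquery_results: dict, mappings: dict, existing: list, task_id: int) -> list:
    """One import run: build cards for fetched devices, then set Status = "07 - Disposed" on
    cards this task created (Related connector task == task_id) that Intune no longer returns."""
    seen = {d["id"] for d in devices}
    cards = [dict(build_datacard(d, subquery_results, mappings), related_connector_task=task_id)
             for d in devices]
    for old in existing:
        if old.get("related_connector_task") == task_id and old.get("intune_id") not in seen:
            old["status"] = "07 - Disposed"
    return cards
```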
Microsoft Graph API Information Related to this Intune Example
https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddevice-list?view=graph-rest-1.0
How to Fetch Intune Applications
The example below shows how to fetch Intune applications and the devices having those applications.
Microsoft Entra query: deviceManagement/detectedApps
Subqueries: deviceManagement/detectedApps/{id}/managedDevices
Attribute Mapping
With the Intune query and subqueries, here are 3 examples of mappings:
displayName
platform
deviceManagement/detectedApps/{id}/managedDevices.operatingSystem
Microsoft Graph API Information Related to This Intune Example
https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-detectedapp?view=graph-rest-1.0
Known Restrictions
Restrictions in 2025.2 and older versions
The Microsoft Intune reporting API https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs is not supported (https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/reports-export-graph-available-reports).
More than 1 level of subqueries is not supported, for performance reasons.
More than 1 subquery is not supported in versions older than 2025.3. Support for this was added in version 2025.3.
The connector doesn't support marking Intune objects as deleted in Matrix42 Core, Pro and IGA when the object is deleted from Microsoft Intune, in versions older than 2025.3. Support for this was added in version 2025.3.
Restrictions in 2025.3
The Microsoft Intune reporting API https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs is not supported (https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/reports-export-graph-available-reports).
More than 1 level of subqueries is not supported, for performance reasons.