How to scan Intune with a Microsoft Cloud Services credential

Scanning mobile devices from Intune with a Microsoft Cloud Services Credential is a feature introduced in Lansweeper 8.3. If you are using an older Lansweeper release, you will need to update by following the instructions in this knowledge base article.

The scanning of mobile devices enrolled in Intune was introduced in version 7.1. This original implementation made use of delegated permissions and basic authentication. In Lansweeper version 8.3, we introduced the Microsoft Cloud Service credential, which can be used to scan Intune. This credential makes full use of Modern Authentication and the Microsoft Graph API, using application permissions. To follow this article you must have already created the Microsoft Cloud Services application that is required to scan Intune. This article explains what the prerequisites are, what permissions you'll need to add and how to set up Lansweeper to scan your Intune devices.

With an Intunev2 scanning target you'll be able to scan Android, iOS (iPhone and iPad) and Windows Phone mobile devices enrolled in Intune.

Prerequisites

To scan mobile devices from Intune with a Microsoft Cloud Services Credential, make sure that:

  • You've already set up your Microsoft Cloud Services application.
  • You're in possession of your Microsoft Cloud Services application's Application (client) ID, Directory (tenant) ID, and Client secret or certificate. These are obtained when creating the application.

Adding permissions to the Microsoft Graph application to scan Intune data

Step 1: Click on the API permissions tab

Open your company's Azure portal, navigate to App registrations, click on the app you've already created and click on the API permissions tab in the left-hand menu.

On the API permissions page, click on the Add permission button and select Microsoft Graph from the API list.

As we are setting up the Microsoft Graph API to enforce modern authentication, you will need to add Application permissions. Therefore, click the Application permissions button.

Add the DeviceManagementManagedDevices.Read.All API permission. This is required to scan your Intune data. Once the permission is added, click the save button on the bottom of the page and double-check the permissions that are listed.

Step 2: Grant admin consent

The permission is added but admin consent must still be granted. To do this, click the button Grant admin consent for <organization> and click the Grant button in the resulting pop-up.

The added permissions should now show Granted for <organization>.
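
To confirm from outside the portal that consent took effect and that the app holds no more than the scan needs, the following added example (not part of the original article and not Lansweeper code) requests an app-only token with the client secret and compares its granted permissions with the one added above. It assumes the Graph access token is a JWT whose `roles` claim lists the granted application permissions; the function names are hypothetical and the sample tokens are constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permission this article adds for Intune scanning.
REQUIRED_ROLES = {"DeviceManagementManagedDevices.Read.All"}

def fetch_app_token(tenant_id, client_id, client_secret):
    """Request an app-only Graph token with the client credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form), timeout=30) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """Return the 'roles' claim of a JWT (assumed: granted app permissions)."""
    # Decoded for inspection only; the signature is not verified here.
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))  # claim is absent when nothing is granted

def audit_roles(access_token, required=REQUIRED_ROLES):
    """Report permissions the scan needs but lacks, and ones beyond its needs."""
    granted = token_roles(access_token)
    return {"missing": sorted(required - granted),
            "extra": sorted(granted - required)}

def sample_token(roles):
    """Build an unsigned, constructed token so the check can be run offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': 'https://graph.microsoft.com', 'roles': roles})}.sig"

if __name__ == "__main__":
    # Constructed tokens: one correctly scoped, one over-privileged and unconsented.
    print(audit_roles(sample_token(["DeviceManagementManagedDevices.Read.All"])))
    print(audit_roles(sample_token(["Directory.ReadWrite.All"])))
```

Against a real tenant, pass the result of `fetch_app_token(...)` to `audit_roles`; if the credential is also used for other scanning targets, extend `required` with the permissions those targets need.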

How to set up Lansweeper to scan your Intune data

Step 1: Open the Lansweeper web console.

In the Lansweeper web console, navigate to the Scanning\Scanning Credentials tab.

Step 2: Add a new credential.

On the Scanning Credentials tab, click the Add New Credential button.
Select credential type Microsoft Cloud Service, fill in the name, Application ID and Directory ID. Application ID and Directory ID are obtained when creating the Microsoft Cloud Services application.

Step 3: Select client secret or certificate thumbprint as authentication type.

If a Client secret is selected, add the client secret (obtained when creating the MS Graph app in Azure).

If a Certificate thumbprint is selected, add the certificate thumbprint (obtained when creating the MS Graph app in Azure).

Step 4: Select the Scanning targets.

When creating the Microsoft Cloud Service scanning credential, Lansweeper can automatically create a scanning target to scan your Intune data. To automatically create the scanning target, tick the designated checkboxes and click the OK button. When you check Intune v2, an Intunev2 scanning target is automatically created and linked to this credential.

When multiple scanning targets are selected, ensure that the app has sufficient API permissions to scan the selected scanning targets. E.g. if you'd like to use the credential for both Office 365 scanning and Intune scanning, make sure application permissions are set for both.

If no Scanning targets are selected when creating the scanning credential, create a scanning target manually via Scanning\Scanning Targets and map the scanning credential to the scanning target afterward.
