Intune Connection Details (Windows)

This article walks through the details of configuring Intune to connect to Drata.

Written by Ashley Hyman
Updated over a week ago

HERE'S WHY

Connecting to Intune turns on the MDM option in Workstation Configuration Monitoring under your company's Internal Security settings. If the Drata Agent is not present and active on a workstation, Drata will then obtain that workstation's configuration information from the Intune instance for compliance purposes.

BEFORE DIVING IN

  1. Make sure that the devices you wish to monitor are enrolled through the Intune Company Portal website or app. Devices can be enrolled by any of these methods. If your employees are already enrolled, it is not necessary for them to install the Company Portal application.

  2. Make sure that your Entra (formerly Azure) account has already been populated with users.

  3. Make sure you have an existing Microsoft Endpoint Manager group containing all users that need to be monitored. Both types of "Microsoft 365" and "Security" are supported.

  4. Make sure that all devices that need to be synced have the user's email address entered into the device's User Principal Name field. Also ensure this value matches the Personnel email address in Drata.

  5. You will need a Global Administrator account in order to set everything up in Entra/Intune.

  6. At this time, Drata's Hard Disk Encryption check reads device settings directly through the Intune connection; the rest of Drata's device compliance checks confirm the following:

    • Does the policy of the required name and/or type exist?

    • Is that policy mapped to the device?

    • Is that device compliant with that policy?

    If all three of the above criteria are met, Drata will show that device as passing for the other device compliance checks.
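As an added illustration (this is not Drata's code), the following Python models the three-criterion evaluation above against constructed sample data. The policy names are the ones this article has you create; the displayName/state record shape is an assumption modelled on what Microsoft Graph returns for a device's policy and profile states.

```python
from typing import Dict, List, Set

# Drata check -> Intune policy/profile name this article has you create.
# Hard Disk Encryption is left out: Drata reads device settings directly for it.
REQUIRED_POLICIES: Dict[str, str] = {
    "screen_lock": "Drata - Screen Lock",
    "device_security": "Drata - Device Security",
    "windows_updates": "Drata - Windows Updates",
    "firewall": "Drata - Firewall",
}

# Constructed sample data (assumption: shaped like Graph's per-device policy
# state records, which carry displayName and state). Any state other than
# "compliant", e.g. "unknown" for a device that has not reported yet, must not pass.
TENANT_POLICIES: Set[str] = set(REQUIRED_POLICIES.values())
DEVICES: Dict[str, List[dict]] = {
    "LAPTOP-OK": [
        {"displayName": "Drata - Screen Lock", "state": "compliant"},
        {"displayName": "Drata - Device Security", "state": "compliant"},
        {"displayName": "Drata - Windows Updates", "state": "compliant"},
        {"displayName": "Drata - Firewall", "state": "compliant"},
    ],
    "LAPTOP-GAPS": [
        {"displayName": "Drata - Screen Lock", "state": "compliant"},
        {"displayName": "Drata - Device Security", "state": "noncompliant"},
        {"displayName": "Drata - Windows Updates", "state": "unknown"},
        # "Drata - Firewall" is not assigned to this device at all.
    ],
}


def evaluate_check(tenant_policies: Set[str], policy_states: List[dict],
                   policy_name: str) -> str:
    """Apply the three criteria in order; report the first one that fails."""
    if policy_name not in tenant_policies:
        return "fail: policy does not exist"            # criterion 1
    match = [s for s in policy_states if s["displayName"] == policy_name]
    if not match:
        return "fail: policy not mapped to device"      # criterion 2
    if match[0]["state"] != "compliant":
        return f"fail: device state is {match[0]['state']}"  # criterion 3
    return "pass"


def evaluate_device(tenant_policies: Set[str],
                    policy_states: List[dict]) -> Dict[str, str]:
    """Result of every policy-backed Drata check for one device."""
    return {check: evaluate_check(tenant_policies, policy_states, name)
            for check, name in REQUIRED_POLICIES.items()}
```

Run `evaluate_device(TENANT_POLICIES, DEVICES["LAPTOP-GAPS"])` to see which criterion each failing check stops at.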

Current Limitations

  • The integration supports Microsoft Windows 10 and 11 Pro and Enterprise devices only. Windows 10 and 11 Home devices are not supported.

  • Drata's Autopilot (nightly automated testing) must run before the application list from Intune can be shown.

  • The application list for each device can take up to seven days to sync. This is because Intune updates the discovered apps list once every seven days after Intune was installed.

  • Drata supports both the Intune Discovered Apps list and Intune Managed Apps list natively.

  • The Intune API doesn't return the version of the Intune Agent used.

  • Only one configuration source per machine will be read, with the Drata agent taking precedence. To sync Intune data, ensure the Drata agent is uninstalled.

  • Intune cannot natively pick up browser extensions, so if those are being used as a password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application. Ensure that this app shows on Intune's discovered apps list.

  • Currently, policies and configuration profiles set up using Intune Settings Catalog are not supported. In order for compliance data to sync, you must use the policy and configuration profile types defined in this help article.

Overview of what we're going to set up

  • Create an Intune OAuth app on Entra ID and obtain the app’s Application ID (client ID), Tenant ID, and app secret.

  • Create policies on Microsoft Endpoint Manager. These are necessary for Windows Autoupdates, Lock Screen, Firewall, Disk Encryption, and Antivirus compliance data.

  • Sync devices to get the latest policies and actions from Intune.

  • Grant permissions to the app.

  • Connect to your Intune instance in Drata.

Create Intune App on Entra ID

Create new App Registration

  1. Starting from the Microsoft Intune admin center, select All services > Microsoft Entra. A new tab will open the Microsoft Entra admin center.

2. Select Identity > Applications > App registrations.

3. On the App Registration page, select + New registration.

  • Alternatively, for steps 1-3, you can go to portal.azure.com -> click on Microsoft Entra ID -> click on App registrations in the left sidebar -> select + New registration.

4. On the Register an application page, enter the following name exactly as provided: Drata - Intune App

5. Select the radio option for Accounts in this organizational directory only (<directory name> only - Single tenant).

6. Select Register. You are taken back to the app's Overview page.

7. Copy the Application (client) ID and Directory (tenant) ID. You will use the IDs to connect to your Intune instance in Drata.

8. Select Add a certificate or secret.


9. Select + New client secret.


10. Enter the details for the Description, select 24 months for Expires, and then select Add.


11. Copy the Value (not the Secret ID) of the new secret; you will paste it into the Application Secret text field on the Drata slide-out panel (Note: this is the only time you can copy this secret). Then refresh the Azure Certificates and Secrets screen to make the secret Value usable (Microsoft holds it in a pending state until the screen is refreshed).

  • Note: Be sure to create a new secret and update it in Drata before the expiration date so the connection remains active.

API Permissions

Microsoft Graph has two types of permissions: Delegated and Application. The Drata OAuth app needs Application permissions.

1. Select API permissions.

2. Select + Add a permission.

3. Select Microsoft Graph.


4. Select Application permissions.

5. Select the following four permissions:

  • DeviceManagementManagedDevices.Read.All

  • DeviceManagementConfiguration.Read.All

  • User.Read.All

  • DeviceManagementApps.Read.All

6. Select Add permissions.


7. The status of the four new permissions displays as Not granted. Select Grant admin consent to grant the app these permissions.

8. Select Yes in the Grant admin consent confirmation popup.

9. Confirm that the status displays Granted.

Connect to your Intune instance in Drata

1. Go to the Drata app to select Connections (located on the bottom sidebar).

2. Select Connect for the Intune integration.

3. In the extended drawer, enter the details you saved in the previous steps: Directory (tenant) ID, Application (client) ID, and Application Secret.

4. Select Save & Test Connection.

Configure Intune in Drata for employee onboarding

  1. Go to the Drata app to select your company's name (located on the bottom sidebar) to select Internal Security.

  2. Toggle Automated via Intune on and Automated via Drata Agent off to disable the Drata agent.

  3. Note: If both remain on and the Drata agent is installed on an employee computer, the Drata agent takes precedence, meaning that employee's compliance checks will come from the agent.

Lock Screen and Password Configuration Profile

Create a new Configuration Profile with a Device Restriction Policy to get the Lock Screen and Password information according to the following steps.

NOTE: If you already have an existing Lock Screen and Password Configuration Profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.

  1. Select Devices > Configuration profiles > Create profile.

  2. Enter the following properties:

    • Platform: Choose Windows 10 and later

    • Profile: Choose Templates > Device restrictions.

  3. Select Create.


5. On the Basics page, enter the following name exactly as provided: Drata - Screen Lock

6. Description is optional. Select Next.

7. On the Configuration settings page, expand each group of settings, and configure the settings you want to manage with this profile. The two settings below in the Password section must be set at a minimum.

  • Select Require for Password.

  • Select 15 Minutes for Maximum minutes of inactivity until screen locks (you can optionally make this shorter).

  • Configure other settings as your business requires.

8. Under Assignments, choose + Select groups to include and then assign the profile to one or more groups. Use + Select groups to exclude to fine-tune the assignment. Select Next.

  • Note: The Security group is the only selectable option for the Screen Lock profile.

9. Applicability Rules are optional. Select Next.

10. On the Review + create page, ensure your settings are correct, and select Create. You are taken back to the profile's Overview page.

Device Security Policy

Create a new compliance policy to sync the BitLocker, Secure Boot, and Antivirus settings with the following steps.

  1. Select Devices > Compliance policies > Policies > Create Policy.

  2. Enter the following property for Platform: Choose Windows 10 and later.

  3. Select Create.

  4. On the Basics page, the following name is recommended, but Drata can read an existing policy with these settings: Drata - Device Security

  5. Description is optional. Select Next.

  6. On the Compliance settings page, expand each group of settings, and configure the settings you want to manage with this policy. The settings below must be set at a minimum.

  7. Expand the Device Health option.

    • Select Require for BitLocker.

    • Select Require for Require Secure Boot to be enabled on the device.

    • Configure other settings as your business requires.


8. Expand the System Security option. Scroll down to the Device Security section.

  • Select Require for Antivirus.

  • Configure other settings as your business requires.

9. Scroll down to the Defender section.

  • Select Require for Microsoft Defender Antimalware.

  • Select Require for Microsoft Defender Antimalware security intelligence up-to-date.

  • Select Require for Real-time protection.

  • Configure other settings as your business requires.

10. The Actions for noncompliance section is optional. Select Next.

11. Under Assignments, choose + Select groups to include and then assign the policy to one or more groups. Use + Select groups to exclude to fine-tune the assignment. Select Next.

12. On the Review + create page, ensure your settings are correct, and click Create. You are taken back to the profile's Overview page.

Windows Updates Profile

Create a new policy to sync Windows Autoupdate settings with the following steps.

NOTE: If you already have an existing Windows Update Ring profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.

  1. Select Devices > Windows > Update rings for Windows 10 and later > Create profile.

  2. On the Basics page, enter the following name exactly as provided: Drata - Windows Updates

  3. Description is optional. Select Next.


4. Under Update ring settings, configure the settings you want to manage with this profile. For information about the available settings, see Windows update settings. Select Next.

5. Under Assignments, choose + Select groups to include and then assign the update ring to one or more groups. Use + Select groups to exclude to fine-tune the assignment. Select Next.

  • Note: The Security group is the only selectable option for the Windows Update profile. While update rings can deploy to both device and user groups (i.e. a Security group can have both as members), consider using only device groups when you also use feature updates.

6. On the Review + create page, ensure your settings are correct, and select Create. Your new update ring is displayed in the list of update rings.

Create Security Policies

Disk Encryption Security Policy

  1. Select Endpoint security.

  2. Select the "Disk encryption" policy type, and then select Create Policy.

  3. Enter the following properties:

    • Platform: Choose Windows 10 and later.

    • Profile: Choose BitLocker.

  4. Select Create.

  5. On the Basics page, the following name is recommended, but Drata can read an existing policy with these settings: Drata - Disk Encryption

  6. Description is optional. Select Next.

  7. On the Configuration settings page, expand each group of settings, and configure the settings you want to manage with this policy. For the Drata connection, these settings are required:

    1. BitLocker

      1. Require Device Encryption: Enabled

      2. Allow Warning For Other Disk Encryption: Enabled

    2. Administrative Templates

      1. Windows Components > BitLocker Drive Encryption

        1. Choose drive encryption method…: Enabled

        2. Select the encryption method for removable data drives: AES-CBC 128-bit

        3. Select the encryption method for fixed data drives: XTS-AES 128-bit

        4. Select the encryption method for operating system drives: XTS-AES 128-bit

      2. Windows Components > BitLocker Drive Encryption > Operating System Drives

        1. Enforce drive encryption type on operating system drives: Enabled

        2. Select the encryption type: (Device): Use Space Only encryption

      3. Windows Components > BitLocker Drive Encryption > Fixed Data Drives

        1. Enforce drive encryption type on fixed data drives: Enabled

        2. Select the encryption type: (Device): Allow user to choose

    3. Configure other settings as your business requires.

9. When you're done configuring settings, select Next.

10. Scope tags are optional. Select Next.

11. Under Assignments, choose + Add groups under Included Groups and then assign the policy to one or more groups. Use + Add groups to Excluded Groups to fine-tune the assignment as necessary. For more information on assigning profiles, see Assign user and device profiles.

  • Note: The Security group is the only selectable option for the Disk Encryption policy.

12. On the Review + create page, ensure your settings are correct, and select Create. The new policy is displayed in the list when you select the type for the policy you created.

Firewall Security Policy

  1. Go to Endpoint security.

  2. Select the "Firewall" policy type, and then select Create Policy.

  3. Enter the following properties:

    • Platform: Choose Windows 10, Windows 11, and Windows Server.

    • Profile: Choose Microsoft Firewall

  4. Select Create.

  5. On the Basics page, the following name is recommended, but Drata can read an existing policy with these settings: Drata - Firewall

  6. Description is optional. Select Next.

  7. On the Configuration settings page, configure the settings you want to manage with this policy. The three settings below must be set at a minimum.

    1. Select True for Enable Domain Network Firewall

    2. Select True for Enable Private Network Firewall

    3. Select True for Enable Public Network Firewall

    4. Configure other settings as your business requires

8. When you're done configuring settings, select Next.

9. Scope tags are optional. Select Next.

11. Under Assignments, choose + Select groups to include and then assign the policy to one or more groups. Use + Select groups to exclude to fine-tune the assignment. For more information on assigning profiles, see Assign user and device profiles.

  • Note: The Security group is the only selectable option for the Firewall policy.

12. On the Review + create page, ensure your settings are correct, and select Create. The new policy is displayed in the list when you select the type for the policy you created.

Note: There is a known Intune bug where Firewall compliance can report false positives.

Sync devices to get the latest policies and actions with Intune

The Sync device action forces the selected devices to immediately check in with Intune. When a device checks in, it receives any pending actions or policies that have been assigned to it. This feature can help you immediately validate and troubleshoot policies you've assigned, without waiting for the next scheduled check-in.

Sync bulk devices

  1. Select Devices > All devices > Bulk Device Actions.


2. On the Basics page, enter the following:

  • Select Windows for OS

  • Select Sync for Device action

3. On the Devices page, select from 1 to 100 devices. Select Next.

4. On the Review + create page, ensure your settings are correct, and select Create. You are taken back to the Devices page.

  • Note: If the device has just enrolled, check-ins will be more frequent: Windows PCs check in every 3 minutes for 30 minutes, and then every 8 hours.
