HERE'S WHY
Connecting to Intune turns on the MDM option under Workstation Configuration Monitoring in your company's Internal Security settings. If the Drata Agent is not present and active on a workstation, Drata then obtains that workstation's configuration information from the Intune instance for compliance purposes.
BEFORE DIVING IN
Make sure that the devices you wish to monitor are enrolled through the Intune Company Portal website or app. Devices can be enrolled by any of these methods. If your employees are already enrolled, it is not necessary for them to install the Company Portal application.
Make sure that your Entra (formerly Azure) account has already been populated with users.
Make sure you have an existing Microsoft Endpoint Manager group containing all users that need to be monitored. Both types of "Microsoft 365" and "Security" are supported.
Make sure that all devices that need to be synced have the user's email address entered into the device's User Principal Name field. Also ensure this value matches the Personnel email address in Drata.
You will need a Global Administrator account in order to set everything up in Entra/Intune.
At this time, Drata's Intune-based device compliance check for Hard Disk Encryption reads the device's settings directly; the rest of Drata's device compliance checks confirm the following:
Does the policy of the required name and/or type exist?
Is that policy mapped to the device?
Is that device compliant with that policy?
If all three of the above criteria are met, Drata will show that device as passing for the other device compliance checks.
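The three criteria above, applied to data shaped like what Microsoft Graph returns, as an added example (this is not Drata's code, and the input shapes are assumptions: policies are pre-flattened with the ids of the groups they are assigned to, and each device carries its user's group ids plus the per-policy compliance state Intune reports; the sample policies and devices are constructed):

```python
from dataclasses import dataclass

# Constructed sample: two compliance policies as Microsoft Graph would list them,
# each pre-flattened (an assumption of this example) with the ids of the groups
# they are assigned to.
POLICIES = [
    {"id": "pol-1", "displayName": "Drata - Device Security",
     "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
     "assignedGroupIds": {"grp-security"}},
    {"id": "pol-2", "displayName": "Legacy baseline",
     "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
     "assignedGroupIds": {"grp-other"}},
]

# Constructed sample: per-device data, with the device user's group memberships
# and the per-policy compliance state Intune reports for that device.
DEVICES = {
    "dev-a": {"groupIds": {"grp-security"}, "policyStates": {"pol-1": "compliant"}},
    "dev-b": {"groupIds": {"grp-security"}, "policyStates": {"pol-1": "noncompliant"}},
    "dev-c": {"groupIds": {"grp-other"}, "policyStates": {}},
}


@dataclass
class CheckResult:
    device_id: str
    policy_exists: bool
    policy_assigned: bool
    device_compliant: bool

    @property
    def passing(self) -> bool:
        # All three criteria from the article must hold for a pass.
        return self.policy_exists and self.policy_assigned and self.device_compliant

    def reason(self) -> str:
        if not self.policy_exists:
            return "policy not found"
        if not self.policy_assigned:
            return "policy not assigned to this device"
        if not self.device_compliant:
            return "device not compliant with policy"
        return "passing"


def find_policy(policies, name, odata_type):
    """Criterion 1: a policy with the required name and type exists."""
    for policy in policies:
        if policy["displayName"] == name and policy.get("@odata.type") == odata_type:
            return policy
    return None


def evaluate_device(device_id, device, policies, name, odata_type):
    policy = find_policy(policies, name, odata_type)
    if policy is None:
        return CheckResult(device_id, False, False, False)
    # Criterion 2: the policy is mapped to the device through a group it belongs to.
    assigned = bool(policy["assignedGroupIds"] & device["groupIds"])
    # Criterion 3: Intune reports the device as compliant with that policy.
    state = device["policyStates"].get(policy["id"])
    return CheckResult(device_id, True, assigned, state == "compliant")


def evaluate_all(devices=DEVICES, policies=POLICIES,
                 name="Drata - Device Security",
                 odata_type="#microsoft.graph.windows10CompliancePolicy"):
    return {d: evaluate_device(d, data, policies, name, odata_type)
            for d, data in devices.items()}


if __name__ == "__main__":
    for device_id, result in evaluate_all().items():
        print(device_id, "PASS" if result.passing else "FAIL", "-", result.reason())
```

Running the block reports dev-a as passing, dev-b as failing on criterion 3 and dev-c as failing on criterion 2; renaming the policy (or asking for a name that does not exist) fails every device on criterion 1, which is why the policy names in this article must match exactly.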
Current Limitations
The integration supports Microsoft Windows 10 and 11 Pro and Enterprise devices only. Windows 10 and 11 Home devices are not supported.
Drata's Autopilot (nightly automated testing) must run before the application list from Intune can be shown.
The application list for each device can take up to seven days to sync. This is because Intune updates the discovered apps list once every seven days after Intune was installed.
Drata supports both the Intune Discovered Apps list and Intune Managed Apps list natively.
The Intune API doesn't return the version of the Intune Agent used.
Only one configuration source per machine will be read, with the Drata agent taking precedence. To sync Intune data, ensure the Drata agent is uninstalled.
1Password is only detected when it is installed via Intune.
Intune cannot natively pick up browser extensions, so if those are being used as a password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application. Ensure that this app shows on either Intune's discovered apps list or Intune's Managed Apps list.
You may choose to upload manual evidence as an alternative.
Currently, policies and configuration profiles set up using Intune Settings Catalog are not supported. In order for compliance data to sync, you must use the policy and configuration profile types defined in this help article.
Currently, Endpoint Security policies (required for Disk Encryption and Firewall settings) set up using Security Baselines are not supported. In order for compliance data to sync, you must use the policy and configuration profile types defined in this help article.
Overview of what we're going to set up
Create an Intune OAuth app on Entra ID and obtain the app’s Application ID (client ID), Tenant ID, and app secret.
Create policies on Microsoft Endpoint Manager. These are necessary for Windows Autoupdates, Lock Screen, Firewall, Disk Encryption, and Antivirus compliance data.
Sync devices to get the latest policies and actions from Intune.
Grant permissions to the app.
Connect to your Intune instance in Drata.
Create Intune App on Entra ID
Create new App Registration
You can start from the Microsoft Intune admin center or portal.azure.com. Start from step 3 if you would like to start at portal.azure.com. Depending on your starting point, the instructions to do certain actions may differ.
If you start from Microsoft Intune admin center,
If you start from portal.azure.com,
On the App Registration page, select + New registration.
On the Register an application page, enter or select the following values exactly as provided:
Name: Drata - Intune App
Supported account types: Accounts in this organizational directory only (<directory name> only - Single tenant)
Select Register. You are taken back to the app's Overview page.
Copy the Application (client) ID and Directory (tenant) ID. You will use the IDs to connect to your Intune instance in Drata.
You may have to select the newly registered app to view the IDs.
Select Add a certificate or secret or <#>certificate, <#> secret. If you do not see this option, you may have to select the newly registered app.
Select + New client secret.
Enter the details for the Description, select 24 months for Expires, and then select Add.
Copy the Value (not the Secret ID) of the new secret to paste it into the Application Secret text field on the Drata slide-out panel.
Note: This will be the only time you can copy this secret key.
Refresh the Azure Certificates and Secrets screen to make the secret Value useable. Microsoft holds it in a pending state until the screen is refreshed.
Note: Rotate the secret and update it in Drata before its expiration date so the connection remains active.
API Permissions
Microsoft Graph has two types of permissions: Delegated and Application. The Drata OAuth app needs Application permissions.
Select API permissions. Utilize the search bar if you cannot find this option.
Ensure you have selected the app. The following image shows an app named Creation App Test; from there, select API permissions.
Select + Add a permission.
Select Microsoft Graph.
Select Application permissions.
Search and select the following four permissions:
DeviceManagementManagedDevices.Read.All
DeviceManagementConfiguration.Read.All
User.Read.All
DeviceManagementApps.Read.All
Select Add permissions.
The status of the four new permissions displays as Not granted. Select Grant admin consent to grant the app these new permissions.
Select Yes in the Grant admin consent confirmation popup.
Confirm that the status displays Granted.
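Once consent is granted, the app's access token should carry the four application permissions as roles. The following added example (not Drata's or Microsoft's code) builds the standard client-credentials token request for the Microsoft identity platform v2.0 endpoint and then inspects a token's roles claim to list any permission that is still missing; it also flags a client secret that is approaching the expiry date set above. The token used in the check is constructed and unsigned, and the claim inspection deliberately does not verify the signature (Graph does that); it only confirms that consent took effect. Tenant, client and secret values are placeholders.

```python
import base64
import json
from datetime import datetime, timezone

# The four application permissions this article requires.
REQUIRED_ROLES = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "User.Read.All",
    "DeviceManagementApps.Read.All",
}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_fields) for the v2.0 client-credentials grant.

    The Directory (tenant) ID goes into the URL, the Application (client) ID and
    the secret Value (not the Secret ID) go into the form body. POST this as
    application/x-www-form-urlencoded to obtain an access token for Graph."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(access_token):
    """Decode the payload of a compact JWT without verifying it (inspection only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Application permissions that were not granted are absent from 'roles'."""
    roles = set(token_claims(access_token).get("roles", []))
    return sorted(required - roles)


def secret_rotation_due(end_date_time, now, warn_days=30):
    """True when the secret expires within warn_days of 'now' (both ISO 8601 UTC)."""
    end = datetime.fromisoformat(end_date_time.replace("Z", "+00:00"))
    current = datetime.fromisoformat(now.replace("Z", "+00:00"))
    return (end - current).days < warn_days


def constructed_token(claims):
    # Demo helper only: an unsigned JWT with the given payload. Real tokens come
    # from the token endpoint and are signed by Microsoft.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    url, form = build_token_request("<tenant-id>", "<client-id>", "<secret-value>")
    print("POST", url, "with", sorted(form))
    partial = constructed_token({"roles": ["User.Read.All"]})
    print("missing:", missing_roles(partial))
    print("rotate soon:", secret_rotation_due("2026-01-01T00:00:00Z",
                                               datetime.now(timezone.utc).isoformat()))
```

A token that shows nothing missing confirms that admin consent was granted for all four permissions; a token that lists missing roles usually means consent was not granted, or the app was re-registered and the old token is being reused.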
Connect to your Intune instance in Drata
Go to the Drata app to select Connections (located on the bottom sidebar).
Search and select Connect for the Intune integration.
In the extended drawer, enter the details you saved in the previous steps: Directory (tenant) ID, Application (client) ID, and Application Secret.
Select Save & Test Connection.
Configure Intune in Drata for employee onboarding
Go to Settings and then Internal Security.
Toggle Automated via Intune on and Automated via Drata Agent off to disable the Drata agent.
Note: If both remain on and the Drata agent is installed on an employee computer, the Drata agent takes precedence, meaning that the employee's compliance checks will come from the agent.
Lock Screen and Password Configuration Profile
Create a new Configuration Profile with a Device Restriction Policy to get the Lock Screen and Password information according to the following steps.
NOTE: If you already have an existing Lock Screen and Password Configuration Profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices on the left side navigation menu.
Then, search and select Configuration under Manage devices. Then, select Create and New Policy.
Enter the following properties:
Platform: Choose Windows 10 and later
Profile: Choose Templates
Template name: Device restrictions
Select Create.
You will be redirected to a Device restrictions page where there are multiple steps or tabs to fill out.
On the Basics tab, enter the following name exactly as provided:
Drata - Screen Lock
and description is optional. Select Next.
On the Configuration settings tab, expand each group of settings and configure the settings you want to manage with this profile. The two settings below must be configured. After setting them, select Next.
Select Require for Password.
Select 15 Minutes for Maximum minutes of inactivity until screen locks (Optional: You can make this shorter).
On the Assignments tab, under Included groups section, select Add groups to choose to assign the profile to one or more groups. Under Excluded groups section, select Add groups to fine-tune the assignment. Select Next.
Note: The Security group is the only selectable option for the Screen Lock profile.
Applicability Rules are optional. Select Next.
On the Review + create page, ensure your settings are correct, and select Create.
You are taken back to the profile's Overview page.
Device Security Policy
Create a new compliance policy to sync the BitLocker, Secure Boot, and Antivirus settings with the following steps.
Select Devices on the left side navigation menu. Then, search and select Compliance under Manage devices. Then, select Create policy.
Enter the following property:
Platform: Windows 10 and later
Select Create.
You will be redirected to a Windows 10/11 compliance policy page where there are multiple steps or tabs to fill out.
On the Basics tab, enter the following name (the following name is recommended, but Drata can read an existing policy with these settings):
Drata - Device Security
and description is optional. Select Next.
On the Compliance settings tab, expand each group of settings and configure the settings you want to manage with this policy. The settings below must be set at a minimum.
Expand the Device Health option.
Select Require for BitLocker.
Select Require for Secure Boot.
Expand the System Security and then scroll down to the Device Security section.
Select Require for Antivirus.
Scroll down to the Defender section.
Select Require for Microsoft Defender Antimalware.
Select Require for Microsoft Defender Antimalware security intelligence up-to-date.
Select Require for Real-time protection.
The Actions for noncompliance section is optional. Select Next.
On the Assignments tab, under Included groups section, select Add groups to choose to assign the profile to one or more groups. Under Excluded groups section, select Add groups to fine-tune the assignment. Select Next.
On the Review + create page, ensure your settings are correct, and click Create.
You are taken back to the profile's Overview page.
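Because Drata reads the policy objects rather than the admin center screens, it helps to audit the two objects created in the Lock Screen and Password Configuration Profile section and the Device Security Policy section directly against the minimum settings listed above. The following added example (not Drata's code) does that over policy JSON; the property names are assumptions modelled on the Microsoft Graph windows10GeneralConfiguration (device restrictions) and windows10CompliancePolicy resource types and should be checked against what your tenant actually returns, and the sample policies are constructed, with one deliberate gap.

```python
# Minimum settings per policy display name, keyed by the assumed Graph property.
# Each requirement is (property, predicate, description from the article).
def _is_true(v):
    return v is True


def _minutes_at_most_15(v):
    # bool is a subclass of int, so exclude it explicitly.
    return isinstance(v, int) and not isinstance(v, bool) and 0 < v <= 15


REQUIREMENTS = {
    "Drata - Screen Lock": [
        ("passwordRequired", _is_true, "Password: Require"),
        ("passwordMinutesOfInactivityBeforeScreenTimeout", _minutes_at_most_15,
         "Maximum minutes of inactivity until screen locks: 15 or shorter"),
    ],
    "Drata - Device Security": [
        ("bitLockerEnabled", _is_true, "Require BitLocker"),
        ("secureBootEnabled", _is_true, "Require Secure Boot"),
        ("antivirusRequired", _is_true, "Require Antivirus"),
        ("defenderEnabled", _is_true, "Require Microsoft Defender Antimalware"),
        # Assumption: this property set to True means "require signatures up to date".
        ("signatureOutOfDate", _is_true,
         "Require Microsoft Defender Antimalware security intelligence up-to-date"),
        ("rtpEnabled", _is_true, "Require Real-time protection"),
    ],
}


def audit_policy(policy):
    """Return a list of findings (empty when the policy meets the minimum)."""
    name = policy.get("displayName")
    requirements = REQUIREMENTS.get(name)
    if requirements is None:
        return [f"no Drata requirements defined for policy name {name!r}"]
    findings = []
    for prop, ok, description in requirements:
        value = policy.get(prop)
        if not ok(value):
            findings.append(f"{description}: {prop} is {value!r}")
    return findings


def audit_all(policies):
    return {p.get("displayName"): audit_policy(p) for p in policies}


# Constructed sample: the screen lock profile is complete, the device security
# policy has Secure Boot left at Not configured.
SAMPLE_POLICIES = [
    {"displayName": "Drata - Screen Lock",
     "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
     "passwordRequired": True,
     "passwordMinutesOfInactivityBeforeScreenTimeout": 15},
    {"displayName": "Drata - Device Security",
     "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
     "bitLockerEnabled": True, "secureBootEnabled": None,
     "antivirusRequired": True, "defenderEnabled": True,
     "signatureOutOfDate": True, "rtpEnabled": True},
]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES).items():
        print(name, "-", "OK" if not findings else "; ".join(findings))
```

A setting left at Not configured comes back as null (None) rather than false, which is why each predicate tests for the exact required value instead of simply rejecting false.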
Windows Updates Profile
Create a new policy to sync Windows Autoupdate settings with the following steps.
NOTE: If you already have an existing Windows Update Ring profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.
Select Devices on the left side navigation menu. Then, search and select Windows updates under Manage updates. Then, select Create profile.
You will be redirected to a Create Update ring for Windows 10 and later page where there are multiple steps or tabs to fill out.
On the Basics tab, enter the following name exactly as provided:
Drata - Windows Updates
and description is optional. Select Next.
On the Update ring settings tab, configure the settings you want to manage with this profile. For information about the available settings, refer to Windows update settings. Select Next.
On the Assignments tab, under Included groups section, select Add groups to choose to assign the profile to one or more groups. Under Excluded groups section, select Add groups to fine-tune the assignment. Select Next.
Note: The Security group is the only selectable option for the Windows Update profile. While update rings can deploy to both device and user groups (i.e. a Security group can have both as members), consider using only device groups when you also use feature updates.
On the Review + create page, ensure your settings are correct, and select Create. Your new update ring is displayed in the list of update rings.
Create Security Policies
Disk Encryption Security Policy
Sign in to the Microsoft Endpoint Manager admin center.
Select Endpoint security.
Search and select the Disk encryption policy type, and then select Create Policy.
Enter the following properties and then select Create.
Platform: Choose Windows
Profile: Choose BitLocker
On the Basics page, the following name is recommended, but Drata can read an existing policy with these settings:
Drata - Disk Encryption
Description is optional. Select Next.
On the Configuration settings page, configure the settings you want to manage with this policy. For the Drata connection, the following settings must be enabled. You may have to expand these sections if they are collapsed, and you can also use the search bar to find these settings more easily.
Under the BitLocker section,
Require Device Encryption: Enabled
Allow Warning For Other Disk Encryption: Enabled
Under the BitLocker Drive Encryption section:
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
Once you enable the previous setting, configure the following settings:
Select the encryption method for fixed data drives: XTS-AES 128-bit
Select the encryption method for operating system drives: XTS-AES 128-bit
Select the encryption method for removable data drives: AES-CBC 128-bit
Under the Operating System Drives section:
Enforce drive encryption type on operating system drives: Enabled
Once you enable the previous setting, configure the following setting:
Select the encryption type: (Device): Use Space Only encryption
Under the Fixed Data Drives section:
Enforce drive encryption type on fixed data drives: Enabled
Once you enable the previous setting, configure the following setting:
Select the encryption type: (Device): Allow user to choose
Configure other settings as your business requires.
When you're done configuring settings, select Next.
Scope tags are optional. Select Next.
Under Assignments, choose + Add groups under Included Groups and then assign the policy to one or more groups. Use + Add groups to Excluded Groups to fine-tune the assignment as necessary. For more information on assigning profiles, see Assign user and device profiles.
Note: The Security group is the only selectable option for the Disk Encryption policy.
On the Review + create page, ensure your settings are correct, and select Create. The new policy is displayed in the list when you select the type for the policy you created.
Firewall Security Policy
Go to Endpoint security.
Select the Firewall policy type, and then select Create Policy.
Enter the following properties:
Platform: Choose Windows
Profile: Choose Windows Firewall
Select Create.
On the Basics page, the following name is recommended, but Drata can read an existing policy with these settings:
Drata - Firewall
Description is optional. Select Next.
On the Configuration settings page, configure the settings you want to manage with this policy.
The three settings below must be set at a minimum. You can search for these configurations as well.
Select True for Enable Domain Network Firewall
Select True for Enable Private Network Firewall
Select True for Enable Public Network Firewall
Configure other settings as your business requires.
When you're done configuring settings, select Next.
Scope tags are optional. Select Next.
Under Assignments, choose + Select groups to include and then assign the policy to one or more groups. Use + Select groups to exclude to fine-tune the assignment. For more information on assigning profiles, see Assign user and device profiles.
The Security group is the only selectable option for the Firewall policy.
On the Review + create page, ensure your settings are correct, and select Create. The new policy is displayed in the list when you select the type for the policy you created.
Note: There is a known Intune bug that can produce false positive Firewall compliance results.
Sync devices to get the latest policies and actions with Intune
The Sync device action forces the selected devices to immediately check in with Intune. When a device checks in, it receives any pending actions or policies that have been assigned to it. This feature can help you immediately validate and troubleshoot policies you've assigned, without waiting for the next scheduled check-in.
Sync bulk devices
Select Devices > All devices > Bulk Device Actions.
Enter the following configurations:
Select Windows for OS
Select Sync for Device action
On the Devices page, select from 1 to 100 devices. Select Next.
On the Review + create page, ensure your settings are correct, and select Create.
You are taken back to the Devices page.
Note: If the device has just enrolled, the check-in frequency will be more frequent. Windows PCs will check in every 3 minutes for 30 minutes, and then every 8 hours.