Embarking on another exciting journey in the world of Microsoft Sentinel customization is always a passion of mine. I enjoy unraveling the complexities of security operations and making the most of Microsoft’s powerful tools.
In this blog, I’m excited to share my experiences integrating Microsoft Intune with Microsoft Sentinel through a Custom Data Connector.
In the ever-changing field of cybersecurity, seamless collaboration between different platforms is crucial. This blog will take you through my exploration of integrating Microsoft Intune and Microsoft Sentinel, driven by the goal of enhancing security operations, simplifying workflows, and gaining actionable insights from our data.
Before diving into the configuration process, ensure you have the following prerequisites in place:
The first step in this integration is deploying the Custom Data Connector using the ARM template I’ve created. You can find the template on my GitHub repository.
With just a single click using the Azure Deploy button, you can kickstart the deployment process seamlessly.
Now, let’s proceed with the configuration:
3. On the next page, enter a Diagnostic Setting name. If you have multiple destinations, consider specifying the destination in the name.
4. Under the Categories section, select all categories; the volume of Intune logs is typically manageable.
5. In the Destination details, select the Log Analytics workspace where the Microsoft Sentinel solution is installed.
After completing the configuration, data will start flowing into your chosen Log Analytics workspace.
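Once the diagnostic setting is saved, it is worth confirming in the workspace that the Intune tables are actually receiving rows before building on the connector. The KQL below is an added example written for this post, not part of the ARM template or the queries in the GitHub repository; it assumes the standard Intune diagnostic table names (IntuneAuditLogs, IntuneOperationalLogs, IntuneDeviceComplianceOrg, IntuneDevices) and the ResultType, OperationName and Identity columns of IntuneAuditLogs, so check them against your workspace schema.

```kql
// Added example (assumed table names): verify that the Intune diagnostic
// categories are landing in the workspace. Each table reports its row count
// and the first/last timestamp seen in the last 24 hours; a table missing
// from the output has not received data yet.
union isfuzzy=true IntuneAuditLogs, IntuneOperationalLogs, IntuneDeviceComplianceOrg, IntuneDevices
| where TimeGenerated > ago(24h)
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Type
| order by Events desc

// Added example (assumed column names): once data is flowing, a first
// operational query - failed Intune administrative operations in the last
// 7 days grouped by the actor, useful for spotting misconfigured automation
// or an account repeatedly failing policy changes.
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| where ResultType != "Success"
| summarize Failures = count(), Operations = make_set(OperationName, 20) by Identity
| order by Failures desc
```

Run the two queries separately in the Logs blade of the workspace. If the first query returns nothing for an extended period, recheck that the diagnostic setting targets the workspace that hosts Sentinel and that the chosen categories are enabled.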
This approach allows you to set up the connection between Microsoft Intune and Microsoft Sentinel, enabling the creation of a dedicated data connector visible in the ‘Data Connectors’ dashboard.
Additionally, if you’re interested in customized KQL queries for Intune, you can also find them in my GitHub repository.
Hope you find this blog useful, and if you discover ways to enhance efficiency or spot any mistakes (since it was my first attempt at creating a custom data connector and ARM template), feel free to reach out to me on LinkedIn.
Your feedback is valuable! If you enjoyed reading this blog, give it a clap!👏