Intune Flow Bot Arch

Intro-

Using Azure, Adaptive Cards, and Teams you can create a workflow that notifies end users with a uniform message that will be the same on any device.  In this example I created a notification that proactively lets the end user know their MDM enrollment failed and provides links to the Help Desk and an instructional video.

Playbook-

  • Intune is the MDM provider and has been implemented into the Azure Portal (Legacy Portal will not work)
  • Azure Log Analytics Workspace already created
  • Azure Automation Workspace already created
  • Adaptive Card already created

Microsoft / Other Resources-

Send Intune Logs to Log Analytics MS Documentation 

Intune + Log Analytics Announcement 

Adaptive Card Intro

Adaptive Card Designer 

Use Case Examples-

  • End User Starts MDM Enrollment ⇒ MDM enrollment fails ⇒ Log Analytics log generates alert ⇒ Intune Flow bot posts Help Notification into Teams/Email/Slack/Windows 10 push notification (use all communication types or limit).
  • End User Opens Company Line of Business App ⇒ MDM App is about to expire ⇒ Log Analytics generates alert ⇒ Intune Flow bot notifies LOB team that App is expiring.
  • End User attempts to connect to Corporate WiFi ⇒ WiFi Profile fails ⇒ Log Analytics generates alert ⇒ Intune Flow bot validates AD WiFi group membership and sees the user is not part of the group ⇒ Intune Flow bot creates ITSM ticket for the manager to approve Corporate WiFi AD Group Membership ⇒ ITSM sends webhook to notify Intune Flow bot that the user is added to the WiFi AD group ⇒ Intune Flow bot validates there are no errors for the WiFi profile ⇒ bot sends notification that WiFi is available
  • Intune Health Tasks ⇒ Intune NDES certificate about to expire ⇒ bot sends notification to admins
  • Intune Health Tasks ⇒ User is attempting to register Jail Broken Device ⇒ notifies admin
  • Technician Tasks ⇒ Bot notifies team that more App licenses are required for Application ⇒ Team approves ordering additional license ⇒ bot orders and installs licenses

How To-

Make sure to follow the steps in order, since each step depends on the one before it.

1 – Enable Intune Log monitoring to Log Analytics Workspace

Select Intune, Diagnostic Settings, Add diagnostic setting

Screenshot_1

Make sure to select both AuditLogs and Operational.  Audit logs record any change made in the Intune Portal; Operational logs record every error or informational event, including end user errors.

Screenshot_2

Validate “IntuneAuditLogs” and “IntuneOperationalLogs” are created in your Log Analytics Workspace and data is flowing.  I have seen this take up to 24 hours*

Screenshot_3

2 – Create Logic App

Select Logic Apps, Add, then Create

Screenshot_7

Open newly created Logic App, Select When a HTTP request is received

Screenshot_8

Select Save

This will create the webhook URL

Screenshot_9

A URL is now generated. Select Copy and paste it into Notepad, since it is needed in step 3, Create Azure Monitor Action Group.

Screenshot_10

3 – Create Azure Monitor Action Group

Select Monitor, Alerts, Manage Actions

Screenshot_5

Add action group

Screenshot_6

Select Webhook under Action Type, and paste the URL copied from the Logic App in step 2

Screenshot_11

4 – Create Azure Monitor Alert

Create the Alert in Azure Monitor, select Log Analytics Workspace

Screenshot_5

Select “Custom log search”

Screenshot_7

Create the Kusto query (Intune failed enrollments for this example). Use straight quotes; the curly quotes a word processor inserts will not parse in Log Analytics.

IntuneOperationalLogs
| where Result == "Fail"

Screenshot_1

Now add an Action by selecting Add, then select the Action Group Name created in step 3

Screenshot_12

Name your alert under ALERT DETAILS, and select Create Alert rule

Screenshot_13

5 – Customize User notification with Logic App

Now that the Logic App is triggered any time there is a User Enrollment error, we can create a workflow that handles these events.

Open the Logic App we previously setup and select Logic app designer, + New step

Screenshot_14

Select the Azure Log Analytics action Run query and list results, and input Subscription, Resource Group and Workspace Name. Use the same Kusto query you set up your alert with in step 4, but add a time range to the query so you are not spamming users who have already been notified by a previous alert.

Example

IntuneOperationalLogs
| where Result == "Fail"
| where TimeGenerated > ago(15m)

Screenshot_16

+ New step, Data Operations, Parse JSON, Azure Automation

Parse the UserID GUID from the JSON

Run Azure Automation to call Microsoft Graph and get the email address for the UserID GUID

Screenshot_18

+ New step, Select Microsoft Teams, Post your own adaptive card as the Flow bot to a user

Screenshot_15

Select Get Job output Results from the previous Azure Automation Get job output.  These results will be the user's email address resolved from the Intune GUID

Screenshot_20

Now for the message to the end user we will create an Adaptive Card utilizing Microsoft's designer found here.  Once you have customized your Adaptive Card through the designer, paste the card code into the message.  Here is an example I created that notifies the end user of a failed enrollment and offers to open a ticket with our Help Desk or watch the instructional video we have created

Screenshot_22
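As an added example (not code from the original post), here is the Azure Automation step of this workflow written as a Python runbook: it resolves the IntuneUserId GUID from the log row to a mail address through Microsoft Graph, refuses malformed GUIDs and deleted accounts so the Logic App can skip rather than fail, and builds the Adaptive Card that the Teams action posts. The Graph URL, the card schema and the GUID format are real; the bearer token acquisition, the Help Desk and video URLs and the injectable HTTP function are assumptions for running it offline.

```python
import json
import re
import urllib.error
import urllib.request

# Microsoft Graph v1.0 user lookup, selecting only the fields the card needs
GRAPH_USER = "https://graph.microsoft.com/v1.0/users/{id}?$select=mail,userPrincipalName"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def graph_get(url, token):
    """Real transport: GET with a bearer token (assumption: the runbook has
    already obtained a Graph token with User.Read.All). Returns (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def resolve_user_email(user_id, token, get=graph_get):
    """Map the IntuneUserId GUID (assumed to be the Azure AD object id) to a
    mail address; None means 'do not notify' (bad GUID, deleted user, error)."""
    if not GUID_RE.fullmatch(user_id):   # never interpolate unvalidated log data into the URL
        return None
    status, body = get(GRAPH_USER.format(id=user_id), token)
    if status != 200:
        return None
    return body.get("mail") or body.get("userPrincipalName")


def build_enrollment_failed_card(helpdesk_url, video_url, failure_reason):
    """Adaptive Card (schema 1.2) with the two actions described in the post:
    open a Help Desk ticket or watch the enrollment video. failure_reason is
    the text from the log row (constructed here; column name is an assumption)."""
    return {
        "type": "AdaptiveCard",
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "version": "1.2",
        "body": [
            {"type": "TextBlock", "size": "Medium", "weight": "Bolder",
             "text": "Your device could not be enrolled in Intune"},
            {"type": "TextBlock", "wrap": True, "text": f"Reason reported: {failure_reason}"},
        ],
        "actions": [
            {"type": "Action.OpenUrl", "title": "Open a Help Desk ticket", "url": helpdesk_url},
            {"type": "Action.OpenUrl", "title": "Watch the enrollment video", "url": video_url},
        ],
    }
```

The Logic App passes the GUID in as the runbook parameter and reads the returned address from Get job output, exactly as in the step above.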

LLP