Azure EntraID Discovery & Intune based LAPS


Dear JDisc friends,

JDisc Discovery already supports scanning Microsoft Azure cloud environments. With the current release, we have significantly extended the Azure EntraID and Intune discovery.

  1. We support LAPS for Intune managed devices. With this approach, scan accounts do not need to be configured in JDisc, because we can read the current local administrator user name and password for the device from the Microsoft Graph API.
  2. We collect more EntraID artefacts, such as Administrative Units, groups, and users.

Videos

We also have videos explaining how to configure access to Azure and EntraID in JDisc Discovery.

The second video explains how to set up a scan job and how to scan Intune managed devices properly.

Permissions to Scan the Azure Cloud (including EntraID and Intune)

In order to obtain information from the Azure cloud, you need to create an application in EntraID's app registrations. The screenshot below lists all permissions that are needed to fully scan the Azure environment including EntraID and Intune. These are application permissions (JDisc authenticates as the app itself, not as a signed-in user), so every one of them needs admin consent. If you need to scan resources in specific subscriptions, you also need to grant this application read access to each subscription separately. Don't forget to grant admin consent after adding the permissions: the "Admin consent req..." column tells you which permissions require it, and the "Status" column shows whether consent has actually been granted.

EntraID App permissions required by JDisc Discovery.

Some of the permissions are optional. The following list explains in detail what is needed and what is optional:

  • Directory.Read.All
    This permission is required and we need it to read basic information for the tenant, groups, and administrative units.
  • User.Read.All
    This permission is required to read information for all users created in EntraID.
  • DeviceManagementManagedDevices.Read.All
    This permission is optional. However, you need this permission if you would like to read the list of devices managed by Intune. When you are not using Intune, then you don’t need this permission.
  • AuditLog.Read.All
    This permission is optional. We use EntraID's audit log to determine the last logon date for users. Without this permission, you simply will not get the last logon date for EntraID managed users.
  • DeviceLocalCredential.Read.All
    This permission is optional and only required when your Intune devices use LAPS and the local administrator's user name and password are backed up to the cloud (Windows LAPS with Microsoft Entra ID backup, configured through Intune). Otherwise, you don't need this permission. Note that it is a powerful grant: it allows the application to read the current local administrator password of every LAPS-enabled device in the tenant, so protect the app's client secret or certificate accordingly. The weaker DeviceLocalCredential.ReadBasic.All only returns metadata (account name, backup time), not the password, and is therefore not sufficient for scanning.

LAPS for Intune Managed Devices

Microsoft has offered two LAPS versions. The first (legacy LAPS) had to be installed as an additional component on top of the operating system and required an Active Directory schema extension with new attributes for the password and its expiry. The second, Windows LAPS, is built into the operating system and can back up the local administrator password either to on-premises Active Directory or to Microsoft Entra ID, which is the option used for Intune managed devices (the LAPS policy is delivered through Intune, and the password is read back through Microsoft Graph).

JDisc Discovery already supported both LAPS versions when the password is stored in on-premises Active Directory: when we scan a device, we read the current account name and password via the LDAP protocol. However, customers asked us to also support devices that are managed by Intune and back up the LAPS local administrator credential to the cloud. In that case the current password cannot be read via LDAP; it has to be obtained from the Microsoft Graph API instead.

Intune managed device with a LAPS account and password stored within the Intune cloud.

The screenshot illustrates what happens when you scan an Intune managed device with LAPS that is connected to the corporate network. First, we identify the device in the database by its name and/or MAC address. If we find the device, we check whether it is managed by Intune. If the device is configured for LAPS, we query the local administrator user name and the current password for this device from Microsoft Graph and use them to log on. So no scan account needs to be configured in JDisc for such devices. The retrieved password is handled like any other scan credential; it is only needed for the duration of the scan and should never be persisted outside the credential store.
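The lookup chain described above, written out as an added Python example against Microsoft Graph (this is an illustration, not JDisc's implementation). It resolves the device by display name, confirms that Intune has a managed-device record for its Entra `deviceId`, and then reads the newest LAPS backup from `directory/deviceLocalCredentials/{deviceId}?$select=credentials`; the `$select=credentials` part is what makes Graph return the secret itself (and what requires `DeviceLocalCredential.Read.All`), and the password comes back base64-encoded. Each step maps onto one of the permissions listed earlier. The `fetch` callable is injected so the flow runs offline here against constructed sample responses; the device id, name and password in the sample are made up.

```python
"""Resolve the LAPS scan credential of an Intune managed device via Microsoft Graph.

Added illustration, not JDisc's own code. Real Graph endpoints used:
  GET /devices?$filter=displayName eq '<name>'                          (Directory.Read.All)
  GET /deviceManagement/managedDevices?$filter=azureADDeviceId eq '<id>' (DeviceManagementManagedDevices.Read.All)
  GET /directory/deviceLocalCredentials/<deviceId>?$select=credentials   (DeviceLocalCredential.Read.All)
"""
import base64
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"


def odata_quote(value: str) -> str:
    """Single quotes inside an OData string literal are escaped by doubling them."""
    return value.replace("'", "''")


def find_entra_device(fetch: Callable[[str], dict], name: str) -> Optional[dict]:
    """Entra ID device object for a display name (first match), or None."""
    page = fetch(f"{GRAPH}/devices?$filter=displayName eq '{odata_quote(name)}'")
    hits = page.get("value", [])
    return hits[0] if hits else None


def is_intune_managed(fetch: Callable[[str], dict], entra_device_id: str) -> bool:
    """True if Intune holds a managedDevice record whose azureADDeviceId is this Entra deviceId."""
    page = fetch(f"{GRAPH}/deviceManagement/managedDevices?$filter=azureADDeviceId eq '{entra_device_id}'")
    return bool(page.get("value"))


def current_laps_credential(fetch: Callable[[str], dict], entra_device_id: str) -> Optional[Tuple[str, str]]:
    """(account name, clear-text password) of the newest LAPS backup, or None if there is none.

    Without $select=credentials Graph returns only metadata, never the password."""
    info = fetch(f"{GRAPH}/directory/deviceLocalCredentials/{entra_device_id}?$select=credentials")
    creds = info.get("credentials") or []
    if not creds:
        return None
    newest = max(creds, key=lambda c: c["backupDateTime"])  # ISO-8601 UTC strings sort chronologically
    password = base64.b64decode(newest["passwordBase64"]).decode("utf-8")
    return newest["accountName"], password


def scan_account_for(fetch: Callable[[str], dict], name: str) -> Optional[Tuple[str, str]]:
    """The three steps from the post: find device -> check Intune -> read LAPS credential."""
    device = find_entra_device(fetch, name)
    if device is None or not is_intune_managed(fetch, device["deviceId"]):
        return None
    return current_laps_credential(fetch, device["deviceId"])


# --- constructed sample responses standing in for an authenticated Graph GET (made-up data) ---
_DEVICE_ID = "8a1f3c2e-0000-4000-8000-000000000001"
_SAMPLE_PASSWORD = "x9#Lq2!vT7pW"
SAMPLE = {
    f"{GRAPH}/devices?$filter=displayName eq 'WS-0042'": {
        "value": [{"id": "obj-1", "deviceId": _DEVICE_ID, "displayName": "WS-0042"}]
    },
    f"{GRAPH}/deviceManagement/managedDevices?$filter=azureADDeviceId eq '{_DEVICE_ID}'": {
        "value": [{"id": "md-1", "azureADDeviceId": _DEVICE_ID, "deviceName": "WS-0042"}]
    },
    f"{GRAPH}/directory/deviceLocalCredentials/{_DEVICE_ID}?$select=credentials": {
        "credentials": [  # an older rotation plus the current one; the newest backup wins
            {"accountName": "Administrator", "backupDateTime": "2024-01-02T08:00:00Z",
             "passwordBase64": base64.b64encode(b"old-password").decode()},
            {"accountName": "Administrator", "backupDateTime": "2024-03-05T09:30:00Z",
             "passwordBase64": base64.b64encode(_SAMPLE_PASSWORD.encode()).decode()},
        ]
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in; a real version sends 'Authorization: Bearer <token>' and raises on 4xx/5xx."""
    return SAMPLE.get(url, {"value": []})


if __name__ == "__main__":
    account = scan_account_for(sample_fetch, "WS-0042")
    print("no LAPS credential" if account is None else f"scan as {account[0]}")  # never print the password
```

A device that is unknown to Entra ID, not Intune managed, or has no LAPS backup yet all yield `None`, which is the point at which a scanner should fall back to its configured scan accounts rather than fail the device.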

Enhanced EntraID Discovery

EntraID offers administrative units and groups to organize the devices and users in your directory. We have enhanced JDisc Discovery to obtain the list of administrative units, groups, users and devices and to create the relationships between them.

EntraID structure and Intune managed devices.

We display all directory related information (on-premises Active Directory or EntraID) within the Directory report, which is available from the Network reports. The reporting has changed slightly because the separate reports for directory users and devices have been merged into the one Directory report. Different aspects such as users, groups, or devices are displayed in separate tabs for a directory item.

Cheers,
Thomas

About The Author

Thomas Trenz
I own and manage JDisc and its network inventory and discovery products. Before I started JDisc, I worked quite a long time for Hewlett-Packard developing software for network assessments and inventory projects. Feel free to contact me on Linked-In or Xing.
