
Microsoft Intune Integration

Integrate Microsoft Intune with Sprinto to automate device compliance checks, monitor security posture, and sync device data using Microsoft Graph APIs.

Area Overview

The Microsoft Intune integration enables Sprinto to automatically collect and monitor device-related security and compliance data from your organisation’s device fleet. As a Mobile Device Management (MDM) integration, it helps track device posture, enforce compliance requirements, and provide audit-ready evidence.

Sprinto uses this integration to:

  • Maintain a centralised inventory of managed devices.

  • Evaluate compliance against security policies.

  • Monitor encryption, antivirus, OS updates, and access controls.

  • Map devices to users for accountability and audit trails.

Supported platforms include Windows, macOS, iOS, and Android.


How it Works

Sprinto integrates with Microsoft Intune using Microsoft Graph APIs to retrieve device, user, and compliance data.

Once connected:

  • Sprinto authenticates using OAuth 2.0 or client credentials.

  • Device inventory is fetched from Intune and mapped to users.

  • Compliance policies and their evaluation results are retrieved.

  • Security signals such as encryption status, antivirus presence, and OS version are analysed.

  • Devices are continuously monitored for compliance against configured policies.

Sprinto performs an initial sync immediately after connection, followed by periodic syncs every 8–24 hours to ensure data remains up to date.

Sprinto checks for Microsoft Intune

Sprinto offers the following checks for Microsoft Intune:

| Sprinto check | Required action |
|---|---|
| Device OS should be up to date on staff device | The check gets activated against a staff member if their device is running on an outdated operating system (OS) version. To fix this check, a staff member needs to update the device operating system with the latest available OS version and report the device status using the Microsoft Intune tool. |
| Disk encryption should be enabled on staff device | The check gets activated against a staff member if their device storage is not encrypted. To fix this check, a staff member needs to enable encryption on their device storage and report the device status using the Microsoft Intune tool. |

Prerequisites

Before connecting Microsoft Intune, ensure the following:

  • You have a Microsoft 365 / Entra ID (Azure AD) tenant.

  • You have one of the following roles:

    • Global Administrator

    • Intune Administrator

    • Cloud Application Administrator

  • Admin consent must be granted for required permissions in Entra ID.

  • You have access to a work or school account. Personal Microsoft accounts are not supported.

  • If using custom authentication:

    • An Azure AD application must be registered.

    • Tenant ID, Application (Client) ID, and Client Secret must be available.


Authentication Options

Sprinto supports two authentication methods for Microsoft Intune.

Option 1: OAuth 2.0

  • Uses a Sprinto-managed application.

  • Requires login via Microsoft during setup.

  • Automatically handles token management and refresh.

Option 2: Client Credentials (Custom Azure App)

  • Uses your own Azure AD application.

  • Requires:

    • Tenant ID.

    • Application (Client) ID.

    • Client Secret.

  • Suitable for organisations with stricter access control requirements.


Permissions Required

The integration requires the following Microsoft Graph API application permissions:

| Permission | Purpose | Requirement |
|---|---|---|
| DeviceManagementManagedDevices.Read.All | Read managed devices, installed apps, and protection status | Required |
| User.Read.All | Map devices to users and retrieve tenant details | Required |
| DeviceManagementConfiguration.Read.All | Read compliance policies and device compliance status | Enhanced monitoring only |
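
To confirm which of these permissions a custom Azure app was actually granted, the `roles` claim of its app-only access token can be inspected. The following is an added example, not Sprinto's or Microsoft's code; it decodes the token without verifying its signature (troubleshooting only), and `audit_roles` and the sample token builder are constructed for illustration.

```python
import base64
import json

# Application permissions listed in the table on this page.
REQUIRED = {"DeviceManagementManagedDevices.Read.All", "User.Read.All"}
OPTIONAL = {"DeviceManagementConfiguration.Read.All"}

def token_claims(jwt):
    """Decode the payload of a JWT without verifying it (inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(jwt):
    """Compare the token's `roles` claim with the permissions the page lists."""
    granted = set(token_claims(jwt).get("roles", []))
    return {
        # Without these the integration returns access denied or partial data.
        "missing_required": sorted(REQUIRED - granted),
        # Without these only the enhanced compliance monitoring is lost.
        "missing_optional": sorted(OPTIONAL - granted),
        # Anything else exceeds what the page documents (least-privilege review).
        "beyond_documented": sorted(granted - REQUIRED - OPTIONAL),
    }

def make_sample_token(roles):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": roles}), ""])

if __name__ == "__main__":
    sample = make_sample_token(
        ["User.Read.All", "DeviceManagementManagedDevices.ReadWrite.All"])
    print(json.dumps(audit_roles(sample), indent=2))
```

A non-empty `beyond_documented` list, such as a ReadWrite permission, means the app registration holds more access than this read-only integration needs.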

Important


Steps to Connect

Step 1: Navigate to Microsoft Intune Integration

  1. Log in to the Sprinto dashboard.

  2. Go to Settings → Integrations.

  3. In the All tab, search for Microsoft Intune.

  4. Click Connect.


Step 2: Review Permissions and Data Access

  1. A drawer will open displaying:

    • Controls and checks that will be automated.

    • Permissions required by Sprinto.

    • Data that will be accessed (device details, user information, compliance status, etc.).

  2. Review the information.

  3. Click Next.


Step 3: Initiate Authentication

  1. In the setup drawer, review the connection details.

  2. Click Connect Microsoft Intune to start authentication.


Step 4: Sign in to Microsoft

  1. You will be redirected to the Microsoft login page.

  2. Sign in using your work or school account.

  3. Personal Microsoft accounts are not supported.


Step 5: Grant Permissions

  1. Review the permissions requested by Sprinto.

  2. Select Consent on behalf of your organisation if applicable.

  3. Click Accept to grant access.


Step 6: Complete Integration

Once authentication is successful:

  • You will be redirected back to Sprinto.

  • The integration will be established.

  • Initial data sync will begin automatically.


Data Collected by Sprinto

Sprinto retrieves the following data from Microsoft Intune:

| Data Type | Purpose |
|---|---|
| Device details | Maintain device inventory |
| User information | Map devices to employees |
| OS version | Evaluate compliance and patch status |
| Encryption status (BitLocker/FileVault) | Verify data protection |
| Compliance state | Assess security posture |
| Device configuration policies | Validate enforcement of controls |
| Installed applications | Detect antivirus and security tools |
| Antivirus / protection status | Ensure endpoint protection |


Controls and Checks Automated

Sprinto uses Intune data to automate the following checks:

| Control Area | Description |
|---|---|
| Disk Encryption | Verifies BitLocker (Windows) and FileVault (macOS) |
| Screen Lock | Ensures screen lock policies are enforced |
| OS Updates | Validates devices are up to date |
| Antivirus | Detects presence and status of antivirus tools |
| Compliance Policies | Evaluates device compliance against Intune policies |

Sprinto also accounts for compliance grace periods to avoid false negatives.
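
How three of these checks (disk encryption, OS updates, compliance policies with a grace period) could be evaluated over device records from Microsoft Graph is sketched below as an added example; it is not Sprinto's code. The property names are those of the Graph `managedDevice` resource, while the minimum OS versions, check names and sample records are constructed assumptions.

```python
from datetime import datetime, timezone

# Assumed minimum OS builds per platform (constructed; use your own policy values).
MIN_OS = {"Windows": (10, 0, 22631), "macOS": (14, 0)}

def parse_version(text):
    """Turn '10.0.22631.3447' into a comparable tuple of ints."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def evaluate(device, now):
    """Return the failed checks for one Graph managedDevice record."""
    failures = []
    if not device.get("isEncrypted", False):
        failures.append("disk_encryption")
    minimum = MIN_OS.get(device.get("operatingSystem"))
    # A missing or unparsable version compares lower than any minimum and fails.
    if minimum and parse_version(device.get("osVersion", "")) < minimum:
        failures.append("os_update")
    state = device.get("complianceState", "unknown")
    if state == "inGracePeriod":
        # Inside the grace period the device is not yet counted as failing.
        expiry = datetime.fromisoformat(
            device["complianceGracePeriodExpirationDateTime"].replace("Z", "+00:00"))
        if expiry <= now:
            failures.append("compliance_policy")
    elif state != "compliant":
        failures.append("compliance_policy")
    return failures

def report(devices, now):
    """Group failed checks by owner; devices without a user stay in the report."""
    out = {}
    for d in devices:
        owner = d.get("userPrincipalName") or "unassigned"
        out.setdefault(owner, {})[d["deviceName"]] = evaluate(d, now)
    return out

# Constructed sample records using Graph managedDevice property names.
SAMPLE = [
    {"deviceName": "LT-001", "userPrincipalName": "a.user@example.com",
     "operatingSystem": "Windows", "osVersion": "10.0.22631.3447",
     "isEncrypted": True, "complianceState": "compliant"},
    {"deviceName": "LT-002", "userPrincipalName": "b.user@example.com",
     "operatingSystem": "macOS", "osVersion": "13.6.1", "isEncrypted": False,
     "complianceState": "inGracePeriod",
     "complianceGracePeriodExpirationDateTime": "2024-06-10T00:00:00Z"},
    {"deviceName": "LT-003", "userPrincipalName": None,
     "operatingSystem": "Windows", "osVersion": "10.0.19045.4291",
     "isEncrypted": True, "complianceState": "noncompliant"},
]
```

Calling `report(SAMPLE, now)` with a timezone-aware `now` before the grace-period expiry leaves LT-002 without a compliance-policy failure; after the expiry the same record fails that check as well.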


Post-Connection Flow

After successful integration:

  • An initial sync is triggered immediately.

  • Subsequent syncs occur every 8–24 hours.

  • Devices are:

    • Mapped to users where possible.

    • Included even if user mapping is unavailable (based on configuration).

  • Compliance evaluations are continuously updated based on Intune policy results.


Troubleshooting

1. Invalid Credentials

Error: Invalid credentials or authentication failure.
Resolution: Verify Tenant ID, Application ID, and Client Secret. Re-authenticate if using OAuth.

2. Insufficient Permissions

Error: Access denied or incomplete data.
Resolution: Ensure all required permissions are granted and admin consent is provided in Entra ID.

3. Administrator Consent Required

Error: “Administrator consent is required.”
Resolution: A Global or Intune Administrator must grant organisation-wide consent.

4. Expired Client Secret

Error: Authentication fails due to expired credentials.
Resolution: Generate a new client secret in Azure AD and update it in Sprinto.

5. Tenant or Application Not Found

Error: Tenant ID or Application ID not recognised.
Resolution: Verify values and ensure the application exists in the correct tenant.

6. Temporary Microsoft API Errors

Error: Rate limiting (429) or server errors (5xx).
Resolution: Retry after some time. Sprinto automatically handles retries and token refresh where applicable.


Support

Please contact Sprinto Support if you have any queries related to the integration or need any assistance.