# Microsoft Intune Integration

### Area Overview

The Microsoft Intune integration enables Sprinto to automatically collect and monitor device-related security and compliance data from your organisation’s device fleet. As a Mobile Device Management (MDM) integration, it helps track device posture, enforce compliance requirements, and provide audit-ready evidence.

Sprinto uses this integration to:

* Maintain a centralised inventory of managed devices.
* Evaluate compliance against security policies.
* Monitor encryption, antivirus, OS updates, and access controls.
* Map devices to users for accountability and audit trails.

Supported platforms include Windows, macOS, iOS, and Android.

***

### How it Works

Sprinto integrates with Microsoft Intune using Microsoft Graph APIs to retrieve device, user, and compliance data.

Once connected:

* Sprinto authenticates using OAuth 2.0 or client credentials.
* Device inventory is fetched from Intune and mapped to users.
* Compliance policies and their evaluation results are retrieved.
* Security signals such as encryption status, antivirus presence, and OS version are analysed.
* Devices are continuously monitored for compliance against configured policies.

Sprinto performs an initial sync immediately after connection, followed by periodic syncs every 8–24 hours to ensure data remains up to date.

#### Sprinto checks for Microsoft Intune <a href="#sprinto-checks-for-microsoft-intune" id="sprinto-checks-for-microsoft-intune"></a>

Sprinto offers the following checks for Microsoft Intune:

<table><thead><tr><th width="189.83984375">Sprinto check</th><th>Required action</th></tr></thead><tbody><tr><td>Device OS should be up to date on staff device</td><td><p>The check gets activated against a staff member if their device is running on an outdated operating system (OS) version.</p><p>To fix this check, a staff member needs to update the device operating system with the latest available OS version and report the device status using the Microsoft Intune tool.</p></td></tr><tr><td>Disk encryption should be enabled on staff device</td><td><p>The check gets activated against a staff member if their device storage is not encrypted.</p><p>To fix this check, a staff member needs to enable encryption on their device storage and report the device status using the Microsoft Intune tool.</p></td></tr></tbody></table>

### Prerequisites

Before connecting Microsoft Intune, ensure the following:

* You have a **Microsoft 365 / Entra ID (Azure AD) tenant**.
* You have one of the following roles:
  * Global Administrator
  * Intune Administrator
  * Cloud Application Administrator
* **Admin consent must be granted** for required permissions in Entra ID.
* You have access to a **work or school account**. Personal Microsoft accounts are not supported.
* If using custom authentication:
  * An Azure AD application must be registered.
  * Tenant ID, Application (Client) ID, and Client Secret must be available.

***

### Authentication Options

Sprinto supports two authentication methods for Microsoft Intune.

#### Option 1: OAuth (Recommended)

* Uses a Sprinto-managed application.
* Requires login via Microsoft during setup.
* Automatically handles token management and refresh.

#### Option 2: Client Credentials (Custom Azure App)

* Uses your own Azure AD application.
* Requires:
  * Tenant ID.
  * Application (Client) ID.
  * Client Secret.
* Suitable for organisations with stricter access control requirements.

***

### Permissions Required

The integration requires the following Microsoft Graph API application permissions:

<table><thead><tr><th>Permission</th><th width="346.87109375">Purpose</th><th>Requirement</th></tr></thead><tbody><tr><td>DeviceManagementManagedDevices.Read.All</td><td>Read managed devices, installed apps, and protection status</td><td>Core</td></tr><tr><td>User.Read.All</td><td>Map devices to users and retrieve tenant details</td><td>Core</td></tr><tr><td>DeviceManagementConfiguration.Read.All</td><td>Read compliance policies and device compliance status</td><td>Enhanced monitoring</td></tr></tbody></table>

**Important:**\
Admin consent must be granted for all permissions at the organisation level in Entra ID.
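
For the custom Azure app option, a least-privilege check of what was actually consented: this added example (not Sprinto's code) decodes the `roles` claim of an app-only access token, where Microsoft Graph application permissions appear, and compares it with the table above. The sample token is constructed and unsigned; `jwt_claims`, `audit_roles` and `constructed_token` are hypothetical helper names.

```python
import base64
import json

# Application permissions from the table above.
CORE = {"DeviceManagementManagedDevices.Read.All", "User.Read.All"}
ENHANCED = {"DeviceManagementConfiguration.Read.All"}

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(claims):
    """Compare the token's app roles with the permissions the integration needs."""
    granted = set(claims.get("roles", []))
    return {
        "missing_core": sorted(CORE - granted),
        "missing_enhanced": sorted(ENHANCED - granted),
        "excess": sorted(granted - CORE - ENHANCED),
        # Anything beyond read access is more than the table above asks for.
        "write_capable": sorted(r for r in granted if ".ReadWrite." in r),
    }

def constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])

# Constructed claims: both core permissions plus one over-privileged grant.
SAMPLE = constructed_token({
    "aud": "https://graph.microsoft.com",
    "roles": [
        "DeviceManagementManagedDevices.Read.All",
        "User.Read.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_roles(jwt_claims(SAMPLE)), indent=2))
```

A non-empty `excess` or `write_capable` list means the app registration holds more than the integration needs and should be trimmed before the client secret is shared.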

***

### Steps to Connect

#### Step 1: Navigate to Microsoft Intune Integration

1. Log in to the Sprinto dashboard.
2. Go to **Settings → Integrations**.
3. In the **All** tab, search for **Microsoft Intune**.
4. Click **Connect**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FGuqfUQyk2DhGIud1vo3P%2FScreenshot%202026-04-02%20at%2012.19.43.png?alt=media&#x26;token=3a5621fa-7c1d-49d2-9f62-670f3a004260" alt="" width="563"><figcaption></figcaption></figure>

***

#### Step 2: Review Permissions and Data Access

1. A drawer will open displaying:
   * Controls and checks that will be automated.
   * Permissions required by Sprinto.
   * Data that will be accessed (device details, user information, compliance status, etc.).
2. Review the information.
3. Click **Next**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FGWdYjYss8ETG9N02oWkH%2FScreenshot%202026-04-02%20at%2012.20.59.png?alt=media&#x26;token=b558da56-5bdf-4dd9-8453-cc46e3e5cff4" alt="" width="375"><figcaption></figcaption></figure>

***

#### Step 3: Initiate Authentication

1. In the setup drawer, review the connection details.
2. Click **Connect Microsoft Intune** to start authentication.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FgaMtZK0qCiQHxRSPdMZk%2FScreenshot%202026-04-02%20at%2012.21.37.png?alt=media&#x26;token=6047bbcb-ed01-4714-a127-16fb8c09921f" alt="" width="375"><figcaption></figcaption></figure>

***

#### Step 4: Sign in to Microsoft

1. You will be redirected to the Microsoft login page.
2. Sign in using your **work or school account**.
3. Personal Microsoft accounts are not supported.

***

#### Step 5: Grant Permissions

1. Review the permissions requested by Sprinto.
2. Select **Consent on behalf of your organisation** if applicable.
3. Click **Accept** to grant access.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FwXXpX8fKcnzGhD9dVGFa%2FScreenshot%202026-02-25%20at%204.34.28%E2%80%AFPM.png?alt=media&#x26;token=b48131df-fa94-4aee-839e-445c0a345219" alt="" width="563"><figcaption></figcaption></figure>

***

#### Step 6: Complete Integration

Once authentication is successful:

* You will be redirected back to Sprinto.
* The integration will be established.
* Initial data sync will begin automatically.

***

### Data Collected by Sprinto

Sprinto retrieves the following data from Microsoft Intune:

<table><thead><tr><th width="318.875">Data Type</th><th width="326.6796875">Purpose</th></tr></thead><tbody><tr><td>Device details</td><td>Maintain device inventory</td></tr><tr><td>User information</td><td>Map devices to employees</td></tr><tr><td>OS version</td><td>Evaluate compliance and patch status</td></tr><tr><td>Encryption status (BitLocker/FileVault)</td><td>Verify data protection</td></tr><tr><td>Compliance state</td><td>Assess security posture</td></tr><tr><td>Device configuration policies</td><td>Validate enforcement of controls</td></tr><tr><td>Installed applications</td><td>Detect antivirus and security tools</td></tr><tr><td>Antivirus / protection status</td><td>Ensure endpoint protection</td></tr></tbody></table>

***

### Controls and Checks Automated

Sprinto uses Intune data to automate the following checks:

<table><thead><tr><th width="179.03515625">Control Area</th><th width="444.4140625">Description</th></tr></thead><tbody><tr><td>Disk Encryption</td><td>Verifies BitLocker (Windows) and FileVault (macOS)</td></tr><tr><td>Screen Lock</td><td>Ensures screen lock policies are enforced</td></tr><tr><td>OS Updates</td><td>Validates devices are up to date</td></tr><tr><td>Antivirus</td><td>Detects presence and status of antivirus tools</td></tr><tr><td>Compliance Policies</td><td>Evaluates device compliance against Intune policies</td></tr></tbody></table>

Sprinto also accounts for compliance grace periods to avoid false negatives.
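
A local pre-check over Microsoft Graph `managedDevice` records that mirrors the encryption, OS update and compliance policy areas above, including the grace-period case. This is an added example, not Sprinto's evaluation logic; the `MIN_OS` baseline and the sample records are constructed assumptions, while the field names are those of the Graph `managedDevice` resource.

```python
from datetime import datetime, timezone

# Hypothetical patch baseline; replace with your own minimum versions.
MIN_OS = {"Windows": (10, 0, 22631), "macOS": (14, 0)}

def version_tuple(text):
    """'14.4.1 (23E224)' -> (14, 4); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def older_than(version, baseline):
    """Compare after zero-padding so (14,) is treated the same as (14, 0)."""
    width = max(len(version), len(baseline))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(baseline)

def evaluate(device, now):
    """Return the failing checks for one managedDevice record."""
    failures = []
    if not device.get("isEncrypted"):
        failures.append("disk-encryption")
    baseline = MIN_OS.get(device.get("operatingSystem"))
    if baseline and older_than(version_tuple(device.get("osVersion", "")), baseline):
        failures.append("os-update")
    state = device.get("complianceState")
    expiry = device.get("complianceGracePeriodExpirationDateTime")
    if state == "inGracePeriod" and expiry:
        # Inside the grace window the device is not yet reported as failing.
        if datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            failures.append("compliance-policy")
    elif state != "compliant":
        failures.append("compliance-policy")
    return failures

def report(devices, now):
    """Map device name -> (owner or 'unmapped', failing checks)."""
    return {d["deviceName"]: (d.get("userPrincipalName") or "unmapped", evaluate(d, now))
            for d in devices}

# Constructed sample records (not real devices).
SAMPLE_DEVICES = [
    {"deviceName": "LAPTOP-A", "userPrincipalName": "alice@example.com", "operatingSystem": "Windows",
     "osVersion": "10.0.22631.3447", "isEncrypted": True, "complianceState": "compliant"},
    {"deviceName": "LAPTOP-B", "userPrincipalName": "bob@example.com", "operatingSystem": "Windows",
     "osVersion": "10.0.19045.4291", "isEncrypted": False, "complianceState": "noncompliant"},
    {"deviceName": "MAC-C", "userPrincipalName": "", "operatingSystem": "macOS",
     "osVersion": "14.4.1 (23E224)", "isEncrypted": True, "complianceState": "inGracePeriod",
     "complianceGracePeriodExpirationDateTime": "2026-05-01T00:00:00Z"},
]
```

Calling `report(SAMPLE_DEVICES, datetime.now(timezone.utc))` lists each device with its owner and failing checks; a device with no user mapping is still reported, labelled `unmapped`.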

***

### Post-Connection Flow

After successful integration:

* An **initial sync** is triggered immediately.
* Subsequent syncs occur every **8–24 hours**.
* Devices are:
  * Mapped to users where possible.
  * Included even if user mapping is unavailable (based on configuration).
* Compliance evaluations are continuously updated based on Intune policy results.

***

### Troubleshooting

#### 1. Invalid Credentials

**Error:** Invalid credentials or authentication failure.\
**Resolution:** Verify Tenant ID, Application ID, and Client Secret. Re-authenticate if using OAuth.

#### 2. Insufficient Permissions

**Error:** Access denied or incomplete data.\
**Resolution:** Ensure all required permissions are granted and admin consent is provided in Entra ID.

#### 3. Admin Consent Required

**Error:** “Administrator consent is required.”\
**Resolution:** A Global or Intune Administrator must grant organisation-wide consent.

#### 4. Expired Client Secret

**Error:** Authentication fails due to expired credentials.\
**Resolution:** Generate a new client secret in Azure AD and update it in Sprinto.

#### 5. Tenant or Application Not Found

**Error:** Tenant ID or Application ID not recognised.\
**Resolution:** Verify values and ensure the application exists in the correct tenant.

#### 6. Temporary Microsoft API Errors

**Error:** Rate limiting (429) or server errors (5xx).\
**Resolution:** Retry after some time. Sprinto automatically handles retries and token refresh where applicable.

***

### Support

Please contact [Sprinto Support](mailto:www.support@sprinto.com) if you have any queries related to the integration or need any assistance.
