This week is all about sending notifications about Intune audit logs by using Azure Logic Apps and Teams. That means no new technology, but existing technology used in a different way. The combination of Microsoft Intune and Azure Logic Apps is nothing new. The different examples on this blog, however, have not focused on using logs, such as those in Log Analytics, as a source for monitoring. Of course, there are many different methods for using those logs for monitoring purposes, ranging from directly using Azure Monitor to using Azure Logic Apps. The latter, in combination with Teams, is a very affordable method for monitoring the Intune audit logs and performing actions. The idea of this post is to show the strength and simplicity of that combination. This post provides a simple example that queries the available audit logs in Log Analytics and posts that information as a notification in a Teams chat. That example can easily be extended to filter for more specific information, potentially in a different form.
Note: This post provides a straightforward example that can be easily extended with different actions, sophisticated queries, better look-and-feel, error handling, logging, and much more.
Create a workflow to query Log Analytics workspace
There are different options for querying Intune audit logs. That can be achieved by directly querying Microsoft Graph or by querying Log Analytics. In most cases the latter is the easiest, as most organizations also send their audit logs to Log Analytics for a longer retention period. Querying data in Log Analytics also provides more flexibility, as it can easily be done by using KQL. To put this all together, an Azure Logic App can be used. Logic apps are very similar to Power Automate, especially when looking at the (work)flow that provides the automation. The main differences are in licensing and focus. Logic apps are more focused on IT and automating IT processes. For a more extensive comparison, have a look at the docs.
For providing the workflow with the required permissions, an Azure Logic App can nowadays rely on the use of a managed identity. The required permissions for accessing the Log Analytics workspace can be assigned to that managed identity. The idea of the workflow is to query the audit logs in the Log Analytics workspace and to post a notification with an overview of the recent changes in Teams. After that, it’s up to the IT administrator to verify the recent changes. To get started, make sure that a Logic app and the related workflow are created. The main actions for that are described below.
- Open the Azure portal and navigate to Logic apps to create a new Logic app, by simply walking through the steps of specifying the Hosting options (Hosting plans), the Basics (Subscription, Resource Group, Region and more), and the Tags.
- Once created, select the Logic app, navigate to Settings > Identity and enable the System assigned managed identity. That created managed identity can be used to provide the Logic app with Log Analytics Reader permissions to query the Log Analytics workspace that is used to store the audit logs.
- After that, navigate to Development Tools > Logic app designer to get started with the workflow.
Once the Logic app is in place, it’s time to actually start with the configuration of the workflow. That workflow contains all the intelligence to query the Log Analytics workspace and to post a notification in Teams. An overview of that workflow is shown in Figure 1 and the details are explained below.

- The first step of the workflow is the Schedule – Recurrence trigger. That trigger will be used to trigger the workflow, based on a daily interval, and needs the following configurations of the different values.
  - Frequency: Select Daily as value
  - Interval: Specify 1 as value
- The second step of the workflow, as shown above in Figure 1, is the Azure Monitor Logs – Run query and visualize results action. That action will be used to query the Log Analytics workspace for the latest audit messages and needs at least the following configurations of the different values.
  - Subscription: Select the Subscription that contains the Log Analytics workspace as value
  - Resource Group: Specify the Resource Group that contains the Log Analytics workspace as value
  - Resource Type: Select Log Analytics Workspace as value
  - Query: Specify the following example as the Query to get all the audit logs of the last 24 hours and specifically take out the display name of the object and the UPN of the administrator that made the change:

      IntuneAuditLogs
      | extend PropertiesJson = parse_json(Properties)
      | where TimeGenerated > now() - 24hours
      | extend Policy = replace_regex(tostring(todynamic(Properties).TargetDisplayNames), @'["\[\]]', "")
      | extend ChangedBy = todynamic(Properties).Actor.UPN
      | project TimeGenerated, Policy, ChangedBy, Operation=OperationName
      | order by TimeGenerated

  - Time Range: Select Set in query as value
  - Chart Type: Select Html table as value
Note: The query provided is an example and can be further detailed by looking for specific audit events.
- The third and final step is the Microsoft Teams > Post message in a chat or channel action, when the result of the previous condition is true. That action will be used to post a summary of the audit logs of the last 24 hours, and needs the following configuration of the different values.
  - Post as: Select Flow bot as value
  - Post in: Select Chat with Flow bot as value to post to a specific user
  - Recipient: Specify the specific user that should receive the message as value
  - Message: Specify the message to send to the selected user and include data from the previous step by selecting the lightning icon > Run query and visualize results > Attachment Content as value
Note: This action is an example and can also be a message to a group or a post in a channel.
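As an added example (not part of the original post), the Query value of the second step can be narrowed so that the daily Teams message only lists deletions and operations that did not succeed. The OperationName prefix, the ResultType value and the Actor.ApplicationName property are assumptions about the data in the workspace and should be checked against real rows first.

```kusto
// Added example: report only deletions and non-successful operations
// from the last 24 hours instead of every audit event.
IntuneAuditLogs
| where TimeGenerated > ago(24h)
// Parse the Properties column once and reuse the result.
| extend Props = todynamic(Properties)
// Assumption: OperationName starts with the verb (for example "Delete ...")
// and ResultType is "Success" for successful operations.
| where OperationName startswith "Delete" or ResultType != "Success"
// Join multiple target names into one readable cell.
| extend Policy = strcat_array(Props.TargetDisplayNames, ", ")
// Changes made by an application carry no UPN. Assumption: the Actor object
// also holds ApplicationName, used here so the row still names an initiator.
| extend ChangedBy = coalesce(tostring(Props.Actor.UPN), tostring(Props.Actor.ApplicationName))
| project TimeGenerated, Policy, ChangedBy, Operation = OperationName, Result = ResultType
| order by TimeGenerated desc
```

The projected columns keep the same names as in the original query, so the Html table chart type and the Teams action need no changes.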
Experiencing the Teams notification to get a feeling for the result
The best method to experience the notification in Microsoft Teams is by simply looking at it. The simplicity of this Logic app is that it triggers for all the available audit messages in the Log Analytics workspace. That will make sure that every change will be available in the information that is shown to the IT administrator. The experience for the IT administrator is shown below in Figure 2. The IT administrator receives a message like that for the changes of the last 24 hours. The message provides details about when the log entry was created, the policy that was changed, the user that made the change, and the type of change.

More information
For more information about the different subjects that are used throughout this post, refer to the following docs.
- Audit changes and events in Microsoft Intune | Microsoft Learn
- Connect to Log Analytics or Application Insights – Azure Logic Apps | Microsoft Learn
- View and create queries for logic apps in Azure Monitor logs – Azure Logic Apps | Microsoft Learn
Quite helpful, Thank You!