Microsoft 365
Visualize Microsoft 365 services, groups, and users, and monitor changes through queries and alerts.
- Installation guide
- Microsoft 365 data model
- Microsoft 365 types
Installation
To use this integration, you must have:
- An organizational Active Directory tenant to target for ingestion. The integration does not support the use of other tenant types.
- An account in the tenant you want to target for ingestion that has global administrator access. You will log in with this account to grant the JupiterOne application API permissions that can read data across all users (admin consent).
Configuration in JupiterOne
To install the Microsoft 365 integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Microsoft 365. Click New Instance to begin configuring your integration, providing the following:
The Account Name used to identify the Microsoft 365 account in JupiterOne. Ingested entities will have this value stored in
tag.AccountName
when theAccountName
toggle is enabled.Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLED
and manually execute the integration.Include Advanced Device Details queries for and includes device properties:
physicalMemoryInBytes
,iccid
andethernetMacAddress
when available. Ingestion duration may increase due to additional API requests.
Click Create after you have provided all the values.
When prompted, click Begin Authorization.
You are then directed to the Microsoft identity platform where you must log in as a global administrator of the organizational Active Directory tenant you intend to integrate with.
You must select an account belonging to an organizational tenant. When you are already logged into an account, the badge icons indicate the nature of the tenant the account belongs to. Do not select a personal account.
Review the requested permissions (described below) and grant consent. Once you proceed through the authorization, you will have successfully completed the integration setup process.
Granted permissions
DeviceManagementApps.Read.All
- Read Microsoft Intune apps
- Needed for creating
Application
entities
DeviceManagementConfiguration.Read.All
- Read Microsoft Intune device configuration and policies
- Needed for creating
Configuration
andControlPolicy
entities
DeviceManagementManagedDevices.Read.All
- Read Microsoft Intune devices
- Needed for creating
Device
andHostAgent
entities
Organization.Read.All
- Read organization information
- Needed for creating the
Account
entity
APIConnectors.Read.All
- Read API connectors for authentication flows
- Needed for enriching the
Account
entity with Intune subscription information
DeviceManagementServiceConfig.Read.All
- Read Microsoft Intune configuration
- Also needed for enriching the
Account
entity with Intune subscription information
Directory.Read.All
- Read directory data
- Needed for creating
User
,Group
, andGroupUser
entities
AuditLog.Read.All
- OPTIONAL
- If provided on a B2C or premium tenant, the integragration will include
singInActivity
in theUser
entity.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Data Model
Entities
The following entities are created:
Resources | Entity _type | Entity _class |
---|---|---|
Compliance Policy | intune_compliance_policy | Configuration, ControlPolicy |
Detected Application | intune_detected_application | Application |
Device Configuration | intune_device_configuration | Configuration, ControlPolicy |
Intune Host Agent | intune_host_agent | HostAgent |
Managed Application | intune_managed_application | Application |
Managed Device | user_endpoint | Device, Host |
Managed Device | workstation | Device, Host |
Managed Device | laptop | Device, Host |
Managed Device | desktop | Device, Host |
Managed Device | server | Host |
Managed Device | smartphone | Device, Host |
Noncompliance Finding | intune_noncompliance_finding | Finding |
[AD] Account | microsoft_365_account | Account |
[AD] Group | azure_user_group | UserGroup |
[AD] Group Member | azure_group_member | User |
[AD] User | azure_user | User |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
---|---|---|
azure_user | HAS | computer |
azure_user | USES | computer |
azure_user | HAS | desktop |
azure_user | USES | desktop |
azure_user | HAS | laptop |
azure_user | USES | laptop |
azure_user | HAS | server |
azure_user | USES | server |
azure_user | HAS | smartphone |
azure_user | USES | smartphone |
azure_user | HAS | user_endpoint |
azure_user | USES | user_endpoint |
azure_user | HAS | workstation |
azure_user | USES | workstation |
azure_user_group | HAS | azure_group_member |
azure_user_group | HAS | azure_user |
azure_user_group | HAS | azure_user_group |
computer | INSTALLED | intune_detected_application |
computer | ASSIGNED | intune_managed_application |
computer | HAS | intune_noncompliance_finding |
desktop | INSTALLED | intune_detected_application |
desktop | ASSIGNED | intune_managed_application |
desktop | HAS | intune_noncompliance_finding |
intune_compliance_policy | IDENTIFIED | intune_noncompliance_finding |
intune_device_configuration | IDENTIFIED | intune_noncompliance_finding |
intune_host_agent | MANAGES | computer |
intune_host_agent | MANAGES | desktop |
intune_host_agent | ASSIGNED | intune_compliance_policy |
intune_host_agent | ASSIGNED | intune_device_configuration |
intune_host_agent | MANAGES | laptop |
intune_host_agent | MANAGES | server |
intune_host_agent | MANAGES | smartphone |
intune_host_agent | MANAGES | user_endpoint |
intune_host_agent | MANAGES | workstation |
laptop | INSTALLED | intune_detected_application |
laptop | ASSIGNED | intune_managed_application |
laptop | HAS | intune_noncompliance_finding |
microsoft_365_account | HAS | azure_user |
microsoft_365_account | HAS | azure_user_group |
server | INSTALLED | intune_detected_application |
server | ASSIGNED | intune_managed_application |
server | HAS | intune_noncompliance_finding |
smartphone | INSTALLED | intune_detected_application |
smartphone | ASSIGNED | intune_managed_application |
smartphone | HAS | intune_noncompliance_finding |
user_endpoint | INSTALLED | intune_detected_application |
user_endpoint | ASSIGNED | intune_managed_application |
user_endpoint | HAS | intune_noncompliance_finding |
workstation | INSTALLED | intune_detected_application |
workstation | ASSIGNED | intune_managed_application |
workstation | HAS | intune_noncompliance_finding |
Azure User
azure_user
inherits from User
Property | Type | Description | Specifications |
---|---|---|---|
givenName | string | null | ||
jobTitle | string | null | ||
mail | string | The SMTP address for the user | |
mobilePhone | string | null | ||
officeLocation | string | null | ||
preferredLanguage | string | null | ||
surname | string | null | ||
userPrincipalName | string | null | ||
userType | string | null | ||
accountEnabled * | boolean | ||
usageLocation | string | null |
Microsoft 365 Account
microsoft_365_account
inherits from Account
Property | Type | Description | Specifications |
---|---|---|---|
organizationName | string | null | ||
defaultDomain | string | ||
verifiedDomains | array of string s | ||
intuneAccountId | string | ||
mobileDeviceManagementAuthority | string | ||
intuneSubscriptionState | string |
Azure User Group
azure_user_group
inherits from UserGroup
Property | Type | Description | Specifications |
---|---|---|---|
mail | string | null | ||
mailEnabled * | boolean | Please use isMailEnabled instead | deprecated: true |
isMailEnabled * | boolean | ||
mailNickname | string | null | ||
renewedOn | number | ||
securityEnabled * | boolean | Please use isSecurityEnabled instead | deprecated: true |
isSecurityEnabled * | boolean |
Azure Group Member
azure_group_member
inherits from User
User Endpoint
user_endpoint
inherits from Device, Host
Workstation
workstation
inherits from Device, Host
Laptop
laptop
inherits from Device, Host
Desktop
desktop
inherits from Device, Host
Server
server
inherits from Host
Server
server
inherits from Device, Host
Property | Type | Description | Specifications |
---|---|---|---|
deviceName | string | ||
name | string | ||
id | string | ||
deviceType | string | ||
enrolledDateTime | number | ||
lastSyncDateTime | number | ||
lastUpdateDateTime | number | ||
version | string | ||
serialNumber | string | ||
totalStorageSpace | string | ||
totalStorageSpaceInBytes | number | ||
freeStorageSpace | string | ||
freeStorageSpaceInBytes | number | ||
totalPhysicalMemory | string | ||
totalPhysicalMemoryInBytes | number | ||
processorArchitecture | string | ||
hardwareVendor | string | ||
hardwareManufacturer | string | ||
hardwareModel | string | ||
hardwareSerial | string | ||
hardwareVersion | string | ||
meid | string | ||
imei | string | ||
iccid | string | ||
udid | string | ||
wifiMacAddress | string | ||
ethernetMacAddress | string | ||
macAddress | array of string s | ||
ipAddress | string | ||
easDeviceId | string | ||
assetTag | array of string s | ||
userEmails | array of string s | ||
BYOD | boolean | ||
ownerType | string | ||
encrypted | boolean | ||
userId | string | ||
userDisplayName | string | ||
phoneNumber | string | ||
managed | boolean | ||
supervised | boolean | ||
jailBroken | string | ||
aadDeviceId | string | ||
deviceCategoryDisplayName | string | ||
username | string | ||
physical | boolean |
Smartphone
smartphone
inherits from Device, Host
Intune Host Agent
intune_host_agent
inherits from HostAgent
Property | Type | Description | Specifications |
---|---|---|---|
managementAgent | string | Management channel of the device. Examples: eas, mdm, easMdm, intuneClient, easIntuneClient, jamf, googleCloudDevicePolicyController | |
state | string | Any of: managed retirePending retireFailed wipePending wipeFailed unhealthy deletePending retireIssued wipeIssued wipeCanceled retireCanceled discovered | |
registrationState | string | Any of: notRegistered registered revoked keyConflict approvalPending certificateReset notRegisteredPendingEnrollment unknown | |
complianceState | string | Any of: unknown compliant noncompliant conflict error inGracePeriod configManager | |
compliant | boolean | Please use isCompliant instead | deprecated: true |
isCompliant | boolean |
Intune Compliance Policy
intune_compliance_policy
inherits from Configuration, ControlPolicy
Property | Type | Description | Specifications |
---|---|---|---|
function * | string | const: endpoint-compliance | |
category * | string | const: compliance | |
version | number | ||
policyType | string | Examples: iosCompliancePolicy |
Intune Noncompliance Finding
intune_noncompliance_finding
inherits from Finding
Property | Type | Description | Specifications |
---|---|---|---|
category * | string | const: endpoint | |
id | string | ||
lastProcessedOn | number | ||
lastTestedOn | number | ||
lastUpdatedOn | number | ||
status | string | Any of: unknown notApplicable compliant remediated nonCompliant error conflict notAssigned |
Intune Device Configuration
intune_device_configuration
inherits from Configuration, ControlPolicy
Property | Type | Description | Specifications |
---|---|---|---|
function * | string | const: endpoint-configuration | |
category * | string | const: config | |
version | number | ||
configurationType | string | Examples: iosCustomConfiguration, windows10GeneralConfiguration, iosWiFiConfiguration |
Intune Managed Application
intune_managed_application
inherits from Application
Property | Type | Description | Specifications |
---|---|---|---|
publisher | string | null | ||
isPublished * | boolean | ||
lastUpdatedOn | number | ||
featured | boolean | Please use isFeatured instead | deprecated: true |
isFeatured | boolean | Indicates that this app is being featured on the Company Portal | |
privacyInformationURL | string | null | ||
informationURL | string | null | ||
developer | string | null | Most often the same as the owner | |
version | string | null | ||
committedContentVersion | string | null | ||
packageId | string | null |
Intune Detected Application
intune_detected_application
inherits from Application
Property | Type | Description | Specifications |
---|---|---|---|
version | string | null | ||
sizeInByte | number |