Microsoft 365

Visualize Microsoft 365 services, groups, and users, and monitor changes through queries and alerts.

Installation

Installation

To use this integration, you must have:

• An organizational Active Directory tenant to target for ingestion. The integration does not support the use of other tenant types.
• An account in the tenant you want to target for ingestion that has global administrator access. You will log in with this account to grant the JupiterOne application API permissions that can read data across all users (admin consent).

Configuration in JupiterOne

To install the Microsoft 365 integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Microsoft 365. Click New Instance to begin configuring your integration, providing the following:

• The Account Name used to identify the Microsoft 365 account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

• Description to assist in identifying the integration instance, if desired.

• Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

• Include Advanced Device Details queries for and includes device properties: physicalMemoryInBytes, iccid and ethernetMacAddress when available. Ingestion duration may increase due to additional API requests.

Data Volume Configuration

Control how much data is ingested from Microsoft 365 to manage storage and processing.

Data Filtering Options

Field	Type	Description	Default
Included Vulnerability Severities	Multi-select	Select vulnerability severities to ingest	Low, Medium, High, Critical

Available severity options:

• Unknown
• Informational
• Low (default)
• Medium (default)
• High (default)
• Critical (default)

How it affects data volume: Filtering by severity reduces the number of vulnerability entities ingested. By default, Low, Medium, High, and Critical severity vulnerabilities are imported. Disabling lower severities will reduce data volume.

Additional Options

Field	Type	Description	Default
Include Advanced Device Details	Boolean	Enables ingestion of additional device properties (memory, ICCID, MAC)	false

How it affects data volume: Enabling advanced device details increases the number of API requests and may extend ingestion duration, but adds more granular device information.

Click Create after you have provided all the values.

When prompted, click Begin Authorization.

You are then directed to the Microsoft identity platform where you must log in as a global administrator of the organizational Active Directory tenant you intend to integrate with.

You must select an account belonging to an organizational tenant. When you are already logged into an account, the badge icons indicate the nature of the tenant the account belongs to. Do not select a personal account.

Review the requested permissions (described below) and grant consent. Once you proceed through the authorization, you will have successfully completed the integration setup process.

Granted permissions

1. DeviceManagementApps.Read.All
   • Read Microsoft Intune apps
   • Needed for creating Application entities
2. DeviceManagementConfiguration.Read.All
   • Read Microsoft Intune device configuration and policies
   • Needed for creating Configuration and ControlPolicy entities
3. DeviceManagementManagedDevices.Read.All
   • Read Microsoft Intune devices
   • Needed for creating Device and HostAgent entities
4. Organization.Read.All
   • Read organization information
   • Needed for creating the Account entity
5. APIConnectors.Read.All
   • Read API connectors for authentication flows
   • Needed for enriching the Account entity with Intune subscription information
6. DeviceManagementServiceConfig.Read.All
   • Read Microsoft Intune configuration
   • Also needed for enriching the Account entity with Intune subscription information
7. Directory.Read.All
   • Read directory data
   • Needed for creating User, Group, and GroupUser entities
8. AuditLog.Read.All
   • OPTIONAL
   • If provided on a B2C or premium tenant, the integragration will include singInActivity in the User entity.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Data Model

Entities

The following entities are created:

Resources	Entity _type	Entity _class
[AD] Account	microsoft_365_account	Account
[AD] Group	azure_user_group	UserGroup
[AD] Group Member	azure_group_member	User
[AD] User	azure_user	User
Autopilot Device Identity	intune_autopilot_device_identity	Device
Compliance Policy	intune_compliance_policy	Configuration, ControlPolicy
Detected Application	intune_detected_application	Application
Device Configuration	intune_device_configuration	Configuration, ControlPolicy
Intune Host Agent	intune_host_agent	HostAgent
Managed Application	intune_managed_application	Application
Managed Device	user_endpoint	Device, Host
Managed Device	workstation	Device, Host
Managed Device	laptop	Device, Host
Managed Device	desktop	Device, Host
Managed Device	server	Host
Managed Device	server	Device, Host
Managed Device	smartphone	Device, Host
Noncompliance Finding	intune_noncompliance_finding	Finding

Relationships

The following relationships are created:

Source Entity _type	Relationship _class	Target Entity _type
azure_user	HAS	user_endpoint
azure_user	HAS	workstation
azure_user	HAS	laptop
azure_user	HAS	desktop
azure_user	HAS	computer
azure_user	HAS	server
azure_user	HAS	smartphone
azure_user	USES	user_endpoint
azure_user	USES	workstation
azure_user	USES	laptop
azure_user	USES	desktop
azure_user	USES	computer
azure_user	USES	server
azure_user	USES	smartphone
azure_user_group	HAS	azure_user
azure_user_group	HAS	azure_user_group
azure_user_group	HAS	azure_group_member
computer	HAS	intune_noncompliance_finding
computer	ASSIGNED	intune_managed_application
computer	INSTALLED	intune_detected_application
desktop	HAS	intune_noncompliance_finding
desktop	ASSIGNED	intune_managed_application
desktop	INSTALLED	intune_detected_application
intune_autopilot_device_identity	ASSIGNED	azure_user
intune_compliance_policy	IDENTIFIED	intune_noncompliance_finding
intune_device_configuration	IDENTIFIED	intune_noncompliance_finding
intune_host_agent	MANAGES	user_endpoint
intune_host_agent	MANAGES	workstation
intune_host_agent	MANAGES	laptop
intune_host_agent	MANAGES	desktop
intune_host_agent	MANAGES	computer
intune_host_agent	MANAGES	server
intune_host_agent	MANAGES	smartphone
intune_host_agent	ASSIGNED	intune_compliance_policy
intune_host_agent	ASSIGNED	intune_device_configuration
laptop	HAS	intune_noncompliance_finding
laptop	ASSIGNED	intune_managed_application
laptop	INSTALLED	intune_detected_application
microsoft_365_account	HAS	azure_user
microsoft_365_account	HAS	azure_user_group
server	HAS	intune_noncompliance_finding
server	ASSIGNED	intune_managed_application
server	INSTALLED	intune_detected_application
smartphone	HAS	intune_noncompliance_finding
smartphone	ASSIGNED	intune_managed_application
smartphone	INSTALLED	intune_detected_application
user_endpoint	HAS	intune_noncompliance_finding
user_endpoint	ASSIGNED	intune_managed_application
user_endpoint	INSTALLED	intune_detected_application
workstation	HAS	intune_noncompliance_finding
workstation	ASSIGNED	intune_managed_application
workstation	INSTALLED	intune_detected_application

Types

Azure Group Member

azure_group_member inherits from User

---

Azure User

azure_user inherits from User

Property	Type	Description	Specifications
accountEnabled *	boolean
givenName	string | null
jobTitle	string | null
mail	string	The SMTP address for the user
mobilePhone	string | null
officeLocation	string | null
preferredLanguage	string | null
surname	string | null
usageLocation	string | null
userPrincipalName	string | null
userType	string | null

---

Azure User Group

azure_user_group inherits from UserGroup

Property	Type	Description	Specifications
isMailEnabled *	boolean
isSecurityEnabled *	boolean
mail	string | null
mailEnabled *	boolean	Please use isMailEnabled instead	deprecated: true
mailNickname	string | null
renewedOn	number
securityEnabled *	boolean	Please use isSecurityEnabled instead	deprecated: true

---

Desktop

desktop inherits from Device, Host

---

Intune Autopilot Device Identity

intune_autopilot_device_identity inherits from Device

Property	Type	Description	Specifications
addressableUserName	string | null
azureAdDeviceId	string | null
deploymentProfileAssignedDateTime	number
deploymentProfileAssignmentDetailedStatus	string		Any of: none hardwareRequirementsNotMet surfaceHubProfileNotSupported holoLensProfileNotSupported windowsPcProfileNotSupported surfaceHub2SProfileNotSupported unknownFutureValue
deploymentProfileAssignmentStatus	string		Any of: unknown assignedInSync assignedOutOfSync assignedUnkownSyncState notAssigned pending failed
deviceFriendlyName	string | null
enrollmentState	string		Any of: unknown enrolled pendingReset failed notContacted blocked
groupTag	string | null
lastContactedDateTime	number
managedDeviceId	string | null
productKey	string | null
purchaseOrderIdentifier	string | null
skuNumber	string | null
userPrincipalName	string | null

---

Intune Compliance Policy

intune_compliance_policy inherits from Configuration, ControlPolicy

Property	Type	Description	Specifications
category *	string		const: compliance
function *	string		const: endpoint-compliance
policyType	string	Examples: iosCompliancePolicy
version	number

---

Intune Detected Application

intune_detected_application inherits from Application

Property	Type	Description	Specifications
sizeInByte	number
version	string | null

---

Intune Device Configuration

intune_device_configuration inherits from Configuration, ControlPolicy

Property	Type	Description	Specifications
category *	string		const: config
configurationType	string	Examples: iosCustomConfiguration, windows10GeneralConfiguration, iosWiFiConfiguration
function *	string		const: endpoint-configuration
version	number

---

Intune Host Agent

intune_host_agent inherits from HostAgent

Property	Type	Description	Specifications
complianceState	string		Any of: unknown compliant noncompliant conflict error inGracePeriod configManager
compliant	boolean	Please use isCompliant instead	deprecated: true
isCompliant	boolean
managementAgent	string	Management channel of the device. Examples: eas, mdm, easMdm, intuneClient, easIntuneClient, jamf, googleCloudDevicePolicyController
registrationState	string		Any of: notRegistered registered revoked keyConflict approvalPending certificateReset notRegisteredPendingEnrollment unknown
state	string		Any of: managed retirePending retireFailed wipePending wipeFailed unhealthy deletePending retireIssued wipeIssued wipeCanceled retireCanceled discovered

---

Intune Managed Application

intune_managed_application inherits from Application

Property	Type	Description	Specifications
committedContentVersion	string | null
developer	string | null	Most often the same as the owner
featured	boolean	Please use isFeatured instead	deprecated: true
informationURL	string | null
isFeatured	boolean	Indicates that this app is being featured on the Company Portal
isPublished *	boolean
lastUpdatedOn	number
packageId	string | null
privacyInformationURL	string | null
publisher	string | null
version	string | null

---

Intune Noncompliance Finding

intune_noncompliance_finding inherits from Finding

Property	Type	Description	Specifications
category *	string		const: endpoint
id	string
lastProcessedOn	number
lastTestedOn	number
lastUpdatedOn	number
status	string		Any of: unknown notApplicable compliant remediated nonCompliant error conflict notAssigned

---

Laptop

laptop inherits from Device, Host

---

Microsoft 365 Account

microsoft_365_account inherits from Account

Property	Type	Description	Specifications
defaultDomain	string
intuneAccountId	string
intuneSubscriptionState	string
mobileDeviceManagementAuthority	string
organizationName	string | null
verifiedDomains	array of strings

---

Server

server inherits from Host

---

Server

server inherits from Device, Host

Property	Type	Description	Specifications
aadDeviceId	string
assetTag	array of strings
BYOD	boolean
deviceCategoryDisplayName	string
deviceName	string
deviceType	string
easDeviceId	string
encrypted	boolean
enrolledDateTime	number
ethernetMacAddress	string
freeStorageSpace	string
freeStorageSpaceInBytes	number
hardwareManufacturer	string
hardwareModel	string
hardwareSerial	string
hardwareVendor	string
hardwareVersion	string
iccid	string
id	string
imei	string
ipAddress	string
jailBroken	string
lastSyncDateTime	number
lastUpdateDateTime	number
macAddress	array of strings
managed	boolean
meid	string
name	string
ownerType	string
phoneNumber	string
physical	boolean
processorArchitecture	string
serialNumber	string
supervised	boolean
totalPhysicalMemory	string
totalPhysicalMemoryInBytes	number
totalStorageSpace	string
totalStorageSpaceInBytes	number
udid	string
userDisplayName	string
userEmails	array of strings
userId	string
username	string
version	string
wifiMacAddress	string

---

Smartphone

smartphone inherits from Device, Host

---

User Endpoint

user_endpoint inherits from Device, Host

---

Workstation

workstation inherits from Device, Host

---