Use this article to integrate Lifecycle Manager with Microsoft Endpoint Manager across multiple tenants. The integration requires an Azure application registration that grants Lifecycle Manager read access to the device and software information in your tenant and in your customers' tenants.
This document is for you if you use Microsoft Azure/Entra ID to manage your own Microsoft cloud data and your customers' Microsoft 365 configurations. If you only manage your own company's Microsoft cloud data, see the Microsoft Endpoint Manager - Single tenant integration instructions instead.
Prerequisites
Before proceeding with the Microsoft Endpoint Manager integration, please ensure the following requirements are met:
- Manage Integrations Permission: Verify that the Manage integrations permission is enabled for the ScalePad Hub account. This permission is required to add integrations in Lifecycle Manager.
- The user is an administrator of your Cloud Solution Provider (CSP) tenant.
- You have established GDAP relationships with your customers that include the Global Administrator, Application Administrator, or Cloud Application Administrator GDAP role.
- If the Global Administrator, Application Administrator, or Cloud Application Administrator GDAP role isn't used, the customer will need to consent to the application's access to their tenant manually.
- To confirm that you have the appropriate role, open Microsoft Entra ID in the Azure portal and click Roles and administrators.
- Search for Application Administrator, Global Administrator, or Cloud Application Administrator groups.
- Click the group name and verify that the user setting up the App Registration is a member of one of these groups.
Known limitation with indirect or unmanaged resellers - The Microsoft Endpoint Manager integration does not support indirect or unmanaged resellers because you need direct access to manage client devices. Indirect providers and Cloud Solution Provider (CSP) direct partners should have no issues, but this is something to be aware of if you purchase through a reseller.
Creating multiple instances
Lifecycle Manager supports setting up multiple instances of the Microsoft Endpoint Manager multi-tenant integration directly through your account.
Integration steps in Microsoft Azure
Creating the Lifecycle Manager application
We recommend creating a dedicated application that Lifecycle Manager uses to access device and software information.
- Sign in to Microsoft Azure as a Global Administrator, Application Administrator, or Cloud Application Administrator.
- In the Azure portal, open Microsoft Entra ID (Azure Active Directory) and navigate to App registrations.
- Click the +New Registration button.
- Enter a user-facing display name for the new application registration (for example, Lifecycle Manager MEM multi-tenant).
- Under Supported account types, check that Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) is selected. Do not choose the "this organizational directory only" option, which would limit the application to your own tenant. Leave the rest of the default settings as they are.
- Click Register to create the application.
- Note the Application (client) ID and Directory (tenant) ID under the newly created application.
Tracking Microsoft Defender for Endpoint through Microsoft Endpoint Manager
To track assets with Microsoft Defender for Endpoint, add the WindowsDefenderATP API permission to the application so that Lifecycle Manager can report on endpoint protection by reading Defender for Endpoint data through Microsoft Endpoint Manager.
Here are the steps to track Microsoft Defender for Endpoint through Microsoft Endpoint Manager.
- Within the created application, navigate to the API permissions section.
- Click the Add a permission button.
- In the Request API permissions screen, select APIs my organization uses.
- Type WindowsDefenderATP in the search box, select WindowsDefenderATP, and then select Delegated permissions.
- Expand the Machine module and select Machine.Read.All.
- Click Add permissions.
- Click Grant admin consent and confirm, so the permission shows as granted for your tenant.
When setting your sync settings for Microsoft Endpoint Manager—Multi-Tenant, ensure that the Include Microsoft Defender for Endpoint option is selected.
When adding the Microsoft Endpoint Manager integration to Lifecycle Manager, you must add the Azure application (client) ID, and the Azure client secret value to the Microsoft Endpoint Manager multi-tenant add integration page.
Configuring Lifecycle Manager delegated permissions
Users or administrators must grant permissions to an application before it can call APIs. For full functionality, the following delegated permissions are required. All of them are read-only delegated scopes; the integration does not need any ReadWrite scope or any application (app-only) permission, so do not add them.
Microsoft Graph
- Device.Read.All
- DeviceManagementApps.Read.All
- DeviceManagementManagedDevices.Read.All
- Directory.Read.All
- Organization.Read.All
Microsoft Partner Center
- user_impersonation (found under API permissions -> Add a permission -> APIs my organization uses by searching for "Partner Center"; user_impersonation is granted as a delegated permission).
- Within the created application, navigate to the API permissions section.
- Click the Add a permission button.
- In the Request API permissions screen, select Microsoft Graph and then select Delegated permissions.
- In the Select permissions section, click the arrows next to the required modules to expand each section or start typing the permission to filter the results.
- In the Device module, select Device.Read.All.
- In the DeviceManagementApps module, select DeviceManagementApps.Read.All.
- In the DeviceManagementManagedDevices module, select DeviceManagementManagedDevices.Read.All.
- In the Directory module, select Directory.Read.All.
- In the Organization module, select Organization.Read.All.
- Once all permissions are selected, click Add permissions.
- After adding the permissions, click Grant admin consent and confirm, so that each permission shows Granted in the Status column.
- Click the Add a permission button again.
- In the Request API permissions screen, select APIs my organization uses.
- Search for and select Microsoft Partner Center.
- Select Delegated permissions.
- Select user_impersonation.
- Click Add permissions, then click Grant admin consent again so the new permission is consented as well.
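Once the Defender for Endpoint, Microsoft Graph and Partner Center permissions above have been added and consented, a practitioner will want a repeatable check that the registration still carries exactly those read-only delegated scopes and nothing more. The following script is an added example, not ScalePad's or Microsoft's code. It audits the JSON that Microsoft Graph returns for `GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '<service-principal-object-id>'` (the service principal of the Lifecycle Manager application). The resource object IDs, the display-name mapping and both sample responses are constructed for the example; in a real tenant the mapping comes from `GET /v1.0/servicePrincipals/<resourceId>`.

```python
"""Audit the delegated permissions granted to the Lifecycle Manager app's service
principal against the scopes this article asks for.

Input: the JSON body of
  GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '<sp-object-id>'
Each grant names the resource service principal (resourceId) and carries a
space-separated 'scope' string; consentType 'AllPrincipals' means admin consent.
"""
import json

# Delegated scopes the article tells you to add, keyed by resource display name.
EXPECTED_SCOPES = {
    "Microsoft Graph": {
        "Device.Read.All",
        "DeviceManagementApps.Read.All",
        "DeviceManagementManagedDevices.Read.All",
        "Directory.Read.All",
        "Organization.Read.All",
    },
    "WindowsDefenderATP": {"Machine.Read.All"},
    "Microsoft Partner Center": {"user_impersonation"},
}
# The Defender scope is only required when "Include Microsoft Defender for Endpoint" is on.
OPTIONAL_RESOURCES = {"WindowsDefenderATP"}

# Constructed placeholder object IDs (assumption for this example, not real IDs from any tenant).
RESOURCE_NAMES = {
    "11111111-1111-1111-1111-111111111111": "Microsoft Graph",
    "22222222-2222-2222-2222-222222222222": "WindowsDefenderATP",
    "33333333-3333-3333-3333-333333333333": "Microsoft Partner Center",
}


def _is_write_scope(scope):
    """Heuristic for scopes that permit changes rather than reads."""
    return "ReadWrite" in scope or scope.endswith(".Write") or ".Write." in scope


def audit_grants(grants_json, resource_names=RESOURCE_NAMES):
    """Return a list of (code, detail) findings; an empty list means the grants match the article."""
    findings = []
    granted = {}
    for grant in json.loads(grants_json)["value"]:
        name = resource_names.get(grant["resourceId"], grant["resourceId"])
        scopes = set((grant.get("scope") or "").split())
        if grant.get("consentType") != "AllPrincipals":
            findings.append(("no_admin_consent", f"{name}: consentType={grant.get('consentType')!r}"))
        granted.setdefault(name, set()).update(scopes)

    for name, scopes in granted.items():
        expected = EXPECTED_SCOPES.get(name)
        if expected is None:
            findings.append(("unexpected_resource", f"{name}: {sorted(scopes)}"))
            continue
        for scope in sorted(scopes - expected):
            code = "write_scope" if _is_write_scope(scope) else "extra_scope"
            findings.append((code, f"{name}: {scope}"))
        for scope in sorted(expected - scopes):
            findings.append(("missing_scope", f"{name}: {scope}"))

    for name in EXPECTED_SCOPES:
        if name not in granted and name not in OPTIONAL_RESOURCES:
            findings.append(("missing_resource", name))
    return findings


# Constructed sample: exactly the grants this article produces.
GOOD_GRANTS = json.dumps({"value": [
    {"clientId": "sp-object-id", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "11111111-1111-1111-1111-111111111111",
     "scope": "Device.Read.All DeviceManagementApps.Read.All "
              "DeviceManagementManagedDevices.Read.All Directory.Read.All Organization.Read.All"},
    {"clientId": "sp-object-id", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "22222222-2222-2222-2222-222222222222", "scope": "Machine.Read.All"},
    {"clientId": "sp-object-id", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "33333333-3333-3333-3333-333333333333", "scope": "user_impersonation"},
]})

# Constructed sample of a drifted registration: a write scope replaced a read scope,
# the Defender grant is per-user consent instead of admin consent, and the
# Partner Center grant is missing altogether.
DRIFTED_GRANTS = json.dumps({"value": [
    {"clientId": "sp-object-id", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "11111111-1111-1111-1111-111111111111",
     "scope": "Device.Read.All DeviceManagementApps.Read.All "
              "DeviceManagementManagedDevices.ReadWrite.All Directory.Read.All Organization.Read.All"},
    {"clientId": "sp-object-id", "consentType": "Principal", "principalId": "some-user-object-id",
     "resourceId": "22222222-2222-2222-2222-222222222222", "scope": "Machine.Read.All"},
]})

if __name__ == "__main__":
    for label, sample in (("good", GOOD_GRANTS), ("drifted", DRIFTED_GRANTS)):
        print(label, audit_grants(sample) or "OK")
```

Run it against the live Graph response after every change to the registration; a `write_scope` or `unexpected_resource` finding means the application has more reach than the integration needs and the extra grant should be removed before the client secret is shared with anyone.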
Adding the Lifecycle Manager application to the AdminAgents group
- Navigate to the Microsoft Entra ID (Azure Active Directory) Groups section.
- Search for AdminAgents and select it. The name must be exactly AdminAgents.
- Navigate to the Members section for the group.
- Select Add members, search for the Lifecycle Manager application you created (for example, Lifecycle Manager MEM multi-tenant), and click Select.
Membership in AdminAgents is what lets the application use your GDAP relationships to reach customer tenants, so review that group's membership as part of your regular access reviews.
Granting Lifecycle Manager access
Client secrets, also known as application passwords, are secret strings the application uses to prove its identity when it requests a token.
- Within the created application, navigate to the Certificates & secrets section.
- In the Client secrets section, click the New client secret button.
- Add a description for the client secret. After entering a description, we recommend leaving the expiry at the default of 180 days (6 months).
- Click the Add button.
- Take note of the Client secret Value, as this value is required when adding the integration to Lifecycle Manager.
- Important: Keep the Client secret Value in a secure location such as a secrets manager, not in a ticket or email. Once you navigate away from the page it is no longer shown and cannot be recovered; anyone holding the application (client) ID and this value can request tokens as the application.
Why 6 months for expiry? - We recommend 6 months because it balances security and convenience. Microsoft's guidance only requires that the secret expire (the Azure portal offers lifetimes up to 24 months). Before a client secret expires, create a new one and save it in the existing integration; the old secret keeps working until its own expiry, so there is no downtime.
Authentication steps
Azure portal authentication
- Within the created application, navigate to the Authentication section on the left side of the Azure app management page.
- Under Platform configurations, click Add a platform and choose Web, unless a Web platform is already present.
- If adding a new platform, enter https://app.scalepad.com/account/integration/oauth as the redirect URI, then click Configure.
- If the Web platform was already there, click Add URI, enter https://app.scalepad.com/account/integration/oauth, then click Save.
- Enter the URI exactly as shown; Azure matches redirect URIs exactly, and the integration needs no other redirect URI on this application.
- Under Supported account types, check Accounts in any organizational directory only (Any Microsoft Entra ID tenant - Multitenant) is selected.
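The registration steps above (multi-tenant sign-in audience, the single ScalePad redirect URI, and a client secret with a bounded lifetime) are all visible on the application object itself, so they can be checked in one pass and re-checked before each secret rotation. The script below is an added example, not ScalePad's or Microsoft's code. It audits the JSON returned by `GET /v1.0/applications/<application-object-id>`; both sample registrations, their key IDs and the "now" timestamps are constructed for the example, and the 183-day and 30-day thresholds are assumptions that encode the 6-month recommendation from this article.

```python
"""Audit the Lifecycle Manager application object: sign-in audience, redirect URIs
and client-secret lifetimes, as this article configures them.

Input: the JSON body of
  GET https://graph.microsoft.com/v1.0/applications/<application-object-id>
"""
import json
from datetime import datetime, timezone

REDIRECT_URI = "https://app.scalepad.com/account/integration/oauth"
MULTI_TENANT_AUDIENCE = "AzureADMultipleOrgs"   # "Accounts in any organizational directory"
MAX_SECRET_LIFETIME_DAYS = 183                  # assumption: the 6-month expiry the article recommends
ROTATE_WITHIN_DAYS = 30                         # assumption: create the replacement secret inside this window


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps, sometimes with 7 fractional digits; keep whole seconds."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_application(app_json, now_iso):
    """Return a list of (code, detail) findings; empty means the registration matches the article."""
    app = json.loads(app_json)
    now = parse_graph_time(now_iso)
    findings = []

    if app.get("signInAudience") != MULTI_TENANT_AUDIENCE:
        findings.append(("sign_in_audience", app.get("signInAudience")))

    uris = app.get("web", {}).get("redirectUris", [])
    if REDIRECT_URI not in uris:
        findings.append(("missing_redirect_uri", REDIRECT_URI))
    for uri in uris:
        if uri != REDIRECT_URI:  # Azure matches redirect URIs exactly; any other URI is unneeded surface
            findings.append(("extra_redirect_uri", uri))

    for cred in app.get("passwordCredentials", []):
        label = cred.get("displayName") or cred.get("keyId")
        start = parse_graph_time(cred["startDateTime"])
        end = parse_graph_time(cred["endDateTime"])
        lifetime = (end - start).days
        if lifetime > MAX_SECRET_LIFETIME_DAYS:
            findings.append(("secret_lifetime_too_long", f"{label}: {lifetime} days"))
        remaining = (end - now).days
        if remaining < 0:
            findings.append(("secret_expired", label))
        elif remaining <= ROTATE_WITHIN_DAYS:
            findings.append(("secret_rotate_soon", f"{label}: {remaining} days left"))
    return findings


# Constructed sample: a registration set up exactly as the article describes.
GOOD_APP = json.dumps({
    "displayName": "Lifecycle Manager MEM multi-tenant",
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": [REDIRECT_URI]},
    "passwordCredentials": [
        {"displayName": "LM integration 2024-H1", "keyId": "00000000-0000-0000-0000-000000000001",
         "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-06-30T00:00:00Z"},
    ],
})

# Constructed sample of a drifted registration: single-tenant audience, a stray
# localhost redirect URI, and a two-year secret that is about to expire anyway.
DRIFTED_APP = json.dumps({
    "displayName": "Lifecycle Manager MEM multi-tenant",
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": [REDIRECT_URI, "http://localhost:3000/callback"]},
    "passwordCredentials": [
        {"displayName": "long-lived", "keyId": "00000000-0000-0000-0000-000000000002",
         "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
    ],
})

if __name__ == "__main__":
    print("good:", audit_application(GOOD_APP, "2024-03-01T00:00:00Z") or "OK")
    print("drifted:", audit_application(DRIFTED_APP, "2024-12-15T00:00:00Z"))
```

A `secret_rotate_soon` finding is the cue to create the replacement secret and save it in the existing integration, as the rotation note above describes, while the current one still works.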
Adding credentials to Lifecycle Manager
- Within Lifecycle Manager, navigate to the Microsoft Endpoint Manager multi-tenant add integration page and enter the values you recorded earlier:
- Azure application (client) ID
- Azure client secret value
- When setting your sync settings for Microsoft Endpoint Manager—Multi-Tenant, ensure that the Include Microsoft Defender for Endpoint option is selected. See Tracking Microsoft Defender for Endpoint through Microsoft Endpoint Manager for information.
- Click Connect now.
- After the page has been saved, click Authorize. A popup opens a Microsoft authorization page; sign in with the administrator account from the prerequisites and complete the consent prompts.
Once the integration is connected and authorized, Lifecycle Manager performs a full sync. When it finishes, you should be able to view your assets in your account.