Use this article to integrate Lifecycle Manager with Microsoft Endpoint Manager. A configured Azure application is required to grant Lifecycle Manager access to your device and software information in order to integrate Microsoft Endpoint Manager with Lifecycle Manager.
Known limitation with indirect or unmanaged resellers - The Microsoft Endpoint Manager integration does not support indirect or unmanaged resellers because you need direct access to manage client devices. Indirect providers and Cloud Solution Provider (CSP) direct partners should have no issues, but this is something to be aware of if you purchase through a reseller.
Prerequisites
Before proceeding with the integration, please ensure the following requirements are met:
- Manage Integrations Permission: Verify that the Manage integrations permission is enabled for your ScalePad Hub account.
- Administrator Credentials: Confirm that you have Administrator user credentials for Microsoft Azure.
-
Work (or school) accounts from Microsoft. This includes organizations that use Office 365
-
An active Intune subscription
Lifecycle Manager supports setting up multiple instances of the Microsoft Endpoint Manager single-tenant integration directly through your account, without the need to contact Support for manual activation.
Integration steps in Microsoft Azure
Creating the application
-
Sign in to Microsoft Azure as a global administrator
-
From the Azure Directory admin center, navigate to Azure Active Directory App registrations
-
Click the +New Registration button
-
Enter a user-facing display name for the new application registration
-
After entering a name (for example, Lifecycle Manager MEM Integration), we recommend leaving the default settings unchanged.
-
Click Register to create the application
-
Under your newly created application, take note of the Application (client) ID and the Directory (tenant) ID.
When adding the Microsoft Endpoint Manager integration to Lifecycle Manager, you will need to add the Application (client) ID and Directory (tenant) ID to the Microsoft Endpoint Manager add integration page.
Adding API permissions
Users/admins are required to grant permissions to applications before they can call APIs. For full functionality, the following permissions are required:
-
DeviceManagementApps.Read.All
-
DeviceManagementManagedDevices.Read.All
-
Organization.Read.All
- User.Read.All - The User.Read.All permission is necessary to retrieve user data.
-
Navigate to the API permissions section
-
Click the Add a permission button
-
In the Request API permissions screen, select Microsoft Graph and then select Application permissions
-
In the Select permissions section, click the arrows next to DeviceManagementManagedDevices, DeviceManagementApps, and Organization to expand each section or start typing the permission to filter the results.
-
In the DeviceManagementApps module, select the DeviceManagementApps.Read.All.
-
In the DeviceManagementManagedDevices module, select the DeviceManagementManagedDevices.Read.All.
-
In the Organization module, select the Organization.Read.All.
-
-
Click Add permissions
-
After adding permissions, you need to add administrator consent for each permission name.
-
-
Click Grant admin consent
Tracking Microsoft Defender for Endpoint through Microsoft Endpoint Manager
If you have assets with Windows Defender for Endpoint that you want to track, you have to add API permissions through Microsoft Endpoint Manager so that we can provide reporting on endpoint protection by consuming windows defender information through Microsoft Endpoint Manager.
Here are the steps to track Microsoft Defender for Endpoint through Microsoft Endpoint Manager.
-
Navigate to the API permissions section
-
Click the **Add a permission** button
-
In the Request API permissions screen, select APIs my organization uses
-
In the Request API permissions screen, manually type WindowsDefenderATP, select WindowsDefenderATP and then select Application permissions
-
In the Select permissions section, click the arrows next to Machine, to expand the section or start typing the permission to filter the results.
-
In the *Machine* module, select Machine.Read.All.
-
-
Click Add permissions
-
Click Grant admin consent
Ensure that the Include Microsoft Defender for Endpoint option is selected when setting your sync settings for Microsoft Endpoint Manager - Single-Tenant.
Configure application process
Client secrets, also known as application passwords, are secret strings that the application uses to prove its identity when it requests a token.
-
Navigate to the Certificates & secrets section
-
In the Client secrets section, click the New client secret button
-
Add a description for the client secret. After entering a description, we recommend leaving the default expiry settings to 6 months.
-
Click the Add button.
-
Take note of the Client secret Value, as this value is required when adding the integration to Lifecycle Manager.
-
Note: Keep the Client secret Value in a secure location, because this value is not recoverable once navigating away.
-
Why 6 months for expiry? - We follow Microsoft's recommendation of a 6-month expiration for client secrets as this period of time is a balance between securing the application's access and convenience of use for our partners. Expiry dates can range from 1 day to 2 years, but Microsoft client secrets must expire eventually. Before a client secret expires, a new one can be created and saved in the existing integration with no downtime.
Integration steps in Lifecycle Manager
-
Navigate to the Microsoft Endpoint Manager add integration page and fill in the following information gathered previously:
-
Azure Tenant ID
-
Azure Application (client) ID
-
Azure Client Secret
-
- Select Include Microsoft Defender for Endpoint (optional)
-
Click Connect now
When you click Connect now, Lifecycle Manager performs a full sync. When finished, you should be able to view your hardware assets in your account, as well as any software assets.