Description:
Microsoft Intune is a cloud-based service for mobile device management (MDM) and mobile application management (MAM). Capturing Intune logs and sending them to Log Analytics allows you to monitor and analyze the status of devices, applications, and policies in your organization. By sending Intune logs to Log Analytics, you can leverage Azure Monitor to track, query, and create alerts based on device and app performance, security compliance, and policy enforcement.
Enabling Intune log collection and integration with Log Analytics enhances the visibility of your device and application management activities and provides detailed insights into the overall health of your MDM environment.
Rationale:
Capturing and sending Intune logs to Log Analytics allows for:
Centralized logging and monitoring of device and app activity in one location.
Real-time visibility into the status of devices, applications, and policies across your organization.
Troubleshooting and compliance monitoring by querying Intune logs for events such as device non-compliance, app installation failures, or policy violations.
Alerting and automation by integrating Intune logs with Azure Monitor to create actionable insights and alerts based on log data.
Impact:
By enabling Intune log collection to Log Analytics, you gain deeper insights into your Intune-managed devices and applications. However, this may increase the volume of log data stored in Log Analytics, which could affect your storage costs, depending on the volume and retention policies of your logs. You should ensure that the Log Analytics workspace is properly configured for log retention and that queries are optimized for performance.
Default Value:
By default, Intune logs are not automatically sent to Log Analytics. You need to configure Azure Monitor to capture and send Intune logs to your Log Analytics workspace.
Pre-requisites:
Azure subscription with Intune and Azure Monitor (Log Analytics) enabled.
Owner, Contributor, or Security Administrator role permissions to configure Intune and Log Analytics integration.
Log Analytics workspace created.
Microsoft Intune configured and operational for device management.
Audit:
Sign in to the Azure portal as an Owner, Contributor, or Security Administrator.
Navigate to Azure Monitor and Log Analytics to review the existing log data sources and ensure that Intune logs are being captured.
Verify that Intune logs are being sent to the Log Analytics workspace and that the configuration is correct.
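The audit above can be made repeatable by evaluating the diagnostic-settings document that Azure Monitor returns for Intune rather than eyeballing the portal. The following is an added example, not part of this benchmark text: it parses a diagnostic-settings JSON document and reports whether at least one setting sends the expected log categories to a Log Analytics workspace. The JSON shape follows the Azure Monitor diagnostic-settings resource (a "value" list of settings, each with "properties.workspaceId" and "properties.logs"); the category names in REQUIRED_CATEGORIES, the sample workspace and storage IDs, and the setting names are assumptions constructed for the example.

```python
"""Audit helper for Intune diagnostic settings (added example, not benchmark text).

Feed it the JSON returned for Intune's diagnostic settings; it reports whether a
Log Analytics destination exists with every required log category enabled.
Category names, resource IDs and setting names below are constructed assumptions.
"""
import json

# Log categories this check expects to be enabled (assumed category names).
REQUIRED_CATEGORIES = frozenset({"AuditLogs", "OperationalLogs", "DeviceComplianceOrg", "Devices"})

# Constructed placeholder resource IDs (not real subscriptions or workspaces).
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitor"
                "/providers/Microsoft.OperationalInsights/workspaces/law-intune")
STORAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitor"
              "/providers/Microsoft.Storage/storageAccounts/stintunearchive")

# Constructed sample: a single setting sends every required category to the workspace.
COMPLIANT_DOC = json.dumps({
    "value": [{
        "name": "intune-to-law",
        "properties": {
            "workspaceId": WORKSPACE_ID,
            "logs": [{"category": c, "enabled": True} for c in sorted(REQUIRED_CATEGORIES)],
        },
    }]
})

# Constructed sample: an archive-only setting plus a workspace setting with categories missing.
NONCOMPLIANT_DOC = json.dumps({
    "value": [
        {"name": "intune-to-storage",
         "properties": {"storageAccountId": STORAGE_ID,
                        "logs": [{"category": "AuditLogs", "enabled": True}]}},
        {"name": "intune-partial",
         "properties": {"workspaceId": WORKSPACE_ID,
                        "logs": [{"category": "AuditLogs", "enabled": True},
                                 {"category": "OperationalLogs", "enabled": False}]}},
    ]
})


def audit_diagnostic_settings(doc: str, required=REQUIRED_CATEGORIES) -> dict:
    """Return {'compliant': bool, 'findings': [str, ...]} for one diagnostic-settings document.

    A document is compliant when at least one setting has a Log Analytics workspace
    destination and every required category enabled. Each setting that falls short
    produces a human-readable finding so the auditor can see why.
    """
    settings = json.loads(doc).get("value", [])
    findings = []
    compliant = False
    if not settings:
        findings.append("no diagnostic settings configured for Intune")
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        props = setting.get("properties", {})
        if not props.get("workspaceId"):
            # Storage or Event Hub destinations do not satisfy this control.
            findings.append(f"{name}: no Log Analytics workspace destination")
            continue
        enabled = {log["category"] for log in props.get("logs", []) if log.get("enabled")}
        missing = sorted(required - enabled)
        if missing:
            findings.append(f"{name}: categories not enabled: {', '.join(missing)}")
        else:
            compliant = True
    return {"compliant": compliant, "findings": findings}


if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT_DOC), ("non-compliant", NONCOMPLIANT_DOC)):
        print(label, audit_diagnostic_settings(doc))
```

Pass the script the JSON you retrieve for Intune's diagnostic settings (for example, saved from the portal's JSON view or the Azure Monitor REST API); an empty findings list with compliant set to True is a pass. Disabled categories and destinations other than a workspace are reported separately, because a setting that only archives to storage does not give you the query and alert capability the control is about.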
Implementation Steps (Manual):
Sign in to the Azure portal:
Use an account with Owner, Contributor, or Security Administrator permissions.
Navigate to Azure Monitor:
In the Azure portal, search for Azure Monitor and select it.
Configure Data Collection:
In Azure Monitor, navigate to Data Collection under Log Analytics.
In the Data Collection settings, choose Intune as the data source for sending logs to Log Analytics.
Select your Log Analytics workspace to store Intune logs.
Enable Intune Data Collection:
In Microsoft Intune, go to Device configuration > Profiles > Diagnostics settings.
In the Diagnostics settings, configure the logs you want to capture (e.g., device health, policy compliance, app usage).
Enable Log Analytics integration to ensure the logs are sent to your Log Analytics workspace.
Example steps to enable integration:
In the Azure portal, navigate to Microsoft Intune.
Under Monitoring, select Diagnostic settings.
Choose + Add diagnostic setting to create a new setting.
Under Logs, select the types of logs you want to collect (e.g., Device compliance, App installation status, Policy assignment).
Select Send to Log Analytics and choose the appropriate Log Analytics workspace.
Verify Intune Log Capture:
Once logs are enabled, navigate to your Log Analytics workspace.
Run a query to verify that Intune logs are being sent and captured.
You can query logs such as device compliance, app installations, or policy evaluations based on the types of logs you selected to capture.
Configure Alerts (Optional):
You can create alerts in Azure Monitor based on specific log data from Intune.
In Azure Monitor, navigate to Alerts and create a new alert rule based on the log data you want to monitor (e.g., alerts for non-compliant devices, app installation failures).
Set the criteria for the alert (e.g., when a device fails a compliance policy) and configure the notification action group (email, SMS, webhook).
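The verification query in "Verify Intune Log Capture" and the non-compliant-device alert described in "Configure Alerts" both reduce to the same two pieces of logic: is each expected table still receiving rows, and which devices are currently non-compliant according to their most recent compliance record. The block below is an added example, not part of this benchmark text, that runs both checks over constructed rows shaped like Log Analytics query results. The table names (IntuneDeviceComplianceOrg, IntuneOperationalLogs, IntuneAuditLogs), the column names (TimeGenerated, DeviceName, ComplianceState) and the KQL equivalent in ALERT_QUERY_KQL are assumptions of the example; confirm them against the schema of your own workspace before building an alert rule on them.

```python
"""Freshness and non-compliance checks over Intune rows in Log Analytics
(added example, not benchmark text). Table and column names are assumptions."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Tables the diagnostic setting is expected to populate (assumed names).
EXPECTED_TABLES = ("IntuneDeviceComplianceOrg", "IntuneOperationalLogs", "IntuneAuditLogs")

# Constructed sample rows: LAPTOP-02 stays non-compliant, LAPTOP-03 recovers,
# the operational table has not received anything for three days and the audit
# table has nothing at all.
SAMPLE_ROWS = [
    {"Type": "IntuneDeviceComplianceOrg", "TimeGenerated": NOW - timedelta(hours=1),
     "DeviceName": "LAPTOP-01", "ComplianceState": "Compliant"},
    {"Type": "IntuneDeviceComplianceOrg", "TimeGenerated": NOW - timedelta(hours=2),
     "DeviceName": "LAPTOP-02", "ComplianceState": "NonCompliant"},
    {"Type": "IntuneDeviceComplianceOrg", "TimeGenerated": NOW - timedelta(hours=1),
     "DeviceName": "LAPTOP-02", "ComplianceState": "NonCompliant"},
    {"Type": "IntuneDeviceComplianceOrg", "TimeGenerated": NOW - timedelta(hours=3),
     "DeviceName": "LAPTOP-03", "ComplianceState": "NonCompliant"},
    {"Type": "IntuneDeviceComplianceOrg", "TimeGenerated": NOW - timedelta(minutes=30),
     "DeviceName": "LAPTOP-03", "ComplianceState": "Compliant"},
    {"Type": "IntuneOperationalLogs", "TimeGenerated": NOW - timedelta(days=3),
     "DeviceName": "LAPTOP-01", "Result": "Success"},
]

# Assumed KQL equivalent of noncompliant_devices(), for use as an alert rule query.
ALERT_QUERY_KQL = """
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(24h)
| summarize arg_max(TimeGenerated, ComplianceState) by DeviceName
| where ComplianceState == "NonCompliant"
"""


def ingestion_status(rows, now=NOW, max_age=timedelta(hours=24)):
    """Map each expected table to True if it received a row within max_age of now.

    A False value means the diagnostic setting is not delivering that table,
    which is the first thing to check when an alert goes quiet.
    """
    latest = {}
    for row in rows:
        table, stamp = row["Type"], row["TimeGenerated"]
        if table not in latest or stamp > latest[table]:
            latest[table] = stamp
    return {table: table in latest and now - latest[table] <= max_age
            for table in EXPECTED_TABLES}


def noncompliant_devices(rows, now=NOW, lookback=timedelta(hours=24)):
    """Return the sorted device names whose latest compliance record is NonCompliant.

    Only the most recent record per device inside the lookback window counts, so a
    device that has since returned to Compliant does not keep firing the alert.
    """
    latest = {}
    for row in rows:
        if row["Type"] != "IntuneDeviceComplianceOrg" or now - row["TimeGenerated"] > lookback:
            continue
        name = row["DeviceName"]
        if name not in latest or row["TimeGenerated"] > latest[name]["TimeGenerated"]:
            latest[name] = row
    return sorted(name for name, row in latest.items() if row["ComplianceState"] == "NonCompliant")


if __name__ == "__main__":
    print("ingestion:", ingestion_status(SAMPLE_ROWS))
    print("non-compliant:", noncompliant_devices(SAMPLE_ROWS))
```

Using the latest record per device (arg_max in the KQL form) rather than every NonCompliant row is what keeps the alert from re-firing for devices that have already been remediated, and the freshness check is worth running alongside it: an alert that relies on a table nobody is populating any more will never fire, which looks identical to a healthy fleet.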
Monitor and Review Logs:
Use Azure Monitor and Log Analytics to regularly review Intune logs for insights on the health, compliance, and performance of your devices and applications.
Set up custom dashboards or use pre-built templates in Log Analytics to visualize the log data.
Test the Integration:
To verify the setup, trigger a compliance policy violation, app installation failure, or device health issue.
Check your Log Analytics workspace to ensure the event is logged and visible for further analysis.
Backout Plan (Manual):
Sign in to the Azure portal:
Use an account with Owner, Contributor, or Security Administrator permissions.
Navigate to Azure Monitor:
Go to Azure Monitor in the Azure portal.
Disable Intune Data Collection:
In Azure Monitor, go to Data Collection under Log Analytics and disable the Intune logs integration.
Alternatively, in Intune, navigate to Device configuration > Profiles > Diagnostics settings and disable the integration with Log Analytics.
Verify the Backout:
After disabling Intune log collection, check your Log Analytics workspace to ensure no further Intune logs are being captured.
Test the Reverted Configuration:
Trigger an event (e.g., a policy violation) and confirm that no logs are generated in Log Analytics.