First you will need an app-reg with the appropriate permissions which can be created by running "create-app-reg.ps1" create-app-reg.ps1 Make a note of the client ID and secret, you will need these later
Second you want to deploy the resources to Azure by clicking this link:
Fill in the required details and it will create runbooks and an app service with the web page content.
The runbook script content will be automatically populated, but if you want to start with a forked version, update accordingly.
When it is complete, click on Outputs and make a note of the details.
Finally, navigate to your new app service website and you will be prompted to enter the details recorded earlier.
Add these and you are now up and running
App Reg:
- Create a new App Registration (multi-tenant if required) and make a note of the Application (client) ID
- Add the redirect URIs to Microsoft default values:
- https://login.microsoftonline.com/common/oauth2/nativeclient
- https://login.live.com/oauth20_desktop.srf
- msal2afd3959-6ff7-400b-8cb3-4c4828166bf1://auth
- Add these API permissions (all Application type):
- AppCatalog.ReadWrite.All
- DeviceManagementApps.ReadWrite.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementRBAC.ReadWrite.All
- DeviceManagementServiceConfig.ReadWrite.All
- Directory.ReadWrite.All
- Domain.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- Policy.Read.All
- Policy.ReadWrite.ConditionalAccess
- Policy.ReadWrite.PermissionGrant
- Policy.ReadWrite.SecurityDefaults
- RoleManagement.ReadWrite.Directory
- CloudPC.ReadWrite.All
- AuditLog.Read.All
- Click on Certificates and secrets and create a new secret. Make a note of the secret value
Runbooks:
- Create a new automation account and add these modules to it:
- Microsoft.Graph.Devices.CorporateManagement
- Microsoft.Graph.Groups
- Microsoft.Graph.DeviceManagement
- Microsoft.Graph.Authentication
- Microsoft.Graph.Identity.Signins
- Create a runbook for the backup/restore script, run on Azure, PowerShell v5.1
- Paste this script into the content: intune-backup-restore-withgui.ps1
- Publish it
- Click Webhooks and create a new webhook. Don't populate any of the fields, they are passed from the application itself.
- Make a note of the URI, it will not display again after leaving the page.
- Create a second runbook following the same process for this drift monitoring using this script: monitor-drift.ps1
Web Service
- Create an Azure App Service running PHP (latest version), or you can use any other web hosting facilities
- Copy the contents of this directory into the root: Webpage Content
- Navigate to the new URL and add /install to the URL
- Complete the steps to setup the environment
Logic App for Drift Cron job
- Create a new logic app using the designer
- Set the trigger to be Recurrence at the date/time/frequency required
- Add an HTTP action sending a POST request to the website URL "/cron.php"