Microsoft Intune

IAM & Security · OAuth 2.0 · Live

Connect your customers' Intune tenants so your product can read managed device inventory, app protection policies, and compliance state without asking the customer to export anything. The customer's admin consents on Microsoft's screen once and Askel manages token refresh from there.

What you can do

List managed devices and their compliance state

Fetch all devices enrolled in Intune along with OS type, OS version, compliance status, last check-in time, and the user they are assigned to. Covers Windows, macOS, iOS, and Android devices.

Read device configuration profiles

Pull the list of device configuration policies assigned in the tenant, including profile name, platform, and assignment scope. Verify that expected security baselines are deployed before go-live.

Inspect compliance policies and their rules

Read compliance policies and the specific rules they enforce, such as minimum OS version, password requirements, and encryption mandates. Surface gaps between policy intent and actual device state.

Read app protection policies

Fetch mobile app management (MAM) policies including target apps, data-protection settings, and access requirements. Useful for security reviews that need to verify data-loss prevention controls on mobile devices.

List apps deployed through Intune

Read the managed app catalog, including app name, type (LOB, store, Win32), and assignment state. Verify that expected endpoint security tools are deployed across the device fleet.

Read non-compliant device reports

Query devices filtered by compliance state to pull only the non-compliant records. Lets your product build a remediation checklist without fetching the full device inventory on every sync.

Sample use case

Verifying device compliance before granting access to a new platform

You sell a B2B SaaS data-access platform. A new customer, Stonemill Insurance Group, requires that every employee device accessing your platform meets a minimum OS version and has disk encryption enabled. Stonemill manages all devices through Intune. Your product needs to read their device compliance state at onboarding and block access for non-compliant devices.

  1. Admin consents in Microsoft

     Stonemill's Intune administrator clicks Connect Microsoft Intune in your product's onboarding wizard. Askel redirects to Microsoft's consent screen listing the required Graph API scopes for device and policy reads.

  2. Token issued and stored

     The admin approves consent for the Stonemill tenant. Askel stores the refresh token; access tokens are minted per request using the Microsoft identity platform and expire after one hour.

  3. Device inventory pull

     Askel reads all Stonemill managed devices from the Graph /deviceManagement/managedDevices endpoint. Your product receives 340 device records with compliance state, OS version, and assigned user.

  4. Non-compliant devices flagged

     Your product filters for devices with complianceState != compliant. It finds 18 devices: 12 running outdated Windows versions and 6 iOS devices without the required screen-lock policy applied.

  5. Access gated and Stonemill notified

     Your product blocks login attempts from the 18 non-compliant devices and sends Stonemill's IT admin a summary list. When Intune marks a device compliant after remediation, the next Askel sync picks up the change and access is restored automatically.
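The gate in steps 3 to 5, sketched as an added example (not Askel's or Microsoft's code): it follows @odata.nextLink so no page of the inventory is skipped, and it allows only devices whose complianceState is exactly compliant, so states such as inGracePeriod or unknown, a missing field, and device ids never seen in the inventory are all denied. fetch_page, the device records and the nextLink URL are constructed placeholders standing in for an authenticated Graph call.

```python
from collections import Counter

# Constructed sample: two pages shaped like a Graph managedDevices response.
# Device values and the nextLink URL are made up for this example.
NEXT = "https://graph.example.invalid/managedDevices?page=2"
PAGES = {
    "start": {"@odata.nextLink": NEXT, "value": [
        {"id": "d1", "operatingSystem": "Windows", "complianceState": "compliant"},
        {"id": "d2", "operatingSystem": "Windows", "complianceState": "noncompliant"},
        {"id": "d3", "operatingSystem": "iOS", "complianceState": "inGracePeriod"},
    ]},
    NEXT: {"value": [
        {"id": "d4", "operatingSystem": "iOS", "complianceState": "noncompliant"},
        {"id": "d5", "operatingSystem": "macOS", "complianceState": "unknown"},
        {"id": "d6", "operatingSystem": "Android"},  # state missing entirely
        {"id": "d7", "operatingSystem": "macOS", "complianceState": "compliant"},
    ]},
}

def fetch_page(url):
    """Hypothetical stand-in for an authenticated GET against Graph."""
    return PAGES[url]

def iter_devices(fetch, url="start"):
    """Yield every device, following @odata.nextLink to the last page."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def gate(devices):
    """Fail closed: only an explicit 'compliant' state is allowed."""
    allowed, blocked = set(), []
    for dev in devices:
        if dev.get("complianceState") == "compliant":
            allowed.add(dev["id"])
        else:
            blocked.append(dev)
    return allowed, blocked

def summarize(blocked):
    """Count blocked devices per (OS, state) for the admin summary."""
    return Counter((d.get("operatingSystem", "unknown"),
                    d.get("complianceState", "missing")) for d in blocked)

def is_allowed(device_id, allowed):
    """Allow-list check: ids never seen in the inventory are denied too."""
    return device_id in allowed

ALLOWED, BLOCKED = gate(iter_devices(fetch_page))
```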

Authentication

OAuth 2.0

The customer's Intune (or Entra) administrator consents on Microsoft's standard OAuth screen. Askel requests the minimum required Microsoft Graph scopes for Intune device and policy reads (DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All). Only the refresh token is stored; access tokens are minted per request against the Microsoft identity platform token endpoint.

Data flow

How Askel sits between your product and the customer's system

[Diagram: data flow from the customer's Intune tenant (API endpoint) through Askel (auth · mapping · drift) to your product (your backend). Data read: managed devices, compliance policies, configuration profiles, app protection policies, deployed apps.]

FAQ for Microsoft Intune

What Microsoft Graph scopes are required?

The read-only workflow uses DeviceManagementManagedDevices.Read.All for device inventory and compliance state, DeviceManagementConfiguration.Read.All for configuration and compliance profiles, and DeviceManagementApps.Read.All for app assignments. The exact list is shown on the consent screen.

Does this work if the customer uses Intune standalone or as part of Microsoft Endpoint Manager?

Intune is the underlying service in both cases. The Graph API endpoints Askel uses are the same regardless of whether the customer accesses Intune through the standalone portal or through Microsoft Endpoint Manager (Intune admin center).

Can we write compliance or configuration policies through this integration?

By default the connection requests read-only scopes. If your workflow includes creating or updating policies, the admin would need to re-consent with write scopes (DeviceManagementConfiguration.ReadWrite.All). Write access is never requested by default.

What is the typical device sync latency from Intune to Askel?

Askel reads from the Microsoft Graph API, which reflects Intune's current state as synchronised by the enrolled devices. Device check-in frequency is controlled by Intune policy (typically 8 hours by default for Windows). Askel reads the current state at the time of the API call; it does not cache device records between calls.
Security & Compliance
ISO 27001 Certified
GDPR Compliant

© 2025 Askel.ai. All rights reserved.