Overview
Seamlessly add assets to allwhere and synchronize device specifications by connecting your Microsoft Intune to allwhere.
Key Features
1. Continuously share and update data
Microsoft Intune will sync with allwhere once a day
2. Create new assets in allwhere from Microsoft Intune
Minimum requirements for a new asset to be created in allwhere
- allwhere can determine the asset type based on platform (iOS, macOS, Android) and model patterns for Windows devices (laptop, mobile, tablet)
- The asset has a serial number
- Corporate-owned devices only (managedDeviceOwnerType: company)
- Desktop devices are automatically excluded
Determining status and assignee information for new assets
- The asset status for any new asset added to allwhere will be allocated
- If the asset in Microsoft Intune contains an email address that allwhere can match with an existing user, the existing user will be linked as the assignee on that asset
- If the asset in Microsoft Intune contains an email address, first name and last name, and the assignee does not exist in allwhere, a new employee will be created and linked to the new asset
- If the asset in Microsoft Intune contains no email address, allwhere will create the asset without an assignee in the allocated status
3. Update existing allwhere asset data with device info from Microsoft Intune
The serial number is the unique identifier. If allwhere finds a matching serial number, it updates the existing asset record so that the device hardware information from Microsoft Intune overrides the asset data in allwhere.
Microsoft Intune will become the source of truth for the following fields:
- color
- display size
- IMEI number
- make
- memory (converted from bytes to GB; coming soon)
- model
- operating system
- operating system version
- release date
- storage (converted from bytes to GB)
- storage type
- Microsoft Intune ID
- Azure AD Device ID
Null value protection: If the allwhere asset has a value for a field but Microsoft Intune returns null/empty for that field, the existing allwhere value will be preserved (not overwritten with null).
By default, allwhere will remain the source of truth for assignee, location, status and condition for existing assets. You can optionally enable MDM-Driven Assignee Updates to let Microsoft Intune update the allwhere assignee during sync.
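The update rules above (serial number as the match key, Intune as source of truth for hardware fields, null value protection, and allwhere keeping assignee, location, status and condition unless MDM-Driven Assignee Updates is on) as an added example; this is illustrative code, not allwhere's own implementation. The Intune record's property names, the decimal GB conversion, and the sample values are assumptions.

```python
# Constructed records: an existing allwhere asset and the Intune device that shares
# its serial number (sample values, not real data). Graph property names are assumed.
EXISTING_ASSET = {
    "serial_number": "5CG123", "make": "HP", "model": "EliteBook 840",
    "color": "Silver", "storage_gb": 256, "os": "Windows",
    "os_version": "10.0.19044.1", "assignee_id": 42, "status": "allocated",
    "location": "Austin", "condition": "good",
}
INTUNE_DEVICE = {
    "serialNumber": "5CG123", "manufacturer": "HP", "model": "HP EliteBook 840 G8",
    "color": None, "totalStorageSpaceInBytes": 512_000_000_000,
    "operatingSystem": "Windows", "osVersion": "10.0.19045.3803",
    "id": "intune-dev-2", "azureADDeviceId": "aad-dev-2",
    "emailAddress": "new.owner@example.com",
}

def bytes_to_gb(value):
    """Storage arrives in bytes; decimal GB is assumed for the conversion."""
    return round(int(value) / 1_000_000_000)

# Intune field -> (allwhere field, converter). Intune is the source of truth for these.
FIELD_MAP = {
    "manufacturer": ("make", None),
    "model": ("model", None),
    "color": ("color", None),
    "operatingSystem": ("os", None),
    "osVersion": ("os_version", None),
    "totalStorageSpaceInBytes": ("storage_gb", bytes_to_gb),
    "id": ("intune_id", None),
    "azureADDeviceId": ("azure_ad_device_id", None),
}

def merge_device(asset, device, mdm_driven_assignee=False, resolve_assignee=None):
    """Apply Intune hardware data to a matched asset with null value protection.
    assignee, location, status and condition are left untouched unless
    MDM-Driven Assignee Updates is enabled and the email resolves to a user."""
    if asset["serial_number"] != device.get("serialNumber"):
        raise ValueError("serial numbers differ; refusing to merge")
    updated = dict(asset)
    for src, (dst, convert) in FIELD_MAP.items():
        value = device.get(src)
        if value is None or value == "":
            continue  # null value protection: keep the existing allwhere value
        updated[dst] = convert(value) if convert else value
    if mdm_driven_assignee and resolve_assignee and device.get("emailAddress"):
        new_assignee = resolve_assignee(device["emailAddress"])
        if new_assignee is not None:
            updated["assignee_id"] = new_assignee
    return updated
```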
4. Create new employees in allwhere from Microsoft Intune
If your Microsoft Intune instance includes a reference to an assignee that does not already exist in allwhere, we will create a new employee and assign the asset to that employee.
Minimum fields required are:
- First Name
- Last Name
- At least one email address
WARNING: If your allwhere instance currently contains a list of employees that only has personal emails and your Microsoft Intune instance contains a list of assignees that only has work emails, allwhere will create new employee records for all of your Microsoft Intune assignees. This may result in duplicate employee records being created in allwhere.
We recommend you ensure all employees in allwhere have work emails associated with them prior to connecting Microsoft Intune to avoid creating duplicate employee records in allwhere.
5. New fields added to the allwhere backend
The following fields will be available on the asset record:
- Microsoft Intune ID - Unique device identifier from Intune
- OS Version - Operating system version (e.g., "10.0.19045.3803")
- Activation Lock Bypass Code - Securely stored bypass code for device recovery
- Azure AD Device ID - For cross-referencing with Azure AD
Ready to get started?
Click here for a detailed guide on how to set up your integration
Customer Prerequisites
The customer's Microsoft administrator must:
- Have Global Administrator, Privileged Role Administrator, or Cloud Application Administrator role in Microsoft Entra
- Be prepared to grant the DeviceManagementManagedDevices.Read.All permission to allwhere
Note: Unlike other MDM integrations, customers do NOT need to create their own App Registration or manage secrets. allwhere's multi-tenant app handles this automatically through a secure Admin Consent flow.
Connection Process
How authentication works
Microsoft Intune integration uses a secure Admin Consent URL (magic link) approach:
- allwhere has registered a multi-tenant application in Microsoft Entra with read-only device permissions
- Customers authorize allwhere by clicking a consent link and granting permission in Microsoft's UI
- No customer credentials are entered or stored - only the Tenant ID returned after consent
- Only Primary Admins can establish or modify the Intune connection
- For beta release: Users must also have the Intune Beta permission enabled in Auth0
Connection flow
- User navigates to Integrations > Microsoft Intune
- User clicks "Connect" button
- System displays an Admin Consent URL (magic link) for the user to click
- User clicks the link and is redirected to Microsoft's consent page
- User (must be a Microsoft admin) reviews and grants the requested permissions
- Microsoft redirects back to allwhere with authorization confirmation
- System validates the connection and begins initial sync
- User sees sync progress and results on the Intune details page
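The connection flow above, shown from the service side as an added example (illustrative code, not allwhere's own): a Primary Admin check, a random single-use state bound to the organization, constant-time validation of the state on the redirect, and keeping only the Tenant ID. The consent endpoint, client ID, redirect URI, and the query parameters Microsoft returns (state, tenant, admin_consent, error) are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values standing in for allwhere's app registration (assumed, not real).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://allwhere.example/integrations/intune/callback"
# Microsoft's tenant-independent admin consent endpoint, assumed here.
CONSENT_ENDPOINT = "https://login.microsoftonline.com/organizations/v2.0/adminconsent"

# One pending state per allwhere organization; a real service keeps this in the session store.
PENDING_STATES = {}

def build_consent_link(org_id, is_primary_admin):
    """Create the magic link. Only Primary Admins may start the connection."""
    if not is_primary_admin:
        raise PermissionError("only Primary Admins can connect Intune")
    state = secrets.token_urlsafe(32)  # unguessable, single-use CSRF token
    PENDING_STATES[org_id] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "https://graph.microsoft.com/.default", "state": state}
    return f"{CONSENT_ENDPOINT}?{urlencode(params)}"

def handle_consent_callback(org_id, callback_url):
    """Validate Microsoft's redirect and return the only value kept: the Tenant ID."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    expected = PENDING_STATES.get(org_id, "")
    # Constant-time comparison; a missing or foreign state means this redirect was
    # not started by this organization's admin, so it is rejected outright.
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: possible CSRF, consent rejected")
    del PENDING_STATES[org_id]  # the state cannot be replayed
    if "error" in query:
        raise ValueError(f"consent failed: {query['error'][0]}")
    if query.get("admin_consent", [""])[0].lower() != "true":
        raise ValueError("admin consent was not granted")
    tenant_id = query.get("tenant", [""])[0]
    if not tenant_id:
        raise ValueError("tenant id missing from consent redirect")
    return tenant_id  # no client secret or user credential is ever seen or stored here
```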
Device Type Detection
Microsoft Intune does not provide a dedicated device type field. allwhere uses intelligent detection:
- Platform-based detection - iOS, macOS, and Android devices are identified by their operating system
- Regex pattern matching - Windows devices are classified by analyzing the model name:
  - Laptop: "Dell XPS", "HP EliteBook", "Lenovo ThinkPad", "Microsoft Surface Laptop"
  - Tablet: "Microsoft Surface Pro", "Surface Go"
  - Desktop: "Dell OptiPlex", "HP EliteDesk" (automatically skipped)
  - Mobile: "iPhone", "iPad"
- Desktop exclusion - Devices identified as desktops are automatically skipped and not synced to allwhere
- Unknown types - Devices whose type cannot be determined are skipped and logged
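The detection and skip rules above, as an added example (illustrative code, not allwhere's own): platform first, then the listed Windows model patterns, then the corporate-owned, serial number, desktop and unknown-type checks. The asset type each platform maps to, the Intune field names, and the sample devices are assumptions.

```python
import re
# Constructed sample records with the Intune managed-device fields this logic reads
# (sample values, not real devices).
def make_device(dev_id, serial, platform, model, owner="company"):
    return {"id": dev_id, "serialNumber": serial, "operatingSystem": platform,
            "model": model, "managedDeviceOwnerType": owner}

SAMPLE_DEVICES = [
    make_device("d1", "C02XYZ", "macOS", "MacBook Pro"),
    make_device("d2", "5CG123", "Windows", "HP EliteBook 840 G8"),
    make_device("d3", "7XK456", "Windows", "Dell OptiPlex 7090"),
    make_device("d4", "", "Android", "Pixel 7"),
    make_device("d5", "F9ABC", "iOS", "iPhone 14", owner="personal"),
    make_device("d6", "ZZ999", "Windows", "Custom Build"),
]

# Platform-based detection; which asset type each platform maps to is assumed here.
PLATFORM_TYPES = {"ios": "mobile", "android": "mobile", "macos": "laptop"}

# Regex pattern matching for Windows devices, using the model patterns listed above.
WINDOWS_MODEL_PATTERNS = [
    ("laptop", re.compile(r"Dell XPS|HP EliteBook|Lenovo ThinkPad|Microsoft Surface Laptop", re.I)),
    ("tablet", re.compile(r"Microsoft Surface Pro|Surface Go", re.I)),
    ("desktop", re.compile(r"Dell OptiPlex|HP EliteDesk", re.I)),
    ("mobile", re.compile(r"iPhone|iPad", re.I)),
]

def detect_device_type(device):
    """Return laptop/tablet/desktop/mobile, or None when the type cannot be determined."""
    platform = (device.get("operatingSystem") or "").lower()
    if platform in PLATFORM_TYPES:
        return PLATFORM_TYPES[platform]
    model = device.get("model") or ""
    for asset_type, pattern in WINDOWS_MODEL_PATTERNS:
        if pattern.search(model):
            return asset_type
    return None

def sync_eligibility(device):
    """Apply the skip rules; returns (eligible, detected type or skip reason)."""
    if device.get("managedDeviceOwnerType") != "company":
        return False, "not corporate-owned"
    if not device.get("serialNumber"):
        return False, "missing serial number"
    asset_type = detect_device_type(device)
    if asset_type is None:
        return False, "unknown device type"  # skipped and logged
    if asset_type == "desktop":
        return False, "desktop excluded"
    return True, asset_type
```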
Sync Behavior
What happens during sync
- The system performs an automated data sync from Microsoft Intune once daily
- Only corporate-owned devices (managedDeviceOwnerType: company) are synced - personal devices are excluded
- Devices without serial numbers are skipped
- Desktop devices are skipped
- For existing assets, status and assignee ID are preserved by default. You can opt in to MDM-Driven Assignee Updates to allow Intune to update the allwhere assignee
- If a device is removed from Intune, the corresponding allwhere asset remains unchanged by default. With MDM-Driven Assignee Updates enabled, lifecycle-end detection may transition the asset
- Batch processing (50 devices per batch) ensures reliable sync for large organizations
Manual sync
The UI includes a "Sync Now" button with a 30-minute debounce period to prevent excessive syncing. This feature ensures admins can trigger immediate syncs when needed while protecting API rate limits.
Sync statistics
The integration status page displays:
- Last sync time and next scheduled sync
- Devices synced count (successfully processed)
- Devices unsynced count (skipped or failed)
- Historical list of all devices that have been successfully synced from Intune
Security
- No customer credentials are stored - only the Tenant ID (non-sensitive identifier)
- allwhere's app credentials are stored securely as environment variables (not in database)
- The activationLockBypassCode field contains sensitive data and is stored securely on the asset record
- Only the minimum required permission (DeviceManagementManagedDevices.Read.All) is requested
- All communication uses HTTPS exclusively
- OAuth flows include state parameter validation to prevent CSRF attacks
Performance
- The sync process handles organizations with up to 10,000 devices without timeout
- Batch processing follows industry best practices (50 devices per batch)
- Request throttling keeps the sync within Microsoft Graph API rate limits
- Individual device failures do not fail the entire sync (isolation)
- Sync completes within 30 minutes for up to 10,000 devices
What is NOT synced
The following are explicitly out of scope for this integration:
- Bidirectional sync - No data will be pushed back to Intune
- Compliance state tracking - The complianceState field will not be synced
- Device actions - No remote wipe, lock, or other device management actions
- Personal device sync - Only corporate-owned devices will be synced
- Desktop device sync - Desktop devices will be identified and skipped
Troubleshooting
If devices are not syncing
Check that:
- Devices have serial numbers
- Devices are marked as corporate-owned in Intune
- Devices are not desktops
- Device type can be determined (platform or model pattern match)
If duplicate employees are created
This typically happens when employee records in allwhere use personal emails but Intune uses work emails. Ensure all employees in allwhere have work emails before connecting Intune.
If sync fails
- Verify the Microsoft admin who granted consent has the required permissions
- Check that consent has not been revoked in Microsoft Entra
- Contact allwhere support for assistance
Support
For questions or issues with your Microsoft Intune integration, please contact allwhere support. Ready to get started? Click here for step-by-step instructions.