Before you get started
Please read our Microsoft Intune Documentation to understand how the sync will work. Your Microsoft Intune integration may create new employee records in allwhere. We recommend reading the linked documentation to ensure this does not happen.
Prerequisites
To connect allwhere to Microsoft Intune, you must:
- Have one of the following Microsoft administrator roles in your organization:
  - Global Administrator
  - Privileged Role Administrator
  - Cloud Application Administrator
- Have access to your organization's Microsoft Entra (Azure AD) tenant
- Be authorized to grant application permissions on behalf of your organization
Note: Unlike other MDM integrations, you do NOT need to create an App Registration or generate API tokens. allwhere handles this automatically through a secure Admin Consent flow.
How to connect Microsoft Intune to allwhere
Step 1: Navigate to Integrations
In allwhere, click the Avatar Menu, then select "Integrations".
Step 2: Initiate Intune Connection
Click "Connect" next to Microsoft Intune
Step 3: Authorize allwhere
You will see a "Connect to Microsoft Intune" button with a magic link.
Click the "Connect to Microsoft Intune" button to be redirected to Microsoft's authorization page.
Step 4: Sign in to Microsoft
Sign in with your Microsoft administrator account when prompted.
Important: You must use an account with one of the required administrator roles listed in Prerequisites.
Step 5: Review and Grant Permissions
Microsoft will display the permissions allwhere is requesting:
- DeviceManagementManagedDevices.Read.All - Read Microsoft Intune devices
Review the requested permissions and verify:
- allwhere appears as a verified publisher (blue checkmark)
- Only read-only device permissions are requested
- The permission scope matches your organization's security policies
Step 6: Accept Admin Consent
Click "Accept" to grant allwhere permission to read device data from your Microsoft Intune instance.
What happens when you click Accept:
- Microsoft creates a Service Principal for allwhere in your tenant
- Microsoft redirects you back to allwhere with authorization confirmation
- allwhere stores only your Tenant ID (no credentials)
- allwhere validates the connection by attempting to read devices
- Your initial sync begins automatically
Step 7: Confirm Connection
You will be redirected back to allwhere and see the Microsoft Intune integration status page.
The page will display:
- Connection status: Connected
- Initial sync progress
- Last sync time
- Synced devices count
Your sync will begin immediately once the connection is established.
Security and Privacy
What allwhere stores
- Tenant ID only - Your Azure AD directory identifier (non-sensitive)
- No customer credentials - No passwords, secrets, or API tokens are stored
- No user credentials - allwhere never sees or stores your Microsoft login credentials
What allwhere accesses
allwhere can only:
- Read device information from Microsoft Intune (read-only permission)
- Access corporate-owned devices only
- Retrieve device specifications and assignee information
allwhere cannot:
- Modify or delete devices
- Change device settings or configuration
- Access personal devices
- Perform device actions (wipe, lock, etc.)
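To confirm after consent that the Service Principal holds only the read-only permission listed in Step 5, you can compare what the tenant actually granted against that one permission. The sketch below is an added example, not code from allwhere or Microsoft; it assumes you have already fetched the Service Principal's `appRoleAssignments` and `oauth2PermissionGrants` from Microsoft Graph along with the `appRoles` of each resource, and the function name `audit_grants` and all GUIDs in the sample data are constructed for illustration.

```python
import json

# Permission the page lists in Step 5; anything else granted is unexpected.
EXPECTED = {"DeviceManagementManagedDevices.Read.All"}

def audit_grants(assignments, roles_by_resource, delegated_grants, expected=EXPECTED):
    """Return (unexpected, missing) permission names for one service principal."""
    granted = set()
    for a in assignments:
        # Resolve the role GUID against the appRoles of the resource it belongs to.
        roles = {r["id"]: r["value"] for r in roles_by_resource.get(a["resourceId"], [])}
        # An unresolvable GUID is reported rather than silently dropped.
        granted.add(roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"]))
    for g in delegated_grants:
        # Delegated grants carry a space-separated scope string.
        granted.update((g.get("scope") or "").split())
    return sorted(granted - expected), sorted(expected - granted)

# Constructed sample data shaped like Graph responses; every GUID here is made up.
GRAPH_SP = "aaaaaaaa-0000-0000-0000-000000000000"
ROLES = {GRAPH_SP: [
    {"id": "11111111-0000-0000-0000-000000000001",
     "value": "DeviceManagementManagedDevices.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000002",
     "value": "DeviceManagementManagedDevices.ReadWrite.All"},
]}
CLEAN = [{"resourceId": GRAPH_SP, "appRoleId": "11111111-0000-0000-0000-000000000001"}]
DRIFTED = CLEAN + [{"resourceId": GRAPH_SP,
                    "appRoleId": "11111111-0000-0000-0000-000000000002"}]

if __name__ == "__main__":
    for label, rows, delegated in (("clean", CLEAN, []),
                                   ("drifted", DRIFTED, [{"scope": "User.Read"}])):
        unexpected, missing = audit_grants(rows, ROLES, delegated)
        print(json.dumps({"case": label, "unexpected": unexpected, "missing": missing}))
```

An empty `unexpected` list with an empty `missing` list matches the read-only scope described on this page; a non-empty `missing` list corresponds to consent that was never granted or was later revoked.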
How to revoke access
To disconnect Microsoft Intune from allwhere:
- In allwhere, navigate to Integrations > Microsoft Intune
- Click the "Disconnect" button
- Confirm disconnection
To fully revoke permissions in Microsoft:
- Sign in to Microsoft Entra Admin Center
- Navigate to Identity > Applications > Enterprise applications
- Search for "Allwhere Intune Integration"
- Click on the application
- Click "Delete" to remove the Service Principal from your tenant
Sync Behavior
What gets synced
- Corporate-owned devices only - Personal devices are automatically excluded
- Laptops, Tablets, Mobile devices - Desktop computers are automatically skipped
- Devices with serial numbers - Devices without serial numbers are skipped
- Device specifications - Make, model, OS, memory, storage, etc.
- User assignments - Email, name, and device assignments
When sync happens
- Initial sync - Begins immediately after connection
- Daily sync - Runs automatically once per day
- Manual sync - Click the "Sync Now" button (30-minute cooldown between manual syncs)
What does NOT get synced
- Personal devices (managedDeviceOwnerType: personal)
- Desktop computers
- Devices without serial numbers
- Devices where type cannot be determined
- Compliance state or policy information
Troubleshooting
"Permission denied" or "Access denied" error
Cause: Your account does not have the required Microsoft administrator role.
Solution: Ask a Global Administrator, Privileged Role Administrator, or Cloud Application Administrator to complete the connection process.
"Admin consent has not been granted" error
Cause: The consent was not successfully granted or was revoked.
Solution:
- Disconnect the integration in allwhere
- Start the connection process again
- Ensure you click "Accept" on the Microsoft consent screen
Devices are not syncing
Possible causes:
- Devices do not have serial numbers
- Devices are marked as personal (not corporate-owned)
- Devices are desktops
- Device type cannot be determined from model name
Solution: Review the sync statistics on the integration page to see the count of unsynced devices. Check that your devices in Microsoft Intune meet the minimum requirements listed in the FAQ.
Duplicate employees are being created
Cause: Employee records in allwhere use personal emails but Microsoft Intune uses work emails.
Solution: Before connecting, ensure all employees in allwhere have work emails associated with them. See the FAQ for more details.
Microsoft consent screen shows "Unverified" warning
Cause: This should not occur - allwhere is a verified publisher.
Solution: If you see an unverified warning:
- Do NOT proceed with consent
- Contact allwhere support immediately
- Verify you are using the correct consent link provided by allwhere
Ready to learn more?
Click here to learn how the integration works
Need help?
If you encounter issues not covered in this guide, please contact allwhere support.