Alerting changes in Intune environment using Azure Event Hub and Azure Logic Apps

Sometimes, especially in large environments, keeping track of who is making which changes within Intune can be a pain, and there is always that one time when change control isn't followed and something breaks.

In this post I'm going to configure Intune to send its Audit Logs to an Azure Event Hub and then use Azure Logic Apps to send an email when an item hits the log.

First up, create a Resource Group in Azure to hold everything and keep it all neat and tidy.

Next, create the Event Hubs namespace and the Event Hub.

In Azure, search for Event Hubs and click the Create button.

Once completed, add an event hub within the new namespace.

Finally, within Event Hubs, navigate back to the main namespace and add a SAS policy.

Make a note of the Primary Access code; you'll need this in the Logic App later.

Now, load up Intune, go to Tenant Administration and click on Diagnostics Settings.

Add a new setting and point it to the Event Hub we created earlier.

Now that's in place, we need to build the Logic App.

Within Azure, search for Logic Apps and create a new Logic App.

For the Trigger, search for Event Hub and enter the SAS connection string created earlier.

For the Action, search for Office 365 and select Send an email.

After signing in, populate your email content. If you select the Content dynamic variable, the email will include the full details of whatever has happened in Intune.

And now if we look at our email, we can see the results.
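The Content variable delivers the raw audit event, which is hard to read in an email. The following is an added example, not part of the original post, of a script step that reduces that content to a who/what/changed summary. The field names (`records`, `operationName`, `identity`, `properties.Actor.UPN`, `properties.Targets[].ModifiedProperties`) are assumptions about the diagnostic log schema and should be checked against your own events; the sample message is constructed.

```javascript
// Added example: summarize an Intune audit-log Event Hub message as plain text.
// Field names below are assumptions about the diagnostic log schema;
// compare them with a real event from your hub before relying on them.

// Constructed sample message, not captured from a real tenant.
const SAMPLE = JSON.stringify({ records: [{
  time: "2024-01-15T10:32:07Z", category: "AuditLogs",
  operationName: "Patch DeviceCompliancePolicy", resultType: "Success",
  identity: "admin@example.com",
  properties: {
    Actor: { UPN: "admin@example.com" },
    Targets: [{ Name: "Windows Compliance Baseline", ModifiedProperties: [
      { Name: "PasswordRequired", Old: "True", New: "False" },
      { Name: "Description", Old: null, New: null } ] }]
  }
}] });

// Accepts the event body as a JSON string, a base64-encoded JSON string, or an object.
function parseBody(body) {
  if (typeof body !== "string") return body;
  try { return JSON.parse(body); }
  catch { return JSON.parse(Buffer.from(body, "base64").toString("utf8")); }
}

// Returns one summary string per audit record, listing only properties that changed.
function summarize(body) {
  const msg = parseBody(body);
  const records = Array.isArray(msg.records) ? msg.records : [msg];
  return records.map((r) => {
    const p = r.properties || {};
    const who = (p.Actor && p.Actor.UPN) || r.identity || "unknown actor";
    const lines = [`${r.time} ${who} ${r.operationName} (${r.resultType})`];
    for (const t of p.Targets || []) {
      lines.push(`  Target: ${t.Name}`);
      for (const m of t.ModifiedProperties || []) {
        if (m.Old === m.New) continue; // unchanged property, skip the noise
        lines.push(`    ${m.Name}: ${m.Old ?? "<empty>"} -> ${m.New ?? "<empty>"}`);
      }
    }
    return lines.join("\n");
  });
}

console.log(summarize(SAMPLE).join("\n\n"));
```

The output is plain text; if it is placed in an HTML email body, HTML-escape the values first, since policy names and property values are free-form strings.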

Hopefully this is of use. Keep an eye on costs, though, if you go for a Consumption plan; those events could soon start to stack up!

8 thoughts on “Alerting changes in Intune environment using Azure Event Hub and Azure Logic Apps”

  1. Hi,
    Thanks for your tips.
    Is there a way to have a better outcome? Because when you receive this kind of mail, it could be nice if we can have a nice view as in Intune, for example.

  2. Hi Andrew, thanks for the detailed guide. About the email formatting, I know you directed us to another blog; however, it doesn't come out well. Will you be able to provide clarification on how the output can be made human readable to identify where the change occurred?
