Microsoft Intune
Pulls managed device inventory from Microsoft Intune (MDM) into Clariti — device compliance status, OS versions, encryption state, and last check-in timestamps. This gives you a real-time view of your endpoint fleet's health alongside your other security assets.
What You'll Need
- Global Administrator or Application Administrator role in Entra ID
- Microsoft Intune license (included in Microsoft 365 Business Premium, E3, E5)
- About 10 minutes (or about 2 minutes if reusing your Entra ID app registration)
- A Clariti account with adapter setup permissions
If you already set up the Microsoft Entra ID adapter, you can reuse the same app registration. Just add one more permission and re-grant consent — skip ahead to Step 5.
Configure in Microsoft Entra
Open App Registrations
Navigate to: entra.microsoft.com → App registrations → New registration
Navigate to entra.microsoft.com, then go to Identity → Applications → App registrations in the left sidebar. Click New registration at the top.
If you're reusing an existing Clariti app registration, find it in the list and click on it, then skip to Step 5.
Why: Clariti needs a registered application in your tenant. If you already have one from the Entra ID adapter setup, skip to Step 5.
Register the Application
Navigate to: App registrations → Register an application
Fill in the registration form:
- Name: Clariti AI
- Supported account types: Select Accounts in this organizational directory only
- Redirect URI: Leave blank
Click Register.
Why: Creates the identity Clariti uses to call the Intune API. Skip this if reusing an existing registration.
Copy Application and Tenant IDs
Navigate to: App registration → Overview page
On the Overview page, copy:
- Application (client) ID
- Directory (tenant) ID
Both values are on the App Registration Overview page. The Application (client) ID is the GUID in the middle row. The Directory (tenant) ID is just below it.
Why: These two GUIDs identify your app and tenant. Skip this if you already have them from Entra ID setup.
Create a Client Secret
Navigate to: App registration → Certificates & secrets
Go to Certificates & secrets → Client secrets tab → New client secret.
- Description: Clariti-AI
- Expires: 12 or 24 months recommended
Click Add and immediately copy the Value.
Client secret values are only visible at creation. If you navigate away and see dots, the value is gone — you'll need to create a new secret.
Why: The client secret authenticates Clariti's API calls. Skip if reusing credentials from Entra ID setup.
Add Intune Device Permission
Navigate to: App registration → API permissions → Add a permission
Go to API permissions → Add a permission → Microsoft Graph → Application permissions.
Search for and add:
- DeviceManagementManagedDevices.Read.All — Read Microsoft Intune devices
Click Add permissions.
This permission specifically grants access to Intune's device management data — compliance status, OS versions, encryption state, and check-in history. It's separate from the directory permissions used by the Entra ID adapter.
Why: This permission grants read access to Intune managed device data. Even if you already set up Entra ID permissions, you need to add this one specifically for Intune.
📋 Copy the permission name DeviceManagementManagedDevices.Read.All — you'll need it in Clariti.
Grant Admin Consent
Navigate to: API permissions page
Click Grant admin consent for [your organization] → Yes.
Verify that all permissions (including any Entra ID permissions if this is a shared registration) show green checkmarks.
Even if you already granted admin consent for the Entra ID adapter, you must click Grant admin consent again after adding the Intune permission. Consent is not automatically extended to newly added permissions.
Why: You must re-grant admin consent any time you add new permissions — even if you previously granted consent for other permissions on this same app registration.
Enter Credentials in Clariti
Navigate to Adapters → Add Adapter → Microsoft Intune and enter the values:
| Value from vendor console | Paste into Clariti field |
|---|---|
| Application (client) ID | Client ID |
| Directory (tenant) ID | Tenant / Directory ID |
| Client secret value | Client Secret |
Verify Connection
Click Test Connection. A green checkmark confirms Clariti can reach the Intune API. Your first sync pulls managed device inventory within a few minutes — you'll see devices with their compliance status, OS details, and encryption state in your asset inventory.
Troubleshooting
403 Forbidden
The most common cause: your Intune license is not assigned or not active. Verify in the Microsoft 365 admin center that Intune licenses are assigned to your tenant and that the service is active. Also confirm the DeviceManagementManagedDevices.Read.All permission shows "Granted" status.
401 Unauthorized
Admin consent was not granted for the device management permission specifically. Even if you granted consent for Entra ID permissions before, you need to re-grant after adding the Intune permission. Go to API permissions and click Grant admin consent again.
400 Bad Request
Verify your Tenant ID and Client ID are correct. If you're reusing credentials from the Entra ID adapter, double-check that you're entering the same values — a common mistake is mixing up credentials from different app registrations.
No devices appearing after sync
If the connection succeeds but no devices show up, verify that devices are actually enrolled in Intune. Check the Intune admin center at intune.microsoft.com → Devices to confirm your fleet is enrolled.
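To check the ID and consent problems above before pasting anything into Clariti, the following added example (not Clariti's or Microsoft's code) validates the two GUIDs and reads the `roles` claim of an app-only Microsoft Graph token to see whether DeviceManagementManagedDevices.Read.All was actually consented, listing any other application permissions on a shared registration for review. The environment variable names and the sample token are assumptions constructed for illustration; the token's signature is not verified because this is inspection only.

```python
import base64, json, os, re, urllib.parse, urllib.request

REQUIRED_ROLE = "DeviceManagementManagedDevices.Read.All"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def check_ids(tenant_id, client_id):
    """Catch the copy/paste mistakes behind the 400 Bad Request case."""
    problems = [name for name, value in (("tenant", tenant_id), ("client", client_id))
                if not GUID.match(value)]
    if not problems and tenant_id.lower() == client_id.lower():
        problems.append("tenant and client IDs are identical")
    return problems

def fetch_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the Microsoft identity platform."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    req = urllib.request.Request(url, data=body)  # data present, so this is a POST
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """Return the application permissions ('roles' claim) from the JWT payload."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def consent_report(access_token):
    roles = token_roles(access_token)
    return {"intune_read_granted": REQUIRED_ROLE in roles,
            "other_roles": sorted(r for r in roles if r != REQUIRED_ROLE)}

def make_sample_token(roles):
    """Constructed, unsigned token used only for the offline demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), ""])

if __name__ == "__main__":
    env = os.environ  # AZ_* names are hypothetical; set them to test a real tenant
    if env.get("AZ_CLIENT_SECRET"):
        token = fetch_token(env["AZ_TENANT_ID"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"])
    else:
        token = make_sample_token(["User.Read.All"])  # consent for Intune not yet granted
    print(consent_report(token))
```

If `intune_read_granted` is false for a freshly issued token, admin consent has not been re-granted since the permission was added.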