Microsoft Intune
Pulls managed device inventory from Microsoft Intune (MDM) into Clariti — device compliance status, OS versions, encryption state, and last check-in timestamps. This gives you a real-time view of your endpoint fleet's health alongside your other security assets.
What this adapter actually does for you
Once connected, Clariti pulls the inventory of every device enrolled in Intune for your tenant, plus the compliance policies you've defined. Each device shows up in Clariti's asset list with three pieces of information that matter for posture:
- Compliance state —
compliant,noncompliant,inGracePeriod, ornotEvaluated. A noncompliant device that signs in to Microsoft 365 is the canonical "what's exposing me right now" question Clariti was built to answer. - Encryption posture — BitLocker (Windows) or FileVault (macOS) status as Intune sees it. Feeds the
encryption_rateposture metric. - Patch currency — the OS version and last check-in time. Devices that haven't checked in for 30+ days are surfaced as stale assets.
If you also have the Entra ID adapter connected, Clariti cross-references the two: a user signing into Microsoft 365 from a device that is not enrolled in Intune is flagged as an unmanaged device exposure. That's the single highest-value Intune signal for an SMB — it tells you exactly which BYOD or contractor laptops are walking around your tenant with no policy enforcement.
What this adapter does NOT pull
We deliberately stay narrow on Intune. The adapter does not pull:
- App inventory or installed software lists (privacy-sensitive; covered by separate adapters when needed).
- User identity, group memberships, or sign-in logs (that's Entra ID's job — different adapter).
- File or document content from synced OneDrive / SharePoint endpoints (out of scope).
- Conditional access policy definitions (read separately via the Secure Score adapter).
- Any write actions. Clariti never wipes, locks, retires, or modifies a device. The Graph API permission we request is read-only.
If you want any of those, look at the Microsoft Entra ID, Microsoft Secure Score, or Microsoft Purview adapters in the catalog.
What You'll Need
- Global Administrator or Application Administrator role in Entra ID
- Microsoft Intune license (included in Microsoft 365 Business Premium, E3, E5)
- About 10 minutes (or about 2 minutes if reusing your Entra ID app registration)
- A Clariti account with adapter setup permissions
If you already set up the Microsoft Entra ID adapter, you can reuse the same app registration. Just add one more permission and re-grant consent — skip ahead to Step 5.
Configure in Microsoft Entra
Open App Registrations
Navigate to: entra.microsoft.com → App registrations → New registration
Navigate to entra.microsoft.com, then go to Identity → Applications → App registrations in the left sidebar. Click New registration at the top.
If you're reusing an existing Clariti app registration, find it in the list and click on it, then skip to Step 5.
Why: Clariti needs a registered application in your tenant. If you already have one from the Entra ID adapter setup, skip to Step 5.
Register the Application
Navigate to: App registrations → Register an application
Fill in the registration form:
- Name:
Clariti AI - Supported account types: Select Accounts in this organizational directory only
- Redirect URI: Leave blank
Click Register.
Why: Creates the identity Clariti uses to call the Intune API. Skip this if reusing an existing registration.
Copy Application and Tenant IDs
Navigate to: App registration → Overview page
On the Overview page, copy:
- Application (client) ID
- Directory (tenant) ID
Both values are on the App Registration Overview page. The Application (client) ID is the GUID in the middle row. The Directory (tenant) ID is just below it.
Why: These two GUIDs identify your app and tenant. Skip this if you already have them from Entra ID setup.
Create a Client Secret
Navigate to: App registration → Certificates & secrets
Go to Certificates & secrets → Client secrets tab → New client secret.
- Description:
Clariti-AI - Expires: 12 or 24 months recommended
Click Add and immediately copy the Value.
Client secret values are only visible at creation. If you navigate away and see dots, the value is gone — you'll need to create a new secret.
Why: The client secret authenticates Clariti's API calls. Skip if reusing credentials from Entra ID setup.
Add Intune Device Permission
Navigate to: App registration → API permissions → Add a permission
Go to API permissions → Add a permission → Microsoft Graph → Application permissions.
Search for and add:
- DeviceManagementManagedDevices.Read.All — Read Microsoft Intune devices
Click Add permissions.
This permission specifically grants access to Intune's device management data — compliance status, OS versions, encryption state, and check-in history. It's separate from the directory permissions used by the Entra ID adapter.
Why: This permission grants read access to Intune managed device data. Even if you already set up Entra ID permissions, you need to add this one specifically for Intune.
📋 Copy the DeviceManagementManagedDevices.Read.All — you'll need it in Clariti.
Grant Admin Consent
Navigate to: API permissions page
Click Grant admin consent for [your organization] → Yes.
Verify that all permissions (including any Entra ID permissions if this is a shared registration) show green checkmarks.
Even if you already granted admin consent for the Entra ID adapter, you must click Grant admin consent again after adding the Intune permission. Consent is not automatically extended to newly added permissions.
Why: You must re-grant admin consent any time you add new permissions — even if you previously granted consent for other permissions on this same app registration.
Enter Credentials in Clariti
In Clariti, go to Connectors → Integrations and connect Microsoft 365 — Intune data flows through that connection. If entering app-registration values manually:
| Value from vendor console | Paste into Clariti field |
|---|---|
Application (client) ID | Client ID |
Directory (tenant) ID | Tenant / Directory ID |
Client secret value | Client Secret |
Verify Connection
Click Test Connection. A green checkmark confirms Clariti can reach the Intune API. Your first sync pulls managed device inventory within a few minutes — you'll see devices with their compliance status, OS details, and encryption state in your asset inventory.
What you'll see after connect
Within ~2 minutes of a successful connect, the Assets screen in Clariti will show:
- One row per Intune-enrolled device, labelled Microsoft Intune in the source chip. Click any row for the full compliance breakdown — OS version, compliance state, encryption posture, last check-in.
- Your MDM coverage tile on the dashboard turns green once Intune devices land. Clariti treats Intune enrollment as the MDM signal — it doesn't second-guess Intune by looking at the per-device BitLocker/FileVault flag. If a device is enrolled in Intune, Clariti trusts that your Intune compliance policy enforces encryption. The raw
is_encryptedfield is still visible on the device card if you want to verify directly. - If your tenant has non-compliant devices, a Finding card titled "N non-compliant device(s) in Intune" appears in the Findings list with the offending device names and a remediation checklist.
- If you also have Entra ID connected, devices that sign into Microsoft 365 but are missing from the Intune inventory get flagged as "Unmanaged device exposure" findings — the most common SMB Intune signal worth acting on.
Troubleshooting
403 Forbidden The most common cause: your Intune license is not assigned or not active. Verify in the Microsoft 365 admin center that Intune licenses are assigned to your tenant and that the service is active. Also confirm the DeviceManagementManagedDevices.Read.All permission shows "Granted" status.
401 Unauthorized Admin consent was not granted for the device management permission specifically. Even if you granted consent for Entra ID permissions before, you need to re-grant after adding the Intune permission. Go to API permissions and click Grant admin consent again.
400 Bad Request Verify your Tenant ID and Client ID are correct. If you're reusing credentials from the Entra ID adapter, double-check that you're entering the same values — a common mistake is mixing up credentials from different app registrations.
No devices appearing after sync If the connection succeeds but no devices show up, verify that devices are actually enrolled in Intune. Check the Intune admin center at intune.microsoft.com → Devices to confirm your fleet is enrolled.
Client secret expired Client secrets in Entra ID expire (12 or 24 months by default). When the secret expires, the connection fails with a 401 and Clariti's adapter card turns red. To rotate: go back to Certificates & secrets in the app registration, click New client secret, copy the new value, and paste it into Clariti's adapter settings. Old secret can be deleted after the new one is verified working.
API rate limits and polling cadence
Microsoft Graph rate-limits its tenant-wide endpoints at roughly 6,000 requests per 5 minutes per app per tenant. Clariti polls Intune once per hour by default. A poll for a 200-device tenant uses ~3 requests (devices paginated 100 at a time + a compliance-policy lookup), so even with all five Microsoft adapters polling on the same schedule you'd use ~25 requests every 60 minutes — about 0.4% of the rate-limit ceiling.
If you hit a 429 (rate limited) response — almost always from running other Graph-API tools alongside Clariti — the adapter honours Microsoft's Retry-After header (capped at 60 seconds, up to 3 retries per request) so a transient throttle doesn't drop the poll cycle's data or burn an ERROR-state slot. The same retry behaviour applies to 503 responses during Graph regional maintenance. If throttling persists across the full retry budget, the request surfaces a recognisable 429 in the run log; 5 consecutive failed polls move the adapter to ERROR state and the catalog card turns red. To recover, wait an hour for the throttle window to clear, then click Reconnect in the adapter settings.
If you want a tighter polling cadence (e.g. every 15 minutes for change-heavy environments), speak to support before changing it — aggressive polling across a fleet of tenants is what gets app registrations throttled by Microsoft.
Devices that are offline (powered off, on a plane, lost) don't disappear from the inventory — Intune keeps the last-known state and last_seen timestamp. Clariti surfaces devices that haven't checked in for over 30 days as stale assets so they show up in your housekeeping queue without being noise.