# Intune

<figure><img src="/files/Gb4AY8wPsY7lMEyGd5XQ" alt=""><figcaption></figcaption></figure>

### What you get

* **Live device inventory** — every Intune-enrolled device appears in Siit with model, OS, serial number, and compliance status.
* **Ownership mapping** — Intune's primary user populates the Siit Equipment owner automatically.
* **One-click actions from any request** — Lock, Wipe, and Open in Intune, directly from the request side panel.
* **Multi-OS coverage** — Windows, macOS, iOS, iPadOS, and Android devices all sync into the same Equipment inventory.
* **Audit trail** — every action triggered from Siit is logged on the request timeline.

### What syncs from Intune

| Fields                                                                  |
| ----------------------------------------------------------------------- |
| Device name, serial number, Intune device ID, Entra ID device object ID |
| Model, manufacturer, processor, memory, storage                         |
| OS (Windows / macOS / iOS / iPadOS / Android), OS version, build        |
| Primary user (UPN / email), enrollment type (corporate / personal)      |
| Enrollment state, compliance state, last sync time                      |
| Encryption status, compliance policy status, jailbreak / root detection |

Devices are matched to Siit People using the primary user's work email (UPN or mail attribute).
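The matching rule above is simple but has two failure modes worth seeing in code: a primary user that is missing in Intune, and a UPN that exists in Intune but not in Siit (both appear again under Troubleshooting). The script below is an added example, not Siit's own code. It uses the Microsoft Graph `managedDevice` field names (`userPrincipalName`, `emailAddress`, `serialNumber`, `lastSyncDateTime`); the Siit People shape, the alias list and the 7-day staleness window are assumptions for this example, and all records are constructed.

```python
"""Match Intune devices to Siit people by the primary user's UPN or mail.
Added example, not Siit's own code. Field names follow Graph managedDevice;
the People shape and the 7-day staleness window are assumptions."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=7)  # assumption: no check-in for 7 days = stale

# Constructed sample data, not real tenant records.
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_PEOPLE = [
    {"id": "p-001", "email": "alice.martin@example.com", "aliases": ["amartin@example.com"]},
    {"id": "p-002", "email": "bob.lee@example.com", "aliases": []},
]

SAMPLE_DEVICES = [
    # UPN differs only in case from the Siit record: must still match
    {"id": "dev-001", "serialNumber": "C02ABC123", "userPrincipalName": "Alice.Martin@Example.COM",
     "emailAddress": "", "lastSyncDateTime": "2025-03-01T09:00:00Z"},
    # No primary user assigned in Intune: owner stays empty, reason says why
    {"id": "dev-002", "serialNumber": "SN-0002", "userPrincipalName": "", "emailAddress": "",
     "lastSyncDateTime": "2025-02-28T18:30:00Z"},
    # Primary user exists in Intune but not in Siit, and the device has not checked in for weeks
    {"id": "dev-003", "serialNumber": "SN-0003", "userPrincipalName": "carol.ng@example.com",
     "emailAddress": "carol.ng@example.com", "lastSyncDateTime": "2025-01-20T08:00:00Z"},
]


def normalize_email(value):
    """Trim and lower-case so UPN and mail compare case-insensitively."""
    if not value:
        return None
    return value.strip().lower()


def build_person_index(people):
    """Map every known address (work email plus aliases) to a Siit person id.
    Two people sharing an address would make ownership ambiguous, so refuse."""
    index = {}
    for person in people:
        for addr in [person["email"], *person.get("aliases", [])]:
            key = normalize_email(addr)
            if key is None:
                continue
            if index.get(key, person["id"]) != person["id"]:
                raise ValueError(f"address {key} belongs to more than one person")
            index[key] = person["id"]
    return index


def parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; make it a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def map_device_owners(devices, people, now=None):
    """One row per device: owner id (or None plus a reason) and a stale flag."""
    now = now or datetime.now(timezone.utc)
    index = build_person_index(people)
    rows = []
    for device in devices:
        # Prefer the UPN, fall back to the mail attribute, as the sync does
        primary = (normalize_email(device.get("userPrincipalName"))
                   or normalize_email(device.get("emailAddress")))
        if primary is None:
            owner, reason = None, "no primary user assigned in Intune"
        elif primary in index:
            owner, reason = index[primary], None
        else:
            owner, reason = None, f"no Siit person with address {primary}"
        last_sync = parse_graph_time(device["lastSyncDateTime"])
        rows.append({
            "intune_id": device["id"],
            "serial": device["serialNumber"],
            "owner": owner,
            "reason": reason,
            "stale": (now - last_sync) > STALE_AFTER,
        })
    return rows


if __name__ == "__main__":
    for row in map_device_owners(SAMPLE_DEVICES, SAMPLE_PEOPLE, now=NOW):
        print(row)
```

Running it prints three rows: `dev-001` resolves to `p-001` despite the mixed-case UPN, `dev-002` stays unowned with the "no primary user" reason, and `dev-003` is both unowned and flagged stale, which is the combination the Troubleshooting section tells you to look for (assign a primary user, then confirm the device is still checking in).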

### Actions available

Available from the request side panel on any device:

* **Lock device** — sends a remote lock command via Intune (Windows, iOS, iPadOS, Android). Whether the lock takes effect depends on Intune's own platform support: Intune offers remote lock for iOS/iPadOS, Android and macOS (where it sets a recovery PIN) but has no remote lock action for Windows desktop devices, so check the command's status in the admin center if a device does not lock.
* **Wipe device** — sends a remote wipe command via Intune (irreversible).
* **Open in Intune** — deep-links to the full device record in the Microsoft Intune admin center.

> **Heads up** — Wipe is irreversible and immediate. Intune offers two wipe modes (Retire: removes corporate data only; Wipe: full factory reset). Siit currently exposes the full Wipe action — confirm the device, requester, and context carefully before running it.
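Because Wipe is irreversible, it is worth seeing what "confirm the device, requester, and context" looks like as enforced checks rather than a reminder. The code below is an added example, not Siit's own code. It puts guards in front of Intune's documented device actions (`POST /deviceManagement/managedDevices/{id}/remoteLock` and `.../wipe`): the target must match the synced record by Intune device ID and serial number, Wipe is refused on personal (BYOD) enrollments where Retire is the right tool, and every decision, refused or sent, lands in an audit list. The `send` callable is injected so the example runs offline (`dry_run_send` records the request instead of calling Graph); the inventory records, IDs and names are constructed, and `graph_sender` is the live path you would plug in with an app-only token holding `DeviceManagementManagedDevices.PrivilegedOperations.All`.

```python
"""Guarded Lock / Wipe against a synced Intune device record.
Added example, not Siit's own code. Inventory and names are constructed;
the Graph endpoints and wipe body parameters are Intune's documented ones."""
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed inventory, shaped like the Graph managedDevice fields Siit syncs.
INVENTORY = {
    "dev-corp-1": {"serialNumber": "C02ABC123", "managedDeviceOwnerType": "company",
                   "operatingSystem": "macOS", "userPrincipalName": "alice.martin@example.com"},
    "dev-byod-1": {"serialNumber": "SN-BYOD-1", "managedDeviceOwnerType": "personal",
                   "operatingSystem": "iOS", "userPrincipalName": "bob.lee@example.com"},
}


class ActionRefused(Exception):
    """Raised when a guard fails; nothing is sent to Intune."""


def dry_run_send(method, url, body):
    """Stand-in for the HTTP call: returns what would have been sent."""
    return {"status": 202, "method": method, "url": url, "body": body}


def graph_sender(access_token):
    """Real sender: POSTs the action to Microsoft Graph with a bearer token."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return {"status": resp.status, "method": method, "url": url, "body": body}
    return send


def run_device_action(action, device_id, serial, requester, inventory, audit, send=dry_run_send):
    """Validate, then send Lock or Wipe for one device. Returns the send() result."""
    entry = {"action": action, "device_id": device_id, "serial": serial, "requester": requester}

    def refuse(why):
        audit.append({**entry, "outcome": f"refused: {why}"})
        raise ActionRefused(why)

    if action not in ("lock", "wipe"):
        refuse(f"unknown action {action!r}")
    device = inventory.get(device_id)
    if device is None:
        refuse("device not in synced inventory")
    # Serial must match the record: catches an agent acting on the wrong device
    if device["serialNumber"] != serial:
        refuse(f"serial mismatch (inventory has {device['serialNumber']})")
    # Full wipe factory-resets personal data too; BYOD devices need Retire, not Wipe
    if action == "wipe" and device["managedDeviceOwnerType"] != "company":
        refuse("wipe refused on personal enrollment; use Retire in the Intune admin center")

    endpoint = "remoteLock" if action == "lock" else "wipe"
    # Wipe accepts options; these two Graph parameters request a full reset
    body = {"keepEnrollmentData": False, "keepUserData": False} if action == "wipe" else None
    url = f"{GRAPH}/deviceManagement/managedDevices/{quote(device_id, safe='')}/{endpoint}"
    result = send("POST", url, body)
    audit.append({**entry, "outcome": f"sent: HTTP {result['status']}"})
    return result


if __name__ == "__main__":
    log = []
    print(run_device_action("lock", "dev-corp-1", "C02ABC123", "agent@example.com", INVENTORY, log))
    try:
        run_device_action("wipe", "dev-byod-1", "SN-BYOD-1", "agent@example.com", INVENTORY, log)
    except ActionRefused as exc:
        print("refused:", exc)
    for line in log:
        print(line)
```

Refusals are written to the audit list before the exception is raised, so a blocked Wipe is as visible on the timeline as a sent one. To use it for real, pass `send=graph_sender(token)`; the guards run identically, and the only difference is that the final `send` reaches Graph.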

### Before you connect

* You'll need an account that can grant tenant-wide admin consent for Microsoft Graph permissions: a **Global Administrator** or a **Privileged Role Administrator**. An Intune Administrator alone cannot grant this consent.
* Siit is installed as an Enterprise Application in your Entra tenant via OAuth consent — no manifests, certificates, or manual app registrations required.
* The requested permissions require admin consent in any case (they are `.All` permissions), so the admin consent step is part of the install flow whether or not your tenant allows users to consent to third-party apps. If your tenant blocks user consent, nothing changes: the admin signs in and grants consent explicitly during the install flow.

{% hint style="info" %}
The steps below give you the full flow. For screenshots and the detailed walkthrough, see our Help Center guide: [Intune integration setup](https://help.siit.io/intune-integration).
{% endhint %}

### Connect Intune

1. In Siit, go to **Settings → Integrations**.
2. Find **Microsoft Intune** in the MDM section and click **Connect**. You'll be redirected to Microsoft.
3. Sign in with a Global Administrator (or Privileged Role Administrator) account.
4. Review and grant admin consent for the requested Microsoft Graph permissions:
   * `DeviceManagementManagedDevices.Read.All` — read managed device inventory
   * `DeviceManagementManagedDevices.PrivilegedOperations.All` — required for Lock and Wipe actions
   * `User.Read.All` — read user profiles (for owner mapping)
   * `Directory.Read.All` — read basic directory info
5. Once consent is granted, Microsoft redirects you back to Siit.
6. Siit runs an initial device import.
7. Review the imported devices and click **Finish setup**.

> **Tip** — Admin consent is recorded on the Siit Enterprise Application (its service principal) in your tenant, not on the signing admin's user account, so the grant survives that admin leaving the company. There is no need to consent from a shared or break-glass account; break-glass accounts exist for emergency access and are normally excluded from Conditional Access, so keep them out of routine setup. Use a named admin account so the consent is attributable in the Entra audit log, and review what was granted afterwards under **Enterprise applications → Siit → Permissions**.
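Step 4 lists exactly four Microsoft Graph permissions. After consent, the grant is visible as app-role assignments on the Siit service principal, and a practitioner will want to confirm that nothing more than those four was granted. The script below is an added example, not Siit's own code: it resolves the assignments to permission names using Microsoft Graph's own app-role catalogue and reports anything missing or in excess. The live path uses two Graph calls, `GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'&$select=id,appRoles` (that appId is Microsoft Graph's well-known one) and `GET /servicePrincipals/{siitSpId}/appRoleAssignments`, and needs a token that can read service principals (for example `Application.Read.All`). The sample responses, service-principal IDs and app-role GUIDs below are constructed, not the real role IDs.

```python
"""Check that the consent granted to the Siit service principal matches the
four documented Graph permissions. Added example, not Siit's own code.
Sample responses and GUIDs are constructed; the two Graph URLs are real."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId

EXPECTED = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "User.Read.All",
    "Directory.Read.All",
}

# Constructed stand-ins for the Graph responses (GUIDs are not the real role IDs).
GRAPH_SP_ID = "11111111-1111-4111-8111-111111111111"
OTHER_SP_ID = "22222222-2222-4222-8222-222222222222"
GRAPH_APP_ROLES = [
    {"id": "aaaa0001-0000-4000-8000-000000000001", "value": "DeviceManagementManagedDevices.Read.All"},
    {"id": "aaaa0002-0000-4000-8000-000000000002", "value": "DeviceManagementManagedDevices.PrivilegedOperations.All"},
    {"id": "aaaa0003-0000-4000-8000-000000000003", "value": "User.Read.All"},
    {"id": "aaaa0004-0000-4000-8000-000000000004", "value": "Directory.Read.All"},
    {"id": "aaaa0005-0000-4000-8000-000000000005", "value": "Directory.ReadWrite.All"},
]
# What GET /servicePrincipals/{siitSpId}/appRoleAssignments might return:
# the four expected roles, one excess write permission, and one role on another API.
SIIT_ASSIGNMENTS = [
    {"appRoleId": "aaaa0001-0000-4000-8000-000000000001", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaa0002-0000-4000-8000-000000000002", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaa0003-0000-4000-8000-000000000003", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaa0004-0000-4000-8000-000000000004", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaa0005-0000-4000-8000-000000000005", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "bbbb0001-0000-4000-8000-000000000001", "resourceId": OTHER_SP_ID},
]


def granted_graph_roles(assignments, graph_sp_id, graph_app_roles):
    """Names of Microsoft Graph app roles assigned to the service principal.
    Roles on other resources are ignored; unknown IDs are reported, not dropped."""
    names_by_id = {role["id"]: role["value"] for role in graph_app_roles}
    granted = set()
    for assignment in assignments:
        if assignment["resourceId"] != graph_sp_id:
            continue
        granted.add(names_by_id.get(assignment["appRoleId"], f"unknown:{assignment['appRoleId']}"))
    return granted


def audit_consent(assignments, graph_sp_id, graph_app_roles, expected=EXPECTED):
    """Compare the granted set with the documented set; ok only when they are equal."""
    granted = granted_graph_roles(assignments, graph_sp_id, graph_app_roles)
    return {
        "granted": granted,
        "missing": expected - granted,
        "excess": granted - expected,
        "ok": granted == expected,
    }


def fetch_live(access_token, siit_sp_id):
    """Live path. Handles one page of assignments; follow @odata.nextLink if present."""
    def get(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    flt = urllib.parse.quote(f"appId eq '{GRAPH_APP_ID}'")
    graph_sp = get(f"{GRAPH}/servicePrincipals?$filter={flt}&$select=id,appRoles")["value"][0]
    assignments = get(f"{GRAPH}/servicePrincipals/{siit_sp_id}/appRoleAssignments")["value"]
    return audit_consent(assignments, graph_sp["id"], graph_sp["appRoles"])


if __name__ == "__main__":
    print(audit_consent(SIIT_ASSIGNMENTS, GRAPH_SP_ID, GRAPH_APP_ROLES))
```

On the constructed data the report flags `Directory.ReadWrite.All` as excess and nothing as missing, which is the case to act on: revoke the extra role in the Entra admin center rather than leaving a write permission on an integration that only needs to read the directory. The same information is shown interactively under Enterprise applications → Siit → Permissions; the script is useful when you want the check repeatable or scheduled.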

### After the connection

* **Check your Equipment inventory** — go to **Resources → Equipment** and confirm the device count matches your active Intune devices.
* **Scope the sync** — in **Settings → Integrations → Microsoft Intune**, you can filter by device category, enrollment type (corporate vs. personal), or OS family.
* **Map device types** — confirm Windows and Mac devices map to "Computer"; iOS, iPadOS, and Android map to "Smartphone" / "Tablet".
* **Try an action** — open any request and run **Open in Intune** from the side panel to confirm the deep link works.

### Sync frequency

Intune device data refreshes automatically every few hours. Trigger an immediate refresh from **Settings → Integrations → Microsoft Intune → Sync now**. Actions (Lock, Wipe) execute on demand, immediately.

### Common scenarios

* **Lost device.** An employee reports a missing device in Teams. The agent opens the request, sees the device in the side panel (synced from Intune), and locks it in one click.
* **Mixed-platform fleet.** Support agents see whether a device is Windows, Mac, iOS, or Android directly on the request — essential for fleets where troubleshooting varies by OS.
* **Offboarding.** On an employee's end date, an agent wipes the returned corporate device directly from the request side panel, then confirms completion in the Intune admin center.
* **Compliance context.** Agents see a device's compliance state on the request — useful when troubleshooting access issues that stem from a non-compliant device rather than an identity problem.

### Pair with Entra ID

If you're also using Entra ID for IAM, you get a unified Microsoft stack in Siit: directory + apps + devices. On any request, agents see the requester's account, group memberships, app assignments, and every device they own — all without leaving Siit.

### Troubleshooting

**Admin consent error during install.** The signing admin cannot grant tenant-wide admin consent (Global Administrator or Privileged Role Administrator is required; Intune Administrator alone is not enough), or your tenant's consent settings route the request through the admin consent workflow for approval. Retry with an account that holds one of those roles.

**"Insufficient privileges" when running Lock or Wipe.** The `DeviceManagementManagedDevices.PrivilegedOperations.All` permission wasn't granted. Check what is actually assigned under **Enterprise applications → Siit → Permissions**, then reconnect Intune and approve the full permission set.

**Devices missing from Siit.** Check scoping in **Settings → Integrations → Microsoft Intune** (device category, enrollment type, OS filters). Also confirm the devices are actively checking in to Intune.

**Owner field is empty.** The device has no primary user assigned in Intune, or the primary user's UPN doesn't match a Siit person. Assign a primary user in Intune and confirm the UPN / email matches.

**Open in Intune returns "access denied".** The admin opening the link doesn't have an Intune role with access to that device. Check their role assignment in the Intune admin center.

**Recent action didn't reach the device.** MDM commands can queue for hours if the device is offline. Check the device's last check-in time, and monitor the command status in the Intune admin center.

**Connection shows as "needs reauthorization".** An admin revoked the Siit Enterprise Application's consent, or a conditional access policy is blocking the token refresh. Reconnect the integration.
