Automatically be notified by mail or Teams when local admin accounts have been created on Intune devices
In this post I will show you a way to be notified by Teams or mail as soon as local admin account(s) have been added on Intune devices.
Prerequisite
There are two prerequisites for this solution:
- Run remediation script
- Access to send data to Log Analytics
The first step is to run a remediation script on all devices that checks whether local admin account(s) have been created.
The script then sends that information to a Log Analytics workspace.
For that, check my post here.
This can be summarized in a few steps:
- Creating a Remediation script
- Script is executed on all devices
- Checks if unexpected local admin accounts exist
- If yes, checks who added them and when
- Send info to Log Analytics
Get the script
Click on the GitHub picture below to get the scripts.
Creating the automation account
1. Go to Azure
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription
6. Choose the Resource group
7. Choose your region
8. Click on Create
9. Click on Go to resource
Set Managed Identity
Here we enable a system-assigned managed identity on the Azure Automation account.
This automatically creates a service principal (visible under Enterprise applications) that the runbook uses to authenticate against Log Analytics and, if needed, Microsoft Graph, without any stored credential.
1. Go to the automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
Set role for Log Analytics
Here we assign a role to the managed identity so it can query the logs created by the local admin report.
The runbook will run a scheduled KQL query to check whether local admin accounts have been created during the last 2 days, so read access on the workspace is all it needs.
For that we proceed as below:
1. Go to the Log Analytics workspace
2. Go to Access control (IAM)
3. Click on Add > Add role assignment
4. Go to Roles > Log Analytics Reader > Next
5. Select the managed identity
6. Click on Review + Assign
Adding modules
This is only needed if you want to send the list of local admins by mail.
For that we proceed as below:
1. Go to your automation account
2. Click on Modules gallery
3. Import the following modules
Microsoft.Graph.Users.Actions
Microsoft.Graph.Authentication
Permission to send mail
This is only needed if you want to send the list of local admins by mail.
Here we grant the Microsoft Graph application permission Mail.Send to the managed identity.
Application permissions cannot be granted to a managed identity from the portal; it has to be done through PowerShell (Microsoft Graph).
For that we proceed as below:
1. Edit the script Set_permission.ps1
2. Set variables: $TenantID and $DisplayNameOfMSI
3. Run the script with an account allowed to grant app roles (Global Administrator or Privileged Role Administrator)
4. Go to Enterprise application
5. Filter on Managed identity
6. Select your application
7. Go to Permissions
8. You will see the Mail.Send permission. Note that as an application permission, Mail.Send lets the identity send as any mailbox in the tenant; an Exchange Online application access policy can restrict it to the sending mailbox only.
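As an added example (not the post's Set_permission.ps1, which the comment at the bottom of the page notes is missing from the repository), this is how the grant described above is done with the Microsoft Graph PowerShell SDK. $TenantID and $DisplayNameOfMSI are the post's own variables; the optional $MailFrom parameter and the Exchange application access policy step are assumptions added here for least privilege, and they require the ExchangeOnlineManagement module.

```powershell
# Added example: grant the Graph app role Mail.Send to the Automation account's managed identity.
# Requires Microsoft.Graph.Applications and an account that can grant app roles.
param(
    [Parameter(Mandatory)] [string] $TenantID,
    [Parameter(Mandatory)] [string] $DisplayNameOfMSI,
    [string] $MailFrom,              # optional (assumed): restrict sending to this mailbox
    [string] $Permission = 'Mail.Send'
)

Connect-MgGraph -TenantId $TenantID -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Service principal created when "System assigned" was switched on.
$Msi = Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
if (-not $Msi -or @($Msi).Count -gt 1) { throw "Expected exactly one service principal named '$DisplayNameOfMSI'" }

# Microsoft Graph's own service principal; its appId is the same in every tenant.
$Graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# The application permission ("app role") to grant.
$Role = $Graph.AppRoles | Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $Role) { throw "App role '$Permission' not found on Microsoft Graph" }

# Idempotent: skip if the assignment already exists.
$Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id |
    Where-Object { $_.AppRoleId -eq $Role.Id -and $_.ResourceId -eq $Graph.Id }
if ($Existing) {
    Write-Output "'$Permission' already granted to '$DisplayNameOfMSI'"
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id `
        -PrincipalId $Msi.Id -ResourceId $Graph.Id -AppRoleId $Role.Id | Out-Null
    Write-Output "Granted '$Permission' to '$DisplayNameOfMSI'"
}

# Mail.Send as an application permission allows sending as ANY mailbox in the tenant.
# Optional least-privilege step: limit the identity to the $MailFrom mailbox.
if ($MailFrom) {
    Connect-ExchangeOnline -ShowBanner:$false
    New-ApplicationAccessPolicy -AppId $Msi.AppId -PolicyScopeGroupId $MailFrom `
        -AccessRight RestrictAccess -Description "Restrict $DisplayNameOfMSI to $MailFrom" | Out-Null
    # Policies take a while to propagate; once applied this reports AccessCheckResult = Granted.
    Test-ApplicationAccessPolicy -Identity $MailFrom -AppId $Msi.AppId
}
```

After it runs, the permission appears under Enterprise applications > (your managed identity) > Permissions as described in step 8 above.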
Creating the Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Click on Create
7. Click on Edit
8. Paste the content of the script LocalAdmin_Runbook.ps1
9. Click on Save
Configure the notification
The script to use is LocalAdmin_Runbook.ps1.
To change the text of the notification, set the variables $Notif_Title and $Notif_Message.
Send notification by mail
If you want to send the list of local admins by mail, proceed as below:
1. Set the variable $Send_mail to $True.
2. Set the variables $Mail_From and $Mail_To.
Below is what the mail looks like:
Send notification by Teams
The first step is to create an incoming webhook on a Teams channel. Note that Microsoft is retiring the Office 365 connectors (Incoming Webhook included) in favour of the Workflows app, whose "Post to a channel when a webhook request is received" flow provides a URL that can be used the same way. Proceed as below:
1. Go to your channel
2. Click on the ...
3. Click on Connectors
4. Go to Incoming Webhook
5. Type a name
6. Click on Create
7. Copy the webhook URL into the variable $Webhook_URL. Anyone holding that URL can post to the channel, so treat it as a secret: store it in an encrypted Automation account variable rather than in the runbook text.
Set the variable $Send_TeamsNotif to $True.
Below is what the Teams notification looks like:
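As an added example (not the post's LocalAdmin_Runbook.ps1), this is the full runbook logic the sections above configure: sign in as the managed identity, run the 2-day KQL query against the workspace, and push the result to Teams and/or mail. The custom table and column names (LocalAdmin_CL, AdminAccount_s, AddedBy_s, AddedOn_t), the workspace id and the mail addresses are assumptions; the variables $Send_TeamsNotif, $Send_mail, $Mail_From, $Mail_To, $Notif_Title, $Notif_Message and $Webhook_URL are the post's own. It needs only Az.Accounts (present by default in an Automation account) plus the two Microsoft.Graph modules imported earlier, and it reads the webhook from an encrypted Automation variable.

```powershell
# Added example: runbook body. Assumed table/columns: LocalAdmin_CL, AdminAccount_s, AddedBy_s, AddedOn_t.
$WorkspaceId     = '<log-analytics-workspace-id>'   # assumed placeholder
$LookbackDays    = 2
$Send_TeamsNotif = $true
$Send_mail       = $false
$Mail_From       = 'intune-alerts@contoso.com'       # assumed
$Mail_To         = 'secops@contoso.com'              # assumed
$Notif_Title     = 'New local admin account(s) on Intune devices'
$Notif_Message   = 'The following local admin accounts were created in the last 2 days:'

# Authenticate as the system-assigned managed identity (Log Analytics Reader on the workspace).
Connect-AzAccount -Identity | Out-Null

# KQL: newest report per device/account within the window.
$Query = @"
LocalAdmin_CL
| where TimeGenerated > ago(${LookbackDays}d)
| summarize arg_max(TimeGenerated, *) by Computer, AdminAccount_s
| project Computer, AdminAccount_s, AddedBy_s, AddedOn_t
"@

# Call the Log Analytics query API directly; Az.Accounts 4+ returns the token as a SecureString.
$Token = (Get-AzAccessToken -ResourceUrl 'https://api.loganalytics.io').Token
if ($Token -is [securestring]) { $Token = [System.Net.NetworkCredential]::new('', $Token).Password }
$Response = Invoke-RestMethod -Method Post `
    -Uri "https://api.loganalytics.io/v1/workspaces/$WorkspaceId/query" `
    -Headers @{ Authorization = "Bearer $Token" } -ContentType 'application/json' `
    -Body (@{ query = $Query } | ConvertTo-Json)

# The API returns columns + rows; rebuild objects so the rest of the script is readable.
$Table = $Response.tables[0]
$Rows = foreach ($r in $Table.rows) {
    $o = [ordered]@{}
    for ($i = 0; $i -lt $Table.columns.Count; $i++) { $o[$Table.columns[$i].name] = $r[$i] }
    [pscustomobject]$o
}
if (-not $Rows) { Write-Output 'No new local admin in the window'; return }

# Values come from endpoints, so HTML-encode them (ConvertTo-Html does) before they reach a mail client.
$Html = $Rows | ConvertTo-Html -Fragment -Property Computer, AdminAccount_s, AddedBy_s, AddedOn_t
$Lines = $Rows | ForEach-Object { "- $($_.Computer): $($_.AdminAccount_s) added by $($_.AddedBy_s) on $($_.AddedOn_t)" }

if ($Send_TeamsNotif) {
    $Webhook_URL = Get-AutomationVariable -Name 'Webhook_URL'   # encrypted Automation variable
    # MessageCard is the payload the Office 365 Incoming Webhook connector accepts.
    $Card = @{
        '@type'    = 'MessageCard'
        '@context' = 'http://schema.org/extensions'
        themeColor = 'D70000'
        summary    = $Notif_Title
        title      = $Notif_Title
        text       = "$Notif_Message<br><br>" + ($Lines -join '<br>')
    } | ConvertTo-Json -Depth 4
    Invoke-RestMethod -Method Post -Uri $Webhook_URL -ContentType 'application/json' -Body $Card | Out-Null
}

if ($Send_mail) {
    Connect-MgGraph -Identity -NoWelcome    # uses the Mail.Send grant on the managed identity
    $Message = @{
        Message = @{
            Subject      = $Notif_Title
            Body         = @{ ContentType = 'HTML'; Content = "<p>$Notif_Message</p>$($Html -join '')" }
            ToRecipients = @(@{ EmailAddress = @{ Address = $Mail_To } })
        }
        SaveToSentItems = $false
    }
    Send-MgUserMail -UserId $Mail_From -BodyParameter $Message
}
```

Because the query window (2 days) is wider than the daily schedule, the same account can be reported twice; that is deliberate so a missed run does not lose an alert, and the arg_max keeps each device/account pair to one line per notification.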
Schedule the runbook
1. Go to the runbook
2. Click on Publish
3. Click on Yes
4. Click on Schedules
5. Click on Add a schedule
6. Click on Link a schedule to your runbook
7. Click on Add a schedule
8. Type a name
9. In Recurrence, select Recurring
10. Select every day
11. Click on Create
1 comment
I can't seem to find Set_permission.ps1 on your GitHub! :)