There’s a feature within Microsoft Defender Advanced Threat Protection (MDATP) and Microsoft Intune where MDATP security recommendations can be sent to Intune as a security task. This is helpful if security admins and MDM admins are separate and need to pass information for endpoint management teams to work on. Even if you work on a small team or are a one-person shop, sending security tasks to Intune provides a work item, so if you’re forgetful or get pulled in many directions, you’ll have a task sitting for you. For more details on this feature please visit: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-security-tasks-extend-Microsoft-Defender-ATP-s/ba-p/369857
The purpose of this post is to create a method to signal and/or alert that there is a new pending security task in Intune. Currently admins need to access the Intune console and check for tasks, which is a manual process. I prefer automation, so I created a Flow to post a message in a Teams channel and send an email about new, pending Intune tasks sent from MDATP. If you’re thinking, “I’m not a developer…” well the good news is, neither am I! I love Microsoft Flow because it makes creating workflows and automation easy (and I create a lot of Flows to automate tasks).
Let’s get started
- Microsoft Defender ATP
- Microsoft Intune
- Microsoft Flow
- Microsoft Teams
- A Windows 10 device enrolled with Intune and managed by Microsoft Defender ATP
Viewing a security recommendation and sending a task to remediate to Intune
Navigate to https://securitycenter.windows.com/tvm_dashboard (note if you don’t have a subscription or haven’t set up MDATP, you’ll need to do this first). Look at the Top security recommendation on the right and select one.
Here I see a list of security recommendations.
When “Update Chrome” is selected we can see the number of devices exposed and CVEs (Common Vulnerabilities and Exposures) the update will address.
Select “Remediation options”
Check the box next to “Open a ticket in Intune (for AAD joined devices)”, select a due date, and add notes if necessary.
When finished, select “Submit request”
Head over to devicemanagement.microsoft.com > Security baselines > Security tasks and there should be a pending task. In this case I have two with a status of Pending.
Select a task to Assign or Reject it. However, don’t do this yet, because we first want to receive a notification of the pending security task in Intune.
Notifications of new pending tasks
Now we know how to send a task from MDATP to Intune. However, it would be better to be informed when a task is waiting for us to address, and to set up those notifications I use Microsoft Flow.
Creating a new Flow
Navigate to https://flow.microsoft.com, select My flows from the left-hand navigation and select New -> Instant – from blank. Give the Flow a name and select Create.
Schedule the Flow to run
Search for the “Recurrence” trigger and add it to the beginning of the Flow. Populate the fields to meet your requirements. I set my schedule to kick off every day at 8 AM Mountain time.
Azure AD Authorization to call Graph
This process requires multiple steps, so I’ll refer you to a couple of sources that can be used to configure the authorization steps:
- Create a custom connector: https://docs.microsoft.com/en-au/graph/tutorials/flow
- Calling Microsoft Graph from Microsoft Flow (and other daemon apps) with delegated permissions: https://laurakokkarinen.com/calling-microsoft-graph-from-microsoft-flow-and-other-daemon-apps-with-delegated-permissions/
Search for and add the HTTP Flow action. Method = GET, URI = https://graph.microsoft.com/beta/deviceAppManagement/deviceAppManagementTasks
In the header I use the authorization info compiled in the previous steps.
The next three Flow actions take the information from the Graph call and parse it out based on the JSON schema:
- Search for and add a Compose action and, as the “Input”, add the Body from the HTTP action above.
- Search for and add an Initialize variable action: Name = JSONObject, Type = Object, Value = the Output from the Compose action in the previous step.
- Next we need to parse the JSON so we can select JSON fields to be added to the email and Teams posts. Search for and add a Parse JSON action, with Content = the JSONObject variable initialized above. The Schema is generated easily by going to Graph Explorer and querying Graph as shown below. Copy the JSON returned in the response preview pane, then in the Parse JSON action select “Use sample payload to generate schema”, paste the JSON output and select Done. This will construct your schema.
Send to Teams and/or email
Here I walk through sending to Microsoft Teams; however, sending an email is roughly the same process.
- Search for and add an “Apply to each” action. For “Select an output from previous steps”, choose the value from the Parse JSON action above.
- I only want tasks with a status of “Pending”, so I added a Condition that checks for a status equal to “pending”. The status field comes from the JSON we parsed above.
- If the status is pending, I send an email and post to Teams; if the status is anything other than pending, the Flow terminates.
- Search for and add the “Post a message” action. Select the Team, the Channel, and then craft your message. More on this below.
The reason we need to add a schema and parse the JSON returned from the Graph call is so we can select the variables returned individually. Below is an example of the fields I selected for my messages sent to Teams.
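For readers who want to see the whole pipeline in one place (HTTP call, JSON parsing, the Apply to each loop, the Pending condition and the message body), here is the same logic written out in Python. This is an added example, not the author's Flow and not Microsoft's code. It uses the Graph URI from the post and follows the `@odata.nextLink` that Graph may return when there are more tasks than fit in one page, which the single HTTP action in the Flow does not do. The field names (`displayName`, `status`, `priority`, `dueDateTime`, `creatorNotes`, `category`, `createdDateTime`) follow the Graph deviceAppManagementTask resource; treat them as assumptions and, as the post says, regenerate the schema from your own Graph Explorer output. The sample response is constructed.

```python
"""Added example: fetch Intune security tasks from Graph, keep the pending
ones and build one notification per task (the Flow's HTTP -> Parse JSON ->
Apply to each -> Condition -> Post a message chain)."""
import json
import os
import urllib.request

# URI from the post.
GRAPH_TASKS_URL = "https://graph.microsoft.com/beta/deviceAppManagement/deviceAppManagementTasks"

# Constructed sample data shaped like a Graph response, split over two pages
# so the @odata.nextLink handling is exercised. Ids, dates and notes are made up.
SAMPLE_PAGES = {
    GRAPH_TASKS_URL: {
        "value": [
            {"id": "task-0001", "displayName": "Update Chrome", "status": "pending",
             "priority": "high", "category": "advancedThreatProtection",
             "createdDateTime": "2019-08-01T14:02:00Z", "dueDateTime": "2019-08-15T00:00:00Z",
             "creatorNotes": "Sent from MDATP security recommendation"},
            {"id": "task-0002", "displayName": "Update Firefox", "status": "completed",
             "priority": "medium", "category": "advancedThreatProtection",
             "createdDateTime": "2019-07-20T09:30:00Z", "dueDateTime": "2019-07-31T00:00:00Z"},
        ],
        "@odata.nextLink": GRAPH_TASKS_URL + "?$skiptoken=page2",  # constructed
    },
    GRAPH_TASKS_URL + "?$skiptoken=page2": {
        "value": [
            {"id": "task-0003", "displayName": "Update Windows 10", "status": "pending",
             "priority": "high", "category": "advancedThreatProtection",
             "createdDateTime": "2019-08-02T08:00:00Z", "dueDateTime": "2019-08-20T00:00:00Z"},
        ],
    },
}


def sample_fetch_page(url):
    """Offline stand-in for the HTTP action: returns the constructed page for a URL."""
    return SAMPLE_PAGES[url]


def graph_fetcher(token):
    """Return a fetch_page function that calls Graph with a bearer token.
    The token comes from the Azure AD authorization steps the post links to."""
    def fetch_page(url):
        req = urllib.request.Request(url, headers={
            "Authorization": "Bearer " + token,
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def iter_tasks(fetch_page, url=GRAPH_TASKS_URL):
    """Yield every task, following @odata.nextLink until Graph stops paging."""
    while url:
        page = fetch_page(url)
        for task in page.get("value", []):
            yield task
        url = page.get("@odata.nextLink")


def pending_tasks(tasks):
    """The Condition step: keep tasks whose status is pending.
    Graph returns the enum in lower case, so compare case-insensitively."""
    return [t for t in tasks if str(t.get("status", "")).lower() == "pending"]


def format_message(task):
    """The Post a message body: the fields an admin needs to act on the task."""
    lines = [
        "Pending Intune security task: " + task.get("displayName", "(no name)"),
        "Priority: %s | Due: %s" % (task.get("priority", "unknown"), task.get("dueDateTime", "n/a")),
        "Category: %s | Created: %s" % (task.get("category", "unknown"), task.get("createdDateTime", "n/a")),
    ]
    if task.get("creatorNotes"):
        lines.append("Notes: " + task["creatorNotes"])
    lines.append("Review in Intune: https://devicemanagement.microsoft.com (Security baselines > Security tasks)")
    return "\n".join(lines)


def build_notifications(fetch_page):
    """Apply to each: one message per pending task, in the order Graph returned them."""
    return [format_message(t) for t in pending_tasks(iter_tasks(fetch_page))]


if __name__ == "__main__":
    # Set GRAPH_TOKEN (hypothetical variable name) to run against your tenant;
    # otherwise the constructed sample pages are used so the script runs offline.
    token = os.environ.get("GRAPH_TOKEN")
    fetch = graph_fetcher(token) if token else sample_fetch_page
    for message in build_notifications(fetch):
        print(message)
        print("-" * 40)
```

The token is read from the environment rather than written into the script for the same reason the Flow keeps it in the HTTP action's header rather than in the message body: the notification should carry the task, not the credential.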
Viewing Teams posts
The following is an example of an Intune task sent to Teams with the Flow constructed above. If there is more than one pending task, the Flow will post an individual message for each pending task (the same goes for emails). As shown below, I happen to have two tasks that are pending, one to Update Chrome and the other to Update Windows 10, lucky me!
That’s it! If you’re utilizing Microsoft Defender ATP and Intune, integrate the two and start sending tasks to Intune today. Use Flow to schedule notifications and send to Microsoft Teams, email, or whatever method Microsoft Flow supports.
Logic apps docs: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-perform-data-operations#join-action
Use data operations with Microsoft Flow: https://docs.microsoft.com/en-us/flow/data-operations
Follow me on Twitter @mscloudinfa