Intune Logs: How to Monitor and Track Events in Microsoft Intune

Microsoft Intune allows organizations to provide their employees with access to corporate applications, data, and resources from virtually anywhere, on almost any device, while helping to keep corporate information secure. However, those tasks come with a lot of overhead. Making sure that your Intune applications and devices are running as they should in Microsoft 365 is one of the key responsibilities of a system administrator.

‍

Monitoring and tracking events in Microsoft Intune is crucial for maintaining the security and efficiency of an organization's mobile device environment. By effectively utilizing Intune's built-in logs and integrating with Azure Monitor, organizations can gain valuable insights into device enrollment, policy changes, app management, and more.

‍

In this beginner's guide to Intune logs, we'll explore the right way to monitor and track events and activities in Microsoft Intune. We'll learn about the different tools available for this task, best practices for seamless execution, and ways to automate the management process for minimal hassle for your tech department.

‍

What Are Microsoft Intune Logs?

Intune logs are records of events and activities that occur within the Microsoft Intune environment. They are crucial for monitoring, troubleshooting, and auditing purposes. There are several types of logs that Intune provides:

‍

1. Audit Logs: These logs track and monitor activities such as policy changes, device enrollment, and app management. They provide a record of actions taken by users and administrators, offering insights into who did what and when.
2. Operational Logs: These logs provide information about the success or failure of users and devices that enroll in Intune. They can help identify issues with device enrollment and provide details on non-compliant devices.
3. Device Compliance Organizational Logs: These logs provide information about device compliance in Intune, detailing which devices are compliant with the organization's policies and which are not.

‍

These logs can be viewed directly within the Intune console or can be integrated with Azure Monitor for more advanced analytics and visualizations. They are crucial for maintaining the security and efficiency of an organization's mobile device environment.

‍

Now let's take a look at the step-by-step process needed to monitor and track events using Intune logs.

‍

Step 1: Enable Intune Diagnostics

To start tracking and monitoring events, you need to enable diagnostics in Intune. Intune Diagnostics is a feature within Microsoft Intune that allows administrators to collect and analyze data about the operation of the Intune service.

‍

This data, often referred to as telemetry or diagnostic data, can provide valuable insights into the performance and health of your Intune environment in M365.

‍

Here's how to enable Intune Diagnostics:

‍

1. Sign in to the Azure portal.
2. Navigate to Intune.
3. Under Monitoring, select Diagnostic settings.
4. If this is your first time, turn on diagnostics. If not, you can add a new setting.
5. Configure the diagnostic settings to send logs to a Log Analytics workspace.

‍

Step 2: Use Azure Monitor

Once diagnostics are enabled, the Intune app logs can be sent to Azure Monitor. Azure Monitor collects, analyzes, and acts on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

‍

Azure Monitor collects data from various sources, including application logs, operating system logs, and performance data. This data can be used to create comprehensive analytics, allowing you to gain insights, detect anomalies, and set up alerts for specific conditions.

‍

Step 3: Access Logs in the Log Analytics Workspace

In the log analytics workspace, you can find the logs. Here's how:

‍

1. Sign into the Azure portal.
2. Select Log Analytics workspaces.
3. Select the workspace containing Intune diagnostics that you just set up.
4. Under General, select Logs.
5. Scroll down the list of logs until you see the Intune related ones: IntuneAuditLogs and IntuneOperationalLogs.

‍

Step 4: Create Queries to Analyze Logs

You can create queries to filter and analyze the logs. This provides a more detailed and customized view of the Intune logs. For example, you can create a query to show all the successful device enrollments in the past twenty-four hours.

‍

Step 5: Create Visualizations for Your Dashboard

In the log analytics workspace, you can create visualizations for your dashboard. This allows you to visualize the data in a more understandable and digestible format. You can create charts, graphs, and other visualizations based on the queries you have created.

‍

Step 6: Set Up Alerts

You can set up alerts based on specific conditions in the logs. For example, you can set an alert to notify you when a device fails to enroll. This allows you to proactively address issues as they arise.

‍

Step 7: Regularly Review and Analyze Logs

Regularly reviewing and analyzing the logs can help you identify trends, spot potential issues, and gain insights into the activities in your Intune environment. This can help you make informed decisions and take appropriate actions to maintain the security and efficiency of your mobile device environment.

‍

Step 8: Integration with SIEM Tools (Optional)

Security Information and Event Management (SIEM) tools provide real-time analysis of security alerts generated by applications and network hardware. They are used for threat detection, tracking user activities, and compliance reporting. Here's how you can integrate Intune with SIEM tools:

‍

1. Stream Logs to Azure Event Hub: Azure Event Hubs is a big data streaming platform and event ingestion service. It can receive and process millions of events per second. To send your Intune logs to a SIEM solution, you first need to stream them to an Azure Event Hub.
2. Push Logs to SIEM Solution: From the Azure Event Hub, you can then push the logs to your SIEM solution. The specific steps for this will depend on the SIEM solution you are using. Examples of SIEM tools include Splunk, IBM QRadar, and LogRhythm.
3. Configure SIEM Solution: Once the logs are in your SIEM solution, you can configure it to analyze the logs, generate alerts, and create reports. This allows you to have a comprehensive view of security-related activities across your organization.

‍

Step 9: Use Power BI for Advanced Analytics (Optional)

Power BI is a business analytics tool developed by Microsoft. It provides interactive visualizations and business intelligence capabilities. Here's how you can use Power BI with Intune logs:

‍

1. Export Intune Log Data: The first step is to export your Intune log data. This can be done from the Azure portal. You can export the data to a CSV file, which can then be imported into Power BI.
2. Import Data into Power BI: Once you have your data exported, you can import it into Power BI. This can be done by opening Power BI, clicking on "Get Data", and then selecting the CSV file that you exported.
3. Create Reports and Dashboards: After importing the data, you can use Power BI's features to create reports and dashboards. You can create various types of visualizations such as charts, graphs, and maps. You can also use Power BI's data analysis functions to gain insights from your data.
4. Share and Collaborate: One of the advantages of Power BI is that it allows you to share your reports and dashboards with others. You can also collaborate with others on the same report or dashboard. This makes it easier to share insights and make data-driven decisions.

‍

Using Simeon to Monitor Intune Company Portal Logs

Simeon Cloud is a configuration management platform designed to simplify the administration of Microsoft 365, including tracking events in Microsoft Intune. It provides a single pane of glass for visibility and management of your Microsoft 365 environments, allowing you to document and search all changes to maintain best practices.

‍

Here's how Simeon can help automate the process of monitoring and reporting on logs with Intune:

‍

• Device Enrollment: Simeon Cloud can automate the provisioning of devices, enabling IT admins to quickly and easily set up and manage company-owned devices with Intune. This eliminates manual setup processes and ensures that all mobile devices are configured according to your organization's security policies.
• Policy Management: Simeon allows IT admins to centrally manage all Intune policies across multiple platforms. This ensures that all devices are compliant with corporate security requirements and reduces the amount of time spent manually configuring individual settings on each device.
• Software Deployment: It can simplify software deployment by enabling IT admins to quickly deploy applications across multiple platforms using Intune's cloud-based delivery model. This eliminates the need for manual installation of applications on each device, saving time and reducing the risk of errors.
• Security Management: Simeon provides real-time threat detection capabilities that alert administrators if any malicious activity is detected on any managed device within the organization's network. This helps admins quickly identify and address any potential threats before they become serious issues that could cause loss of company data.
• Application Packaging: Simeon comes with a robust application packaging tool for Intune. It lets you easily deploy applications across company-owned devices and takes care of application updates without requiring you to package the application again from scratch.
• Configuration Management: Simeon Cloud helps configure and modify a range of app and device management policies inside Intune — all with detailed audit logging and one-click backup restoration — using a single unified dashboard.

‍

Want to know more? Sign up for a demo with our sales team to learn about Simeon's monitoring and reporting features for Intune in detail.

‍