In an environment where you have multiple admin users it’s useful to audit admin activities so everyone can be aware of changes that others have made. I do this for Endpoint Configuration Manager with a daily email report built from admin status messages, so I decided to create something similar for Intune / MEM.
Admin actions are already audited for you in MEM (Tenant Administration > Audit logs) so it’s simply a case of getting that data into an email report. You can do this with Graph (which gives you more data actually) but I decided to use Log Analytics for this instead.
You need a Log Analytics workspace, and you need to configure Diagnostics settings in the MEM portal to send AuditLogs to the workspace.
Then, in order to automate sending a daily report, create a service principal in Azure AD with just the permissions necessary to read data from the Log Analytics workspace. You can do this easily from the Azure portal using Cloud Shell. In the example below, I’m creating a new service principal with the role “Log Analytics Reader” scoped only to the Log Analytics workspace that receives the AuditLogs.
Of course, if you prefer you can use certificate authentication instead of using the secret key.
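The Cloud Shell commands for that step, as an added example (not the post’s own commands): it assumes the Az.Resources and Az.OperationalInsights modules are loaded, and the resource group, workspace and display names are placeholders.

```powershell
# Added example: least-privilege service principal for the audit report.
# Placeholders: resource group, workspace name and display name.
$ResourceGroup = "rg-loganalytics"          # placeholder
$WorkspaceName = "law-intune"               # placeholder
$SpName        = "sp-intune-audit-report"   # placeholder

# Resolve the workspace so the role assignment can be scoped to it alone
$Workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Create the service principal with no role assignments.
# Caveat: Az.Resources releases before 6.0 granted Contributor on the whole
# subscription by default unless -SkipAssignment was specified; check with
# Get-AzRoleAssignment afterwards (done below) on either version.
$Sp = New-AzADServicePrincipal -DisplayName $SpName

# Grant only Log Analytics Reader, only on this workspace (not the subscription or resource group)
New-AzRoleAssignment -ApplicationId $Sp.AppId -RoleDefinitionName "Log Analytics Reader" -Scope $Workspace.ResourceId | Out-Null

# Values the report script needs. The secret is shown once here; put it in your
# automation tool's secret store rather than in the script.
[PSCustomObject]@{
    ApplicationId = $Sp.AppId
    TenantId      = (Get-AzContext).Tenant.Id
    WorkspaceId   = $Workspace.CustomerId
    Secret        = $Sp.PasswordCredentials.SecretText   # current Az.Resources; older releases expose a SecureString in .Secret
}

# Verify the principal holds exactly one assignment and that its scope is the workspace resource id
Get-AzRoleAssignment -ServicePrincipalName $Sp.AppId | Select-Object RoleDefinitionName, Scope
```

Role assignments can take a minute to propagate, so re-run the last line if it comes back empty immediately after creation.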
Below is a PowerShell script that uses the Az PowerShell module to connect to the Log Analytics workspace as the service principal, query the IntuneAuditLogs table for entries in the last 24 hours, then send them in an HTML email report. Run it with your favourite automation tool.
You’ll need the app Id and secret from the service principal, your tenant Id, your log analytics workspace Id, and don’t forget to update the email parameters.
Sample email report
# Script to send a daily audit report for admin activities in MEM/Intune
# Requirements:
# - Log Analytics Workspace
# - Intune Audit Logs saved to workspace
# - Service Principal with 'Log Analytics Reader' role in workspace
# - Azure Az PowerShell modules (Az.Accounts, Az.OperationalInsights)

# Azure resource info (replace with your own values)
$ApplicationId = "abc73938-0000-0000-0000-9b01316a9123" # Service Principal Application Id
$Secret        = "489j49r-0000-0000-0000-e2dc6451123"   # Service Principal Secret
$TenantID      = "abc894e7-00000-0000-0000-320d0334b123" # Tenant ID
$LAWorkspaceID = "abcc1e47-0000-0000-0000-b7ce2b2bb123" # Log Analytics Workspace ID

# Connect to Azure as the service principal
$SecureSecret = ConvertTo-SecureString -String $Secret -AsPlainText -Force
$Credential   = New-Object System.Management.Automation.PSCredential ($ApplicationId, $SecureSecret)
Connect-AzAccount -ServicePrincipal -Credential $Credential -Tenant $TenantID | Out-Null

# Query the IntuneAuditLogs table for the last 24 hours
$Query        = "IntuneAuditLogs | where TimeGenerated > ago(24h) | sort by TimeGenerated desc"
$Results      = Invoke-AzOperationalInsightsQuery -WorkspaceId $LAWorkspaceID -Query $Query
$ResultsArray = [System.Linq.Enumerable]::ToArray($Results.Results)

# Build a datatable for the report
$DataTable = New-Object System.Data.DataTable
$Columns   = @("Date","Initiated by (actor)","Application Name","Activity","Operation Status","Target Name","Target ObjectID")
foreach ($Column in $Columns)
{
    [void]$DataTable.Columns.Add($Column)
}
foreach ($Result in $ResultsArray)
{
    # The Properties column holds a JSON document with the actor and target details
    $Properties = $Result.Properties | ConvertFrom-Json
    [void]$DataTable.Rows.Add(
        $Properties.ActivityDate,
        $Result.Identity,
        $Properties.Actor.ApplicationName,
        $Result.OperationName,
        $Result.ResultType,
        $Properties.TargetDisplayNames[0],
        $Properties.TargetObjectIDs[0]
    )
}

# Send an email (only when there is something to report)
If ($DataTable.Rows.Count -ge 1)
{
    # Minimal table styling for the HTML report
    $Style = "<style>table {border-collapse: collapse;} th, td {border: 1px solid #ccc; padding: 4px;}</style>"
    $HTML = $DataTable |
        ConvertTo-Html -Property "Date","Initiated by (actor)","Application Name","Activity","Operation Status","Target Name","Target ObjectID" -Head $Style -Body "<h2>MEM Admin Activities in the last 24 hours</h2>" |
        Out-String

    # Email parameters (placeholders; update for your environment)
    Send-MailMessage -From "intune-audit@example.com" -To "admins@example.com" -Subject "MEM Admin Activities in the last 24 hours" -Body $HTML -BodyAsHtml -SmtpServer "smtp.example.com"
}