Intune Endpoint Security Compliance

Know when Defender-managed endpoint security policies fail on devices. Automated Intune deployment monitoring via Microsoft Graph with Microsoft Sentinel incidents for Error, Conflict, and Pending states.

📖 10 min read
🎯 Intermediate
🔧 Azure Automation + Graph
💡 Defender XDR · Intune · Sentinel

Introduction

Teams that manage endpoint security through Defender XDR security settings management see policies in the Defender portal, but per-device deployment state lives in the Intune backend. When policies stall in Pending, Conflict, or Error, the SOC often finds out only after users report protection gaps.

This solution runs on a schedule in Azure Automation, reads endpoint security policy deployment status through Microsoft Graph, and creates a Microsoft Sentinel incident when problems are found. Built and verified by a Microsoft MVP with an admin-first mindset: deploy, validate, and operate with confidence.

Get Instant Access to This Solution

Join the membership platform and get the complete deployment package with automation runbook and implementation documentation.

MVP-Built Solutions • Production-Ready • Complete Documentation

Why This Exists

Defender XDR and Intune share the same policy engine for endpoint security templates. The gap is operational visibility in Sentinel:

  • Defender portal focuses on policy authoring, not fleet-wide deployment health in your SOC queue
  • Intune admin center shows per-policy status, but not as a Sentinel incident your team triages daily
  • Devices in Pending or Conflict can sit unnoticed while analysts assume protection is applied
  • No native alert when endpoint security policies fail at scale across the fleet

The result: security teams manually spot-check Intune or wait for user reports instead of getting a Sentinel incident with policy and device breakdown when deployment fails.

What's in the Solution

1. Scheduled Deployment Monitoring

Azure Automation runbook discovers endpoint security policies and pulls per-device assignment status from Microsoft Graph on a recurring schedule. Managed identity throughout, with no stored secrets in runbook settings.

2. Problem Detection

Identifies devices in Error, Conflict, or Pending states across Antivirus, ASR, EDR, Firewall, and related endpoint security profiles. Optional scoping by policy name filter when you do not want to scan the full fleet.

3. Microsoft Sentinel Incident

When problems are found, creates one Sentinel incident per run with severity, summary counts, and an HTML comment table grouped by policy. Your SOC sees deployment failures alongside other security signals.

4. Least-Privilege Permissions

Uses a custom Sentinel incident creator role with minimum ARM permissions instead of Microsoft Sentinel Contributor. Graph read access only for Intune configuration and reporting.

5. Structured Run Logging

JSON job output with TraceLog, policy counts, and incident ID so you can confirm each scheduled run succeeded before relying on the results.
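The detection, per-policy grouping, HTML comment table and JSON run log described in items 2, 3 and 5 above, as an added PowerShell example that is not the package's runbook code. It assumes the per-device status rows have already been read from Microsoft Graph (the rows here are constructed sample data), and the incident cmdlets named in the comments are an assumption about how a runbook would raise the incident.

```powershell
# Added example, not the membership package's runbook. Assumes per-device status rows
# were already read from Microsoft Graph; the rows below are constructed sample data.
$statusRecords = @(
    [pscustomobject]@{ PolicyName = 'EDR Onboarding'; DeviceName = 'WS-001'; State = 'Succeeded' }
    [pscustomobject]@{ PolicyName = 'EDR Onboarding'; DeviceName = 'WS-002'; State = 'Error' }
    [pscustomobject]@{ PolicyName = 'AV Baseline';    DeviceName = 'WS-002'; State = 'Conflict' }
    [pscustomobject]@{ PolicyName = 'AV Baseline';    DeviceName = 'WS-003'; State = 'Pending' }
)
$problemStates    = 'Error', 'Conflict', 'Pending'
$policyNameFilter = $null   # e.g. 'AV*' to scope the run; $null scans every policy
# One summary row per policy that has at least one device in a problem state.
function Get-PolicyProblemSummary {
    param([object[]]$Records, [string[]]$States, [string]$NameFilter)
    $scoped = if ($NameFilter) { $Records | Where-Object PolicyName -like $NameFilter } else { $Records }
    $scoped | Where-Object State -in $States | Group-Object PolicyName | ForEach-Object {
        [pscustomobject]@{
            PolicyName = $_.Name
            Error      = @($_.Group | Where-Object State -eq 'Error').Count
            Conflict   = @($_.Group | Where-Object State -eq 'Conflict').Count
            Pending    = @($_.Group | Where-Object State -eq 'Pending').Count
            Devices    = ($_.Group.DeviceName | Sort-Object -Unique) -join ', '
        }
    }
}
function Get-IncidentSeverity([object[]]$Summary) {   # any Error outranks Conflict outranks Pending
    if (($Summary.Error | Measure-Object -Sum).Sum -gt 0) { 'High' }
    elseif (($Summary.Conflict | Measure-Object -Sum).Sum -gt 0) { 'Medium' } else { 'Low' }
}
$summary    = @(Get-PolicyProblemSummary -Records $statusRecords -States $problemStates -NameFilter $policyNameFilter)
$traceLog   = [System.Collections.Generic.List[string]]::new()
$incidentId = $null
if ($summary.Count -gt 0) {
    $severity    = Get-IncidentSeverity $summary
    $commentHtml = $summary | ConvertTo-Html -Fragment -As Table   # HTML table for the incident comment
    $traceLog.Add("$($summary.Count) policies with problems; severity $severity")
    # Assumption: the incident and comment would be created here, for example with
    # New-AzSentinelIncident and New-AzSentinelIncidentComment -Message $commentHtml.
    $incidentId = 'INCIDENT-ID-PLACEHOLDER'
} else {
    $traceLog.Add('No Error, Conflict or Pending devices; no incident created')
}
# Structured JSON job output so each scheduled run can be verified.
[ordered]@{
    PoliciesScanned      = ($statusRecords.PolicyName | Sort-Object -Unique).Count
    PoliciesWithProblems = $summary.Count
    IncidentId           = $incidentId
    TraceLog             = $traceLog
} | ConvertTo-Json -Compress
```

With the sample rows, the summary reports EDR Onboarding with one Error and AV Baseline with one Conflict and one Pending, so the run is rated High.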

Key Benefits

  • SOC-visible deployment failures: Sentinel incidents when endpoint security policies fail on devices
  • Defender XDR gap closed: backend Intune status surfaced where your analysts already work
  • Policy-level breakdown: see Error, Conflict, and Pending counts per policy in the incident comment
  • Production deployment package: a complete, repeatable install for your tenant, not a one-off proof of concept
  • Configurable scope: scan all endpoint security policies or limit by name filter
  • Least-privilege baseline: custom Sentinel role and Graph read permissions only

Requirements

The solution integrates with standard Microsoft 365 and Azure environments:

  • Microsoft Intune with endpoint security policies (Defender XDR security settings management or Intune admin center)
  • Microsoft Sentinel workspace for incident creation
  • Azure Automation account with system-assigned managed identity
  • Microsoft Graph application permission for Intune configuration read access
  • Custom Azure RBAC role for Sentinel incident and comment creation at subscription scope
  • PowerShell 7.x runtime environment in Azure Automation with Azure and Graph modules

What's Included

When you access this solution through membership, you receive:

  • Complete deployment package: production-ready Azure Automation runbook for your tenant
  • Implementation documentation: permissions, setup, scheduling, scoping, and troubleshooting (membership access)
  • Shared permission patterns: links to reusable automation and Sentinel RBAC guidance
  • Direct access to the author: Microsoft MVP support through membership

Ready to Catch Policy Deployment Failures in Sentinel?

The complete automation package for Intune endpoint security compliance monitoring, production-tested by a Microsoft MVP.


About the Author

Kaido Järvemets

Microsoft MVP | Microsoft Hybrid-Cloud Security Expert

With over 15 years of experience in IT, cybersecurity, and Microsoft technologies, Kaido specializes in Microsoft Azure, Microsoft 365, and hybrid-cloud security solutions. As a Microsoft MVP since 2010, he has deep expertise in Configuration Manager, Enterprise Mobility, and Azure Hybrid & Security.

Kaido is a Microsoft Certified Trainer who has been traveling across Europe for the past 12 years, speaking at events including the Microsoft Management Summit and Midwest Management Summit. He founded User Group Estonia and System Center User Group Estonia, building strong communities of Microsoft technology professionals.

🎯 Specializations

Microsoft Security:
  • Microsoft Defender XDR
  • Microsoft Sentinel SIEM & SOAR
  • Microsoft Entra ID (Azure AD)
  • Microsoft Intune

Azure & Hybrid Cloud:
  • Azure Arc Services
  • Azure Log Analytics
  • Azure Automation
  • Hybrid Cloud Management

"I simplify the process and make each change meaningful. It's all about adopting modern solutions that replace archaic ones and make the workplace easier for everyone involved."