Custom Admin Notifications for New Intune Enrollments
As of now there's no native way to notify your admins when new devices enroll in Intune, which is quite odd.
This script fills that gap: it sends a custom notification to recipients of your choice whenever a new device joins Intune.
Github: https://github.com/moltenbit/IntuneAdminNotifications
Overview of what's needed:
- Linux server / Raspberry Pi
- mail account acting as a relay for sending mails
- Entra Admin center access
Sending mails
First of all you need to set up sending mail from your Linux server. For this you can follow this great article from Decatec.
In short, you install msmtp:
apt-get install msmtp msmtp-mta mailutils
Then edit the config file:
nano /etc/msmtprc
defaults
port 587
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
auth on
account your@mailaccount.com
host smtp.your-mailserver.com
set_from_header on
from your@mailaccount.com
user your@mailaccount.com
password YourPassword123
account default : your@mailaccount.com
aliases /etc/aliases
Two lines deserve a note: auth on is required, otherwise msmtp ignores the user and password lines and the relay rejects the mail; tls_trust_file points msmtp at the CA bundle (the path shown is the Debian/Ubuntu one) so the mail server's certificate is actually verified instead of the connection failing or being trusted blindly. The account line does not take a colon after the keyword, and the last account line selects your account as the default.
Restrict the permissions on the config file, since it contains the mail password in clear text (msmtp also supports passwordeval, which runs a command to obtain the password instead of storing it in the file):
chmod 600 /etc/msmtprc
Tell mailutils to hand outgoing mail to msmtp:
nano /etc/mail.rc
set sendmail="/usr/bin/msmtp -t"
Send a test mail:
echo "Testmail" | mail -s "Testsubject" your@mail.com
Creating an Entra enterprise application
This app will be used to authenticate our script later on.
Go into your Entra Admin center and choose Applications > Enterprise Applications.
Click on New application > Create your own application.
Give it a name and choose the third option:
When the app is created, go back to its settings page and choose the Properties tab.
Make sure the following settings are set:
- "Enabled for users to sign-in?" > Yes; if the service principal is disabled, no tokens are issued at all, not even to the script
- "Assignment required?" > Yes, so only accounts you choose can sign in to this app interactively. Note that this does not restrict the script itself: it authenticates as the application (client credentials), and anyone holding the client secret can do the same, so treat the secret accordingly
- "Visible to users?" > No, so the app does not show up in the company portal
Now click on Applications > App registrations, choose your app and go to API permissions.
Click on Add a permission, choose Microsoft Graph, then Application permissions (the script runs without a signed-in user), and add the following:
DeviceManagementManagedDevices.Read.All
After saving, click on Grant admin consent for (your company name); application permissions do not work until an admin has consented.
As a next step, still on your app registration settings page, go to Certificates & secrets.
Disclaimer: in this guide I use a client secret. From a security perspective a client certificate would be preferable. Either way, keep in mind that client secrets expire, and the script silently stops working when the secret does.
Create a new client secret and note down its "Value", which is only shown once. We need this in a later step.
Still on your app registration settings page, go to Overview and note down your Application (client) ID and Directory (tenant) ID:
Preparing the Linux server
You can use any device that runs 24/7 (or at least as often as you want the script to run) and on which you can schedule the script via crontab or a task scheduler. In my case the easiest was a Linux server, but a Raspberry Pi or anything else will do.
Create a working directory:
mkdir /opt/intune && cd /opt/intune
Download the script (use the raw file URL; the github.com/.../blob/... link returns the HTML page, not the script):
wget https://raw.githubusercontent.com/moltenbit/IntuneAdminNotifications/main/IntuneAdminNotifications.sh
Change the following variables (shell comments use #, shown here for reference):
nano IntuneAdminNotifications.sh
TENANT_ID=""      # the "Directory (tenant) ID" you noted down earlier
CLIENT_ID=""      # the "Application (client) ID"
CLIENT_SECRET=""  # the client secret "Value"
Also change your e-mail variables:
EMAIL_TO=""       # your e-mail recipients, can also be a distribution list
EMAIL_FROM=""     # mail sender as set in the msmtp settings
Preferably you run the script as a dedicated service user. Since the file now contains the client secret, make it readable and executable by that user only (replace user with the service user's name):
chown user:user IntuneAdminNotifications.sh
chmod 700 IntuneAdminNotifications.sh
If that user is not root, it also needs to be able to read the msmtp configuration: either make /etc/msmtprc readable by a group the user belongs to (for example mode 640 with that group as owner), or give the user its own ~/.msmtprc with mode 600.
And add it to the crontab of the user. I run it every 5 minutes:
crontab -e
*/5 * * * * /opt/intune/IntuneAdminNotifications.sh
That's it!
The script works by downloading the list of device names known to Intune and comparing it to the list downloaded on the previous run (five minutes earlier with the crontab above). If new names appear, it sends an e-mail to your recipients. Because the comparison is by device name, a renamed device shows up as a new one.
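The three steps just described, as an added example in shell. This is not the script from the moltenbit repository and makes no claim about how that script is written; the token and Graph endpoints are the standard Microsoft ones, while the state file name, the "run" argument, the use of jq for JSON parsing and the mailutils mail(1) flags are this example's own assumptions. It reads the credentials from environment variables so the secret does not have to live in the script file, follows @odata.nextLink so the comparison is not limited to the first page of devices, and never replaces the baseline list when a Graph call fails, so a transient API error does not make the next run report every device as new.

```shell
#!/bin/bash
# Added example, not the moltenbit script: app-only Graph token, paged
# device listing, diff against the previous run, mail on new names.
# Assumes curl and jq are installed and mail(1) is mailutils wired to msmtp.
# STATE_DIR, KNOWN_FILE and the "run" argument are this example's own names.
set -eu

STATE_DIR="${STATE_DIR:-/opt/intune}"
KNOWN_FILE="$STATE_DIR/known_devices.txt"   # device names seen on the last run

# Client-credentials token for Microsoft Graph. This is app-only: the
# "Assignment required" setting does not apply, so the secret alone guards
# access to the device list.
get_token() {
    local token
    token=$(curl -sS -f -X POST \
        "https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token" \
        --data-urlencode "client_id=${CLIENT_ID}" \
        --data-urlencode "client_secret=${CLIENT_SECRET}" \
        --data-urlencode "scope=https://graph.microsoft.com/.default" \
        --data-urlencode "grant_type=client_credentials" | jq -r '.access_token')
    if [ -z "$token" ] || [ "$token" = null ]; then
        echo "token request failed" >&2
        return 1
    fi
    printf '%s\n' "$token"
}

# All managed device names, one per line, following @odata.nextLink so a
# tenant with more than one page of devices is not truncated to page one.
# A failing curl aborts the function (set -e), so the caller never sees a
# partial list as if it were complete.
list_device_names() {
    local token="$1" url page
    url='https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName'
    while [ -n "$url" ]; do
        page=$(curl -sS -f -H "Authorization: Bearer ${token}" "$url")
        printf '%s\n' "$page" | jq -r '.value[].deviceName'
        url=$(printf '%s\n' "$page" | jq -r '."@odata.nextLink" // empty')
    done
}

# Names present in the current list but not in the previous one. Both
# inputs are files with one device name per line, in any order.
new_devices() {
    local prev_sorted cur_sorted
    prev_sorted=$(mktemp)
    cur_sorted=$(mktemp)
    sort -u "$1" > "$prev_sorted"
    sort -u "$2" > "$cur_sorted"
    comm -13 "$prev_sorted" "$cur_sorted"
    rm -f "$prev_sorted" "$cur_sorted"
}

# mailutils mail(1): -a appends a header, so the From matches the msmtp account.
notify() {
    printf 'New device(s) enrolled in Intune:\n\n%s\n' "$1" |
        mail -s "New Intune enrollment" -a "From: ${EMAIL_FROM}" "$EMAIL_TO"
}

main() {
    : "${TENANT_ID:?}" "${CLIENT_ID:?}" "${CLIENT_SECRET:?}" "${EMAIL_TO:?}" "${EMAIL_FROM:?}"
    local token current added
    token=$(get_token)
    current=$(mktemp)
    list_device_names "$token" > "$current"
    sort -u -o "$current" "$current"
    if [ -s "$KNOWN_FILE" ]; then
        added=$(new_devices "$KNOWN_FILE" "$current")
        if [ -n "$added" ]; then
            notify "$added"
        fi
    fi
    # Reached only after every Graph call succeeded: the first run just
    # seeds the baseline, later runs replace it with the verified list.
    mv "$current" "$KNOWN_FILE"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it from cron as `/opt/intune/IntuneAdminNotifications.sh run` with the five variables exported in the crontab or an environment file readable only by the service user; without the run argument the file only defines the functions, which is what makes new_devices testable on two hand-made lists.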