Collection of information for monitoring the status of connectors, certificates and tokens

This week is a follow-up on last week. Last week the focus was on providing an example for monitoring the Apple MDM push certificate with Azure Logic Apps and Adaptive Cards for Teams and this week the focus is on providing more endpoints in Microsoft Graph that can be used for monitoring all different connectors, certificates and tokens. This blog post will provide a collection of the different endpoints, the properties to verify and example queries to use. All summarized in tables, including links to the documentation. The following connectors, certificates and tokens are addressed within this post.

Note: This list of connectors, certificates and tokens is made based on the information available within Microsoft Endpoint Manager admin center (Tenant administration > Connectors and tokens). Please leave a comment when a connector, certificate, or token is missing and should be added.

Important: Most of the information provided in this post is verified and tested, but in some cases the connectors, certificates, or tokens were not available. In those case a few logic assumption are used – based on the documentation and experiences with other connectors, certificates, or tokens. Please leave a comment when information is not correct.

Connectors, certificates and tokens

Remote help

Remote help is provided as a connector in the Tenant administration > Connectors and tokens > Remote help overview. That connector is used for providing remote assistance in Microsoft Intune. However, as it’s directly integrated in Microsoft Intune there is no further status information. It also doesn’t contain a single endpoint that is queried to provide information.

Microsoft Store for Business

Microsoft Store for Business is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Store for Business overview. That connector is used for synchronzing apps from Microsoft Store for Business to Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the last sync status of the apps was longer than a few days ago.

Connector (docs)Microsoft Store for Business
urlhttps://graph.microsoft.com/beta/deviceAppManagement
PropertyUse microsoftStoreForBusinessLastSuccessfulSyncDateTime to monitor the last successful sync
Example checkmicrosoftStoreForBusinessLastSuccessfulSyncDateTime is greater than addToTime(utcNow(),2,’day’) 

Windows enterprise certificate

Windows enterprise certificate is provided as a certificate in the Tenant administration > Connectors and tokens > Windows enterprise certificate overview. That certificate is used for sideloading LOB apps on Windows 10 devices and that page provides an overview of the status of the uploaded certificate. The information below can be used to monitor if the expiration date of that certificate near (within the next 30 days).

Connector (docs)Windows enterprise certificate
urlhttps://graph.microsoft.com/beta/deviceAppManagement/enterpriseCodeSigningCertificates
propertyUse expirationDateTime to monitor the expiration of the certificate
Example checkexpirationDateTime is less than addToTime(utcNow(),30,’day’)

Windows DigiCert certificate

Windows DigiCert certificate is provided as a certificate in the Tenant administration > Connectors and tokens > Windows DigiCert certificate overview. That certficate was required for distributing LOB apps to Windows 10 Mobile devices and that page provides an overview of the status of the uploaded certificate. The information below can be used to monitor if the expiration date of that certificate is near (within the next 30 days.

Connector (docs)Windows DigiCert certificate
urlhttps://graph.microsoft.com/beta/deviceAppManagement/symantecCodeSigningCertificate
propertyUse expirationDateTime to monitor the expiration of the certificate
Example checkexpirationDateTime is less than addToTime(utcNow(),30,’day’)

Windows side loading keys

Windows side loading keys are provided as keys in the Tenant administration > Connectors and tokens > Windows side loading keys overview. Those keys were used for deploying LOB apps to Windows 8.1 devices and that page provides an overview of the added keys and the total activations. There is no status to monitor of side loading keys.

Connector (docs)Windows side loading keys
urlhttps://graph.microsoft.com/beta/deviceAppManagement/sideLoadingKeys
property
Example check

Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager overview. That connector is used for getting device information of Configuration Manager and that page provides an overview of the status information of the attached Configuration Manager environment. The information, however, isn’t available via the Microsoft Graph.

Apple MDM push certificate

Apple MDM push certificate is provided as a certificate in the Devices > iOS/iPadOS devices > iOS/iPadOS enrollment > Apple MDM push certificate overview. That certificate is used for managing devices with Microsoft Intune and that page provides an overview of the status of the push certificate. The information below can be used to monitor if the expiration date of that certificate is near (within the next 30 days).

Connector (docs)Apple MDM push certificate
urlhttps://graph.microsoft.com/beta/deviceManagement/applePushNotificationCertificate
propertyUse expirationDateTime to monitor the expiration of the certificate
Example checkexpirationDateTime is less than addToTime(utcNow(),30,’day’)

Apple VPP tokens

Apple VPP tokens are provided as tokens in the Tenant administration > Connectors and tokens > Apple VPP tokens overview. Those VPP tokens are used for synchronizing apps (and licenses) from Apple to Microsoft Intune and that page provides an overview of the status of those tokens. The information below can be used to monitor if the last sync status is failed and to monitor if the expiration date of that token is near (within the next 30 days).

Connector (docs)Apple VPP tokens
urlhttps://graph.microsoft.com/beta/deviceAppManagement/vppTokens
propertiesUse lastSyncStatus to monitor the last sync status
Use expirationDateTime to monitor the expiration of the token
Example checkslastSyncStatus is equal to failed
expirationDateTime is less than addToTime(utcNow(),30,’day’)

Apple DEP tokens

Enrollment program tokens are provided as tokens in the Devices > iOS/iPadOS devices > iOS/iPadOS enrollment > Enrollment program tokens overview. Those enrollment program tokens are used synchronizing devices to Microsoft Intune and that page provides an overview of the (sync) status of those tokens. The information below can be used to monitor if the last sync status is not succesful and to monitor if the expiration date of that token is near (within the next 30 days).

Connector (docs)Apple DEP tokens
urlhttps://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings
propertiesUse lastSyncErrorCode monitor the last sync status
Use expirationDateTime to monitor the expiration of the token
Example checkslastSyncErrorCode is not equal to 0
expirationDateTime is less than addToTime(utcNow(),30,’day’)

Managed Google Play

Managed Google Play is provided as a connector in the Tenant administration > Connectors and tokens > Managed Google Play overview. That connector is used for synchronzing apps from Managed Google Play to Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the last sync status is not successful.

Connector (docs)Managed Google Play
urlhttps://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings
propertyUse lastAppSyncStatus to monitor the last sync status
Example checklastAppSyncStatus is not equal to success

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint overview. That connector is used for retrieving compliance information of Microsoft Defender for Endpoint in Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the that connection is available and if the latest heartbeat is no longer than a few days ago.

Connector (docs)Microsoft Defender for Endpoint
urlhttps://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors
propertiesUse partnerState to monitor the state of the connection
Use lastHeartbeatDateTime to monitor the last heartbeat of the connection
Example checkspartnerState is not equal to enabled
lastHeartbeatDateTime is greater than addToTime(utcNow(),2,’day’)

Mobile Threat Defense

Mobile Threat Defense is provided as a connector in the Tenant administration > Connectors and tokens > Mobile Threat Defense overview. That connector is used for retrieving compliance information of the mobile threat defense partner in Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the that connection is available and if the latest heartbeat is no longer than a few days ago.

Connector (docs)Mobile Threat Defense
urlhttps://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors
propertiesUse partnerState to monitor the state of the connection
Use lastHeartbeatDateTime to monitor the last heartbeat of the connection
Example checkspartnerState is not equal to enabled
lastHeartbeatDateTime is greater than addToTime(utcNow(),2,’day’)

Partner device management

Partner device management is provided as a connector in the Tenant administration > Connectors and tokens > Partner device management overview. That connector is used for retrieving compliance information of Jamf-managed macOS devices in Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the that connection is available and if the latest heartbeat is no longer than a few days ago.

Connector (docs)Partner device management
urlhttps://graph.microsoft.com/beta/deviceManagement/deviceManagementPartners
propertiesUse partnerState to monitor the state of the connection
Use lastHeartbeatDateTime to monitor the last heartbeat of the connection
Example checkspartnerState is not equal to enabled
lastHeartbeatDateTime is greater than addToTime(utcNow(),2,’day’)

Partner compliance management

Partner compliance management is provided as a connector in the Tenant administration > Connectors and tokens > Partner compliance management overview. That connector is used for retrieving compliance information of partner-managed devices in Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the that connection is available and if the latest heartbeat is no longer than a few days ago.

Connector (docs)Partner compliance management
urlhttps://graph.microsoft.com/beta/deviceManagement/complianceManagementPartners
propertiesUse partnerState to monitor the state of the connection
Use lastHeartbeatDateTime to monitor the last heartbeat of the connection
Example checkspartnerState is not equal to enabled
lastHeartbeatDateTime is greater than addToTime(utcNow(),2,’day’)

TeamViewer connector

TeamViewer connector is provided as a connector in the Tenant administration > Connectors and tokens > TeamViewer connecctor overview. That connector is used for integrating TeamViewer remote assistance with Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the last connection was longer than a few days ago.

Connector (docs)TeamViewer connector
urlhttps://graph.microsoft.com/beta/deviceManagement/remoteAssistancePartners
propertyUse onboardingStatus to monitor the status of the onboarding
Use lastConnectionDateTime to monitor the moment of the last connection
Example checklastConnectionDateTime is greater than addToTime(utcNow(),2,’day’)

Certificate connectors

Certificate connector is provided as a connector in the Tenant administration > Connectors and tokens > Certificate connecctor overview. That connector is used for integrating certificate deployment via NDES with Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the state of that connection is active.

Connector (docs)Certificate connectors
urlhttps://graph.microsoft.com/beta/deviceManagement/ndesConnectors
propertyUse state to monitor the state of the connector
Example checkstate is not equal to active

Telecom expense management

Telecom expense management is provided as a connector in the Tenant administration > Connectors and tokens > Telecom expense management overview. That connector is used for integrating telecom roaming data with Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the last connection was longer than a few days ago.

Connector (docs)Telecom expense management
urlhttps://graph.microsoft.com/beta/deviceManagement/telecomExpenseManagementPartners
propertyUse lastConnectionDateTime to monitor the moment of the last connection
Example checklastConnectionDateTime is greater than addToTime(utcNow(),2,’day’)

Windows Autopilot

Windows Autopilot is provided as a connector in the Devices > Windows devices > Windows enrollment > Devices overview. That connector is used for integrating Autopilot device information with Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the sync state is something positive.

Connector (docs)Windows Autopilot
urlhttps://graph.microsoft.com/beta/deviceManagement/windowsAutopilotSettings
propertyUse syncStatus to monitor the status of the last sync
Example checksyncStatus is not equal to completed or syncStatus is not equal to inProgress

6 thoughts on “Collection of information for monitoring the status of connectors, certificates and tokens”

  1. Hi, this is really nice and helpful. In the case of VPP or enrolment, does it apply for one only or all the registered certificates!?

    Reply
  2. With the Windows Autopilot one, the example check should be syncStatus is not equal to completed OR syncStatus is not equal to inProgress, otherwise it will always be false as I’ve just found out. 🙂

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.