What Vectis syncs
- Managed devices — device name, OS platform and version, enrollment date, primary user (UPN), management agent type, and last sync timestamp.
- Compliance state — per-device state: Compliant, Non-compliant, In grace period, Not applicable, Unknown, or Config manager managed.
Relationship to the M365 connector
Intune runs on the same publisher app and consent as the M365 connector. There is no separate Entra app registration for Intune — you simply enable the feature toggle once the M365 tenant is already connected.
This works because DeviceManagementManagedDevices.Read.All is a Microsoft Graph permission, and Vectis uses the same publisher app that already holds the M365 Graph token.
Required app permissions
The following permissions must be granted on the Vectis publisher app (in addition to any already granted for M365 or GDAP):
- DeviceManagementManagedDevices.Read.All — read managed device inventory and compliance state
- DeviceManagementConfiguration.Read.All — read device configuration profiles and compliance policies
- Open the Azure portal and navigate to Microsoft Entra ID → App registrations.
- Find the Vectis publisher app (the app registered for the M365 connector), then go to API permissions → Add a permission.
- Choose Microsoft Graph → Application permissions.
- Search for and add DeviceManagementManagedDevices.Read.All and DeviceManagementConfiguration.Read.All.
- Click Grant admin consent for [your tenant] and confirm. The app will now be able to read Intune data across all consented customer tenants.
Enable Intune for a customer
- Open the customer's hub and go to the Integrations tab.
- On the Microsoft 365 card, click Manage features.
- Toggle Microsoft Intune device compliance on and save.
- The Intune sync will run on its next 30-minute cycle. The compliance card below will populate once the first sync completes.
Reading the compliance card
- Donut chart — shows the percentage of devices in a Compliant state. Green ≥ 90%, amber 60–89%, red below 60%.
- Breakdown pills — counts per state. Only states with at least one device appear.
- Non-compliant devices table — top 10 devices in the Non-compliant state, ordered by oldest last-sync first (the devices most likely to need attention).
Troubleshooting
- “Tenant does not appear to have an Intune license”: the tenant has not been assigned Intune (or Microsoft 365 Business Premium / EMS E3 or above). Confirm the customer's license in the Microsoft 365 admin center under Billing → Licenses.
- No devices appear after enabling: allow one 30-minute sync cycle. If still empty after 30 minutes, check that the publisher app permissions include DeviceManagementManagedDevices.Read.All and that admin consent was granted (not just the permissions added).
- 403 on the sync: most often means the Graph permissions were added but admin consent was not granted. In the Entra app, go to API permissions and click Grant admin consent.
- Compliance state shows Unknown for all devices: no compliance policy has been assigned in the customer's Intune tenant. Unmanaged devices show Unknown until a policy is assigned and evaluated.
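A quick check for the 403 and empty-inventory cases above, as an added example that is not Vectis code: Entra only places an application permission in an app-only token's roles claim once admin consent has been granted, so decoding a token issued to the publisher app shows which of the two required permissions are missing. The function names are hypothetical, and the tokens and tenant ID are constructed samples.

```python
import base64
import json

# The two Graph application permissions this page requires on the publisher app.
REQUIRED_ROLES = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Diagnostic only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_intune_roles(token: str) -> list:
    """List the required permissions that are absent from the token's 'roles' claim."""
    claims = decode_claims(token)
    # Application permissions appear in 'roles'; a token with only 'scp' is delegated.
    if "scp" in claims and "roles" not in claims:
        raise ValueError("delegated token (scp claim); expected an app-only token")
    granted = set(claims.get("roles", []))  # claim is omitted when nothing is consented
    return sorted(REQUIRED_ROLES - granted)


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples; the tenant ID is a placeholder.
TENANT = "00000000-0000-0000-0000-000000000000"
CONSENTED = constructed_token(
    {"tid": TENANT, "roles": ["User.Read.All", *sorted(REQUIRED_ROLES)]})
ADDED_NOT_CONSENTED = constructed_token({"tid": TENANT, "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("consented", CONSENTED), ("added, not consented", ADDED_NOT_CONSENTED)]:
        missing = missing_intune_roles(tok)
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```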