source link: https://www.petervanderwoude.nl/post/collection-of-information-for-monitoring-the-status-of-connectors-certificates-and-tokens/?shared=email&msg=fail

Collection of information for monitoring the status of connectors, certificates and tokens

January 10, 2022 by Peter van der Woude

This week is a follow-up on last week. Last week the focus was on providing an example for monitoring the Apple MDM push certificate with Azure Logic Apps and Adaptive Cards for Teams, and this week the focus is on providing more endpoints in Microsoft Graph that can be used for monitoring the different connectors, certificates and tokens. This blog post provides a collection of the different endpoints, the properties to verify and example queries to use, all summarized in tables, including links to the documentation. The following connectors, certificates and tokens are addressed within this post.

Note: This list of connectors, certificates and tokens is made based on the information available within Microsoft Endpoint Manager admin center (Tenant administration > Connectors and tokens). Please leave a comment when a connector, certificate, or token is missing and should be added.

Important: Most of the information provided in this post is verified and tested, but in some cases the connectors, certificates, or tokens were not available. In those cases a few logical assumptions are used – based on the documentation and experiences with other connectors, certificates, or tokens. Please leave a comment when information is not correct.

Connectors, certificates and tokens

Remote help

Remote help is provided as a connector in the Tenant administration > Connectors and tokens > Remote help overview. That connector is used for providing remote assistance in Microsoft Intune. However, as it’s directly integrated in Microsoft Intune there is no further status information. It also doesn’t contain a single endpoint that is queried to provide information.

Microsoft Store for Business

Microsoft Store for Business is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Store for Business overview. That connector is used for synchronizing apps from Microsoft Store for Business to Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if the last successful sync of the apps was more than a few days ago.

Connector (docs): Microsoft Store for Business
URL: https://graph.microsoft.com/beta/deviceAppManagement
Property: Use microsoftStoreForBusinessLastSuccessfulSyncDateTime to monitor the last successful sync
Example check: microsoftStoreForBusinessLastSuccessfulSyncDateTime is greater than addToTime(utcNow(),2,'day')

Windows enterprise certificate

Windows enterprise certificate is provided as a certificate in the Tenant administration > Connectors and tokens > Windows enterprise certificate overview. That certificate is used for sideloading LOB apps on Windows 10 devices and that page provides an overview of the status of the uploaded certificate. The information below can be used to monitor if the expiration date of that certificate is near (within the next 30 days).

Connector (docs): Windows enterprise certificate
URL: https://graph.microsoft.com/beta/deviceAppManagement/enterpriseCodeSigningCertificates
Property: Use expirationDateTime to monitor the expiration of the certificate
Example check: expirationDateTime is less than addToTime(utcNow(),30,'day')

Windows DigiCert certificate

Windows DigiCert certificate is provided as a certificate in the Tenant administration > Connectors and tokens > Windows DigiCert certificate overview. That certificate was required for distributing LOB apps to Windows 10 Mobile devices and that page provides an overview of the status of the uploaded certificate. The information below can be used to monitor if the expiration date of that certificate is near (within the next 30 days).

Connector (docs): Windows DigiCert certificate
URL: https://graph.microsoft.com/beta/deviceAppManagement/symantecCodeSigningCertificate
Property: Use expirationDateTime to monitor the expiration of the certificate
Example check: expirationDateTime is less than addToTime(utcNow(),30,'day')

Windows side loading keys

Windows side loading keys are provided as keys in the Tenant administration > Connectors and tokens > Windows side loading keys overview. Those keys were used for deploying LOB apps to Windows 8.1 devices and that page provides an overview of the added keys and the total activations. There is no status to monitor for side loading keys.

Connector (docs): Windows side loading keys
URL: https://graph.microsoft.com/beta/deviceAppManagement/sideLoadingKeys
Property: (none)
Example check: (none)

Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager overview. That connector is used for getting device information of Configuration Manager and that page provides an overview of the status information of the attached Configuration Manager environment. The information, however, isn’t available via the Microsoft Graph.

Apple MDM push certificate

Apple MDM push certificate is provided as a certificate in the Devices > iOS/iPadOS devices > iOS/iPadOS enrollment > Apple MDM push certificate overview. That certificate is used for managing devices with Microsoft Intune and that page provides an overview of the status of the push certificate. The information below can be used to monitor if the expiration date of that certificate is near (within the next 30 days).

Connector (docs): Apple MDM push certificate
URL: https://graph.microsoft.com/beta/deviceManagement/applePushNotificationCertificate
Property: Use expirationDateTime to monitor the expiration of the certificate
Example check: expirationDateTime is less than addToTime(utcNow(),30,'day')

Apple VPP tokens

Apple VPP tokens are provided as tokens in the Tenant administration > Connectors and tokens > Apple VPP tokens overview. Those VPP tokens are used for synchronizing apps (and licenses) from Apple to Microsoft Intune and that page provides an overview of the status of those tokens. The information below can be used to monitor if the last sync status is failed and to monitor if the expiration date of that token is near (within the next 30 days).

Connector (docs): Apple VPP tokens
URL: https://graph.microsoft.com/beta/deviceAppManagement/vppTokens
Properties: Use lastSyncStatus to monitor the last sync status; use expirationDateTime to monitor the expiration of the token
Example checks: lastSyncStatus is equal to failed; expirationDateTime is less than addToTime(utcNow(),30,'day')

Apple DEP tokens

Enrollment program tokens are provided as tokens in the Devices > iOS/iPadOS devices > iOS/iPadOS enrollment > Enrollment program tokens overview. Those enrollment program tokens are used for synchronizing devices to Microsoft Intune and that page provides an overview of the (sync) status of those tokens. The information below can be used to monitor if the last sync status is not successful and to monitor if the expiration date of that token is near (within the next 30 days).

Connector (docs): Apple DEP tokens
URL: https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings
Properties: Use lastSyncErrorCode to monitor the last sync status; use expirationDateTime to monitor the expiration of the token
Example checks: lastSyncErrorCode is not equal to 0; expirationDateTime is less than addToTime(utcNow(),30,'day')

Managed Google Play

Managed Google Play is provided as a connector in the Tenant administration > Connectors and tokens > Managed Google Play overview. That connector is used for synchronizing apps from Managed Google Play to Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if the last sync status is not successful.

Connector (docs): Managed Google Play
URL: https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings
Property: Use lastAppSyncStatus to monitor the last sync status
Example check: lastAppSyncStatus is not equal to success

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint overview. That connector is used for retrieving compliance information of Microsoft Defender for Endpoint in Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if that connection is available and if the latest heartbeat is no more than a few days ago.

Connector (docs): Microsoft Defender for Endpoint
URL: https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors
Properties: Use partnerState to monitor the state of the connection; use lastHeartbeatDateTime to monitor the last heartbeat of the connection
Example checks: partnerState is not equal to enabled; lastHeartbeatDateTime is greater than addToTime(utcNow(),2,'day')

Mobile Threat Defense

Mobile Threat Defense is provided as a connector in the Tenant administration > Connectors and tokens > Mobile Threat Defense overview. That connector is used for retrieving compliance information of the mobile threat defense partner in Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if that connection is available and if the latest heartbeat is no more than a few days ago.

Connector (docs): Mobile Threat Defense
URL: https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors
Properties: Use partnerState to monitor the state of the connection; use lastHeartbeatDateTime to monitor the last heartbeat of the connection
Example checks: partnerState is not equal to enabled; lastHeartbeatDateTime is greater than addToTime(utcNow(),2,'day')

Partner device management

Partner device management is provided as a connector in the Tenant administration > Connectors and tokens > Partner device management overview. That connector is used for retrieving compliance information of Jamf-managed macOS devices in Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if that connection is available and if the latest heartbeat is no more than a few days ago.

Connector (docs): Partner device management
URL: https://graph.microsoft.com/beta/deviceManagement/deviceManagementPartners
Properties: Use partnerState to monitor the state of the connection; use lastHeartbeatDateTime to monitor the last heartbeat of the connection
Example checks: partnerState is not equal to enabled; lastHeartbeatDateTime is greater than addToTime(utcNow(),2,'day')

Partner compliance management

Partner compliance management is provided as a connector in the Tenant administration > Connectors and tokens > Partner compliance management overview. That connector is used for retrieving compliance information of partner-managed devices in Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if that connection is available and if the latest heartbeat is no more than a few days ago.

Connector (docs): Partner compliance management
URL: https://graph.microsoft.com/beta/deviceManagement/complianceManagementPartners
Properties: Use partnerState to monitor the state of the connection; use lastHeartbeatDateTime to monitor the last heartbeat of the connection
Example checks: partnerState is not equal to enabled; lastHeartbeatDateTime is greater than addToTime(utcNow(),2,'day')

TeamViewer connector

TeamViewer connector is provided as a connector in the Tenant administration > Connectors and tokens > TeamViewer connector overview. That connector is used for integrating TeamViewer remote assistance with Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if the last connection was more than a few days ago.

Connector (docs): TeamViewer connector
URL: https://graph.microsoft.com/beta/deviceManagement/remoteAssistancePartners
Properties: Use onboardingStatus to monitor the status of the onboarding; use lastConnectionDateTime to monitor the moment of the last connection
Example check: lastConnectionDateTime is greater than addToTime(utcNow(),2,'day')

Certificate connectors

Certificate connector is provided as a connector in the Tenant administration > Connectors and tokens > Certificate connector overview. That connector is used for integrating certificate deployment via NDES with Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if the state of that connection is active.

Connector (docs): Certificate connectors
URL: https://graph.microsoft.com/beta/deviceManagement/ndesConnectors
Property: Use state to monitor the state of the connector
Example check: state is not equal to active

Telecom expense management

Telecom expense management is provided as a connector in the Tenant administration > Connectors and tokens > Telecom expense management overview. That connector is used for integrating telecom roaming data with Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the last connection was longer than a few days ago.

Connector (docs): Telecom expense management
URL: https://graph.microsoft.com/beta/deviceManagement/telecomExpenseManagementPartners
Property: Use lastConnectionDateTime to monitor the moment of the last connection
Example check: lastConnectionDateTime is greater than addToTime(utcNow(),2,'day')

Windows Autopilot

Windows Autopilot is provided as a connector in the Devices > Windows devices > Windows enrollment > Devices overview. That connector is used for integrating Autopilot device information with Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the sync state is something positive.

Connector (docs): Windows Autopilot
URL: https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotSettings
Property: Use syncStatus to monitor the status of the last sync
Example check: syncStatus is not equal to completed and syncStatus is not equal to inProgress
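The checks collected in this post can also be evaluated outside Logic Apps. The Python below is an added example, not code from the original post: it applies four of the listed checks to constructed sample Graph responses, handling both single-object and collection ("value") responses. The names CHECKS, RULES, evaluate and run_all are hypothetical, and the "stale" check assumes the intent described in the text (a heartbeat older than two days).

```python
import re
from datetime import datetime, timedelta, timezone

def parse_ts(text):
    # Graph timestamps are ISO 8601 UTC, sometimes with 7 fractional digits.
    return datetime.fromisoformat(re.sub(r"\.\d+", "", text).replace("Z", "+00:00"))

# Each check returns True when the value should raise an alert.
CHECKS = {
    "expires": lambda v, days, now: parse_ts(v) < now + timedelta(days=days),
    "stale": lambda v, days, now: parse_ts(v) < now - timedelta(days=days),  # assumed intent
    "eq": lambda v, bad, now: v == bad,
    "not_in": lambda v, healthy, now: v not in healthy,
}
# Checks taken from this post, keyed by Graph path relative to /beta/.
RULES = {
    "deviceManagement/applePushNotificationCertificate": {"expirationDateTime": ("expires", 30)},
    "deviceAppManagement/vppTokens": {
        "lastSyncStatus": ("eq", "failed"), "expirationDateTime": ("expires", 30)},
    "deviceManagement/mobileThreatDefenseConnectors": {
        "partnerState": ("not_in", {"enabled"}), "lastHeartbeatDateTime": ("stale", 2)},
    "deviceManagement/windowsAutopilotSettings": {
        "syncStatus": ("not_in", {"completed", "inProgress"})},
}

def evaluate(path, payload, now):
    """Return (path, property, value) for each failed check in one response."""
    # Collections arrive wrapped in {"value": [...]}, singletons as a bare object.
    items = payload["value"] if isinstance(payload.get("value"), list) else [payload]
    return [(path, prop, item.get(prop))
            for item in items
            for prop, (kind, arg) in RULES[path].items()
            # A missing property is reported rather than passed silently.
            if item.get(prop) is None or CHECKS[kind](item[prop], arg, now)]

# Constructed sample responses (not real tenant data), evaluated at a fixed time.
NOW = datetime(2022, 1, 10, tzinfo=timezone.utc)
SAMPLES = {
    "deviceManagement/applePushNotificationCertificate": {
        "expirationDateTime": "2022-02-01T09:30:00Z"},
    "deviceAppManagement/vppTokens": {"value": [
        {"lastSyncStatus": "completed", "expirationDateTime": "2022-12-01T00:00:00Z"},
        {"lastSyncStatus": "failed", "expirationDateTime": "2022-01-20T00:00:00.0000000Z"}]},
    "deviceManagement/mobileThreatDefenseConnectors": {"value": [
        {"partnerState": "enabled", "lastHeartbeatDateTime": "2022-01-05T08:00:00Z"}]},
    "deviceManagement/windowsAutopilotSettings": {"syncStatus": "inProgress"},
}
def run_all(now=NOW):
    return [f for path, body in SAMPLES.items() for f in evaluate(path, body, now)]
```

With live data, each payload would be the JSON body returned by an authenticated GET on the corresponding endpoint.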

