Jens Du Four

Tag: 2025

  • EPM Automation with Adaptive Cards

    Introduction

    This is an update on a previous article.

    EPM automation with Adaptive Cards transforms how IT teams handle elevation requests in Microsoft Intune. By combining Azure Logic Apps with Teams Adaptive Cards, you can automate the entire Endpoint Privilege Management approval workflow, allowing approvers to act on requests without leaving Microsoft Teams. This EPM automation solution eliminates the need to constantly monitor the Intune portal.

    EPM automation Adaptive Cards showing an approved elevation request in Microsoft Teams.

    The Challenge with Manual EPM Approvals

    When EPM is configured in Microsoft Intune, end users can request elevation to run applications requiring administrator privileges. However, the traditional approval workflow requires IT administrators to:

    1. Navigate to the Intune portal
    2. Find the pending elevation request
    3. Review the request details
    4. Approve or deny the request

    This process, while secure, creates friction, especially when approvers are busy with other tasks or aren’t actively monitoring the Intune console.

    The result?

    Delayed approvals and frustrated users waiting for elevated access.

    How EPM Automation with Adaptive Cards Works

    Our EPM automation solution bridges Microsoft Intune and Microsoft Teams by creating an automated workflow that:

    • Polls for pending requests every 5 minutes using Microsoft Graph API
    • Posts Adaptive Cards to a designated Teams channel with all request details
    • Enables one-click approval or denial directly from Teams
    • Updates the Adaptive Card to show the final decision and who made it
    EPM automation Adaptive Cards displaying a denied elevation request with reviewer details

    Architecture for EPM Automation

    1. Logic App (Recurrence Trigger - every 5 minutes)
        │
        ├──> GET Microsoft Graph API
        │    /deviceManagement/elevationRequests
        │
        ├──> Filter requests with status = "pending"
        │
        ├──> For each pending request:
        │    └──> Post Adaptive Card to Teams channel
        │         ├──> Approve button
        │         └──> Deny button
        │
        └──> When button clicked:
             └──> POST approval/denial via Graph API
             └──> Update Adaptive Card with decision

    Key Components of the EPM Automation Solution

    Azure Logic App for EPM Automation

    The Logic App serves as the orchestration engine for EPM automation. Using a recurrence trigger, it periodically queries the Microsoft Graph API for pending EPM elevation requests and processes each one by posting an interactive Adaptive Card to Teams.

    Adaptive Cards for Approval Actions

    The Adaptive Cards display comprehensive request information:

    • Requester – Who’s requesting elevation
    • Device Name – Which device the request originates from
    • Application – The executable requesting elevation
    • File Path – Where the application is located
    • Publisher – The application’s publisher
    • Justification – Why the user needs elevation

    The card includes two action buttons: Approve (green) and Deny (red). Once clicked, the Adaptive Card updates to reflect the decision.

    Managed Identity for Secure EPM Automation

    Security is paramount. Instead of storing credentials or secrets, the EPM automation solution uses an Azure Managed Identity to authenticate to Microsoft Graph API. This eliminates secret management overhead and follows security best practices.

    Microsoft Graph API Integration

    The solution leverages the Graph API beta endpoint for EPM operations:

    • GET /deviceManagement/elevationRequests – Retrieve pending requests
    • POST /deviceManagement/elevationRequests/{id}/approve – Approve a request
    • POST /deviceManagement/elevationRequests/{id}/deny – Deny a request

    Infrastructure as Code with Bicep

    The entire EPM automation solution is defined using Azure Bicep, making it reproducible and version-controllable. Here’s a simplified look at the main resources:

    // Managed Identity for secure Graph API access
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${logicAppName}-identity'
  location: location
  tags: tags
}

// Teams API Connection
resource teamsConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: 'teams-connection'
  location: location
  properties: {
    displayName: 'Teams Connection for EPM Approval'
    api: {
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'teams')
    }
  }
}

// Logic App with workflow definition
resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    definition: loadJsonContent('workflow.json').definition
    // ... parameters
  }
}

    Deploying Your EPM Automation with Adaptive Cards

    A PowerShell deployment script automates the entire setup process:

    # Deploy with default settings
.\deploy.ps1

# Or customize the deployment
.\deploy.ps1 -ResourceGroupName "rg-epm-approval" -Location "westeurope"

# Preview changes first
.\deploy.ps1 -WhatIf

    The script handles:

    • Prerequisites validation (Azure CLI, Bicep, login status)
    • Resource group creation
    • Bicep template deployment
    • Graph API permission assignment via Microsoft Graph PowerShell
    • Teams connection authorization prompt

    Required Graph API Permissions

    The Managed Identity needs the following application permissions:

    PermissionPurpose
    DeviceManagementConfiguration.ReadWrite.AllRead and update EPM elevation requests
    DeviceManagementManagedDevices.Read.AllRead device information

    Cost of EPM Automation

    One of the best aspects of this EPM automation solution is its cost-effectiveness:

    ResourceEstimated Monthly Cost
    Logic App (Consumption)~$0.50
    Managed IdentityFree
    Teams API ConnectionFree
    Log Analytics (optional)~$2-5

    Total: ~$2-6/month depending on the number of requests processed.

    Security Best Practices

    The EPM automation solution follows security best practices:

    • No secrets stored – Managed Identity handles authentication
    • Least privilege – Only required Graph permissions are assigned
    • Audit trail – All decisions are logged in both Intune and Logic App run history
    • Secure outputs – Sensitive data is protected in Logic App runs

    Extending the EPM Automation Solution

    The modular design allows for easy extensions:

    • Email notifications – Add email alerts for high-priority requests
    • ServiceNow integration – Create tickets for tracking purposes
    • Conditional logic – Auto-approve requests from specific applications
    • Escalation workflows – Escalate unanswered requests after a timeout

    Conclusion

    EPM automation with Adaptive Cards transforms the approval experience from a portal-centric task into a seamless Teams-based workflow. Approvers can now handle elevation requests without context-switching, leading to faster response times and improved user satisfaction.

    The solution is cost-effective (under $10/month), secure (no secrets, managed identity), and easy to deploy (Infrastructure as Code with automated deployment scripts).

    Ready to implement EPM automation with Adaptive Cards in your environment? Check out the full source code and detailed deployment instructions on GitHub!

  • Windows 365 Restore Points: A Guide to Long-Term Storage

    Windows 365 is a service that provides a Windows Cloud experience, allowing users to access a Windows desktop from anywhere. One of the key features of Windows 365 is the ability to create restore points, which are snapshots of the system at a specific point in time. Let’s take a look at what those mean!

    Overview of Windows 365 Restore Points

    Using restore points in Windows 365 offers several advantages. Firstly, they provide a safety net for system recovery, ensuring that users can quickly restore their system to a working state in case of any issues.

    Secondly, restore points help protect data by preserving user settings and installed applications. This means that even if a system crash occurs, users can recover their data without losing important information.

    Additionally, restore points can be used to test new software or updates, allowing users to revert to a previous state if the changes cause problems.

    How to adapt the automatic Windows 365 Restore Points in Microsoft Intune

    By default Microsoft Intune will create several restore points for each and every Cloud PC.

    The amount of restore points will never change and is two bi-weekly restore points and ten restore points you can adapt the recurrence of, this is done through a “User Setting”:

    Once you are here, you can adapt the recurrence.

    What about Storage Accounts?

    Storage accounts play a crucial role in managing restore points for Windows 365. These provide a secure solution for storing large amounts of data, including your restore points.

    By utilizing storage accounts, users can ensure that their restore points are safely stored and easily accessible when needed. One of the key benefits of using storage accounts is the ability to manage data efficiently, with options for redundancy and backup to protect against data loss.

    Additionally, storage accounts offer flexibility, allowing users to configure permissions and access controls to suit their needs. To use storage accounts for restore points, users can integrate their Windows 365 environment with Azure, setting up containers and blobs to store the restore points securely.

    This integration ensures that restore points are preserved long-term and can be retrieved quickly in case of system recovery needs.

    Creating the right Azure Storage Account

    There a few requirements to be met when creating a Storage Account for the Restore Points of the Cloud PC. They are listed below and we will go over the steps needed in Azure after these.

    • Instance details
      • Region: Same region as Cloud PC is recommended because of performance. There is no restriction on which region you should choose.
      • PerformancePremium (supports hot access tier) or Standard (supports all access tiers).
      • Premium account typePage blobs
    • Security
      • Minimum TLS version: Version 1.2.
      • Confirm Allow blob anonymous access is disabled (the default).
      • Disable Enable storage account key access.
    • Networking
      • Network accessEnable public access from all networks

    Creating a manual Restore Point in Microsoft Intune

    Once the Storage Account has been set up, you have the option to create a manual restore point in Microsoft Intune.

    If this option is not visible, verify the requirements above as the Storage Account will not be visible if it does not meet these.

    Conclusion

    In summary, Windows 365 restore points are an essential feature. They provide a reliable way to recover from system issues, preserve user settings, and test new software or updates.

    By creating and managing restore points effectively, users can safeguard their systems and minimize downtime.

    Additionally, utilizing storage accounts for long-term storage of restore points offers a scalable and secure solution for preserving these critical backups. I encourage everyone to take advantage of them in Windows 365 to enhance system management and data protection strategies.

  • Automating EPM Approvals with Teams and Azure Logic Apps

    Introduction

    Managing local admin rights across a modern workplace is a delicate balance between empowering users and maintaining security. With the introduction of Endpoint Privilege Management (EPM) in the Microsoft Intune Suite, organizations can now grant Just-In-Time (JIT) and/or rule-based elevation for standard users—without compromising control or compliance.

    However, when elevation requests require approval, IT teams need a fast and reliable way to respond.

    In this post, we’ll walk through how to integrate EPM with Microsoft Teams using Azure Logic Apps. The goal? Automatically notify IT or security teams when a user requests elevation, streamlining the approval process and improving visibility. Whether you’re managing a large enterprise or a hybrid workforce, this solution helps reduce friction while keeping your endpoints secure.

    What is Endpoint Privilege Management?

    Endpoint Privilege Management (EPM) is a feature in the Microsoft Intune Suite that allows organizations to manage and control local administrator rights on Windows devices—without granting permanent admin access. It enables rule-based and Just-In-Time (JIT) elevation, ensuring users can perform privileged tasks only when necessary, and only under defined conditions.

    Rules-Based Elevation: Three Options

    EPM supports three types of elevation rules:

    1. Automatic Elevation
      The application is elevated silently without user interaction, based on predefined rules.
    2. User-Confirmed Elevation
      The user is prompted to confirm the elevation request, typically with a business justification and/or Windows authentication.
    3. Support-Approved Elevation
      The user submits a request that must be approved by IT or support staff before elevation is granted. This is the model we’ll focus on in this post, as it allows integration with Microsoft Teams for real-time notifications and approvals.

    Just-In-Time Elevation with Support Approval

    Support-approved elevation is ideal for organizations that want to maintain strict control over admin rights while still enabling flexibility for end users. Essentially, when you are requesting elevation, the request is logged and routed for approval. Furthermore, by integrating this process with Microsoft Teams using Azure Logic Apps, IT teams can receive instant notifications and respond quickly—without switching tools or missing critical requests.

    Currently, when approved, these requests remain valid for 24 hours. However, this is something I would like to tackle in another blog post somewhere down the road.

    Benefits of Using EPM

    Implementing Endpoint Privilege Management offers several key advantages:

    • User Empowerment: Allows users to perform necessary tasks without waiting for manual intervention—when policies allow it.
    • Improved Security: Reduces the attack surface by eliminating standing admin rights.
    • Operational Efficiency: Automates elevation workflows and reduces helpdesk overhead.
    • Compliance and Auditing: Provides detailed logs of elevation activity for auditing and compliance reporting.

    Scenario Overview

    It’s essential that IT or security teams are notified as soon as a user submits a request. This ensures timely responses and keeps the approval workflow efficient.

    To achieve this, we use Azure Logic Apps to automate the process of sending a message to a Microsoft Teams channel the moment a request is made. The Logic App listens for elevation request events and posts a structured message (containing details like the user, device, application, and justification) directly into a designated Teams channel.

    To monitor these requests, we leverage the Microsoft Graph API, which allows us to query and react to EPM-related events. This integration ensures that the notification is both real-time and secure, and it can be extended to include approval workflows or logging mechanisms if needed.

    This setup bridges the gap between endpoint security and operational responsiveness, giving IT teams the visibility they need without manual overhead.

    Step-by-Step Guide

    Configure EPM

    In my demo environment I want to enable all the people for the “Mark 8 Project Team” to be able to open Wireshark as an elevated user. For this I will create a “Elevation Rules Policy”, I am assuming here that EPM was already configured beforehand.

    I start of in Microsoft Intune, where I navigate myself to the “Endpoint security”-blade. It is here we will find “Endpoint Privilege Management”. Where we will go to “Policies” and have the option to create a new “Elevation rules policy”.

    After going through the basics, we will have to fill in more detailed information about the package we are going to add to the rule. This information can be collected using the “EpmTools.dll”.

    Using this tool it is even possible to extract the publisher certificates out of the file. These can be added to the reusable library.

    Finally, we will fill in all the necessary details about the file.

    You can easily check if everything was configured correctly by checking it from a demo device. From the end-user perspective the “Run with elevated access”-option should be visible. After which, the elevation request should open.

    For the Intune administrator the request should come into the “Elevation requests”-tab almost immediately.

    This concludes the basic setup of EPM within this article. This is all we need to verify that there is date being picked up by the GraphAPI. To consume this data we will create an “App registration” in the next step.

    Create App registration with correct permissions

    First of all, we want to make sure that our data is being picked up in the GraphAPI. This should not be an issue as all components of the Intune Suite are connected to the GraphAPI.

    Through the Graph Explorer, you can easily check the date under “deviceManagement/elevationRequests”.

    Be aware to check that you are using the beta version of the api and that “DeviceManagementConfiguration.Read.All” has been granted to the Graph Explorer. Otherwise it will return a permission error.

    Creating an app registration is quite easy, but will allow us to grant these permissions there and not have to worry about authentication in our EPMChatbot.

    Once this is done, we will configure the API permissions. As said above, the only permission we need is the “DeviceManagementConfiguration.Read.All”.

    Make sure to also “Grant admin consent for <yourOrganisation>”.

    Our final step is to create the Client secret that can be used by our Azure Logic App.

    Make sure to take note of the value and secret, as these will be redacted after the creation.

    On to the last step, where we will create an Azure Logic App!

    Create Azure Logic App

    Finally, we will create an Azure Logic App that will poll the GraphAPI at a recurring interval for new approval requests. This will use the App registration we created before to make sure it has the right permissions. After this we get all the data from the GraphAPI, we will parse it and than use the Teams connector to send a formatted message in a Channel of our choice.

    First things first, creating the Logic app. This is done through the Azure Portal.

    We will opt for a Consumption-based Logic App to create our MVP.

    At last, we will use the Logic app designer. Here we will start by adding a trigger. Here we chose to go with a recurring moment. You can specify the time between this however you want.

    Afterwards, we will collect the data from the GraphAPI. Using the information we used in our test with the Graph Explorer. It is important here to also configure Authentication under the “Advanced parameters”. Otherwise, the Logic app will not have access to the right permissions.

    Afterwards, we will Parse the JSON that is in the Body of our HTTP request. Here you can use the “Use sample payload to generate schema” option. Creating the schema for the JSON can be tedious task. By using the example output from our Graph Explorer test, we can do this in a heartbeat. Finally, we will use the “Post message in a chat or channel”-option from the Teams connector. You can see there are quite a few options like the UserPrincipalName, file name and so on. We have just used a minimum in this demo to make sure everything works as it should.

    The result!

    After all of these steps, the following message should appear within your Teams channel of choice, with a link that can send you straight to Intune portal.

    Conclusion

    To conclude, you can see that it is perfectly possible to automate your EPM approvals with Teams. In this article we have built an MVP to look into the possibilities. However, there is much more to look into! In the next few months I’ll take a look at what options we have to further integrate this in Teams to completely remove Intune out of the equation. Let’s see how far we can go!

    As always, any questions, remarks or improvements spotted in here, feel free to reach out to me!

    Sources