Microsoft Intune + Azure Active Directory

Automate Device Management and Identity Governance with Microsoft Intune + Azure Active Directory

Connect endpoint security and identity management by integrating Intune and Azure AD through tray.ai's no-code automation platform.

Why integrate Microsoft Intune and Azure Active Directory?

Microsoft Intune and Azure Active Directory (now Microsoft Entra ID) are the two load-bearing pieces of Microsoft's endpoint and identity management stack. Intune handles how devices are enrolled, configured, and kept compliant. Azure AD controls who has access, under what conditions, and with which privileges, and its Conditional Access policies consume the compliance state Intune reports. Together they enforce a Zero Trust security posture, but without automation, keeping user identities, group memberships, device compliance states, and access policies in sync means constant manual work across both admin centers.

Automate & integrate Microsoft Intune & Azure Active Directory

Use case

Automated User Onboarding with Device Enrollment

When a new user is provisioned in Azure Active Directory, tray.ai can automatically send the user Intune enrollment instructions (Company Portal), add the user to the Azure AD groups that carry the department's or role's compliance and configuration policies, and, once the device enrolls, confirm it landed in the expected device group. Intune keeps no groups of its own; every profile, app and compliance policy is assigned to Azure AD user or device groups, so onboarding is mostly a matter of getting group membership right. This removes the manual coordination between HR, IT provisioning, and endpoint management teams that typically delays new-hire productivity.

Use case

Offboarding and Device Wipe Automation

When a user account is disabled in Azure AD, whether by an HR-driven workflow or by hand, tray.ai can revoke the user's sign-in sessions, then wipe corporate devices and retire personally owned devices in Intune. The workflow can also remove app licenses, drop the user from the Azure AD groups that drive Intune assignments, and log each action for compliance auditing. Disable first and delete later: Intune looks up a user's devices by account, so the device list must be captured while the user object still exists.

Use case

Conditional Access Policy Enforcement Based on Device Compliance

Intune reports each device's compliance state to Azure AD, and a Conditional Access policy with the "Require device to be marked as compliant" grant control blocks access from a non-compliant device on its next token request without any policy edit. What tray.ai adds is the workflow around that native block: it watches for compliance state changes, flags the device, notifies the owner and the IT team, and opens a ticket, so nobody waits for a manual policy review cycle to learn that a device was cut off or why.

Use case

Role-Based Device Group Management

As users change roles or departments in Azure AD, tray.ai can update the group memberships that Intune assignments target (Intune assigns configuration profiles, app deployments, and compliance policies to Azure AD user and device groups, not to groups of its own), so device configurations follow the user's current organizational context. Where department-based dynamic groups already exist, this reduces to keeping the department attribute accurate; nobody re-groups devices by hand.

Use case

Security Incident Response and Device Isolation

When Azure AD Identity Protection flags a risky sign-in or a compromised account, tray.ai can trigger an Intune workflow that remote-locks the user's devices, pushes a restrictive compliance or configuration profile, and forces a device sync while the security team investigates. Intune itself has no network-isolation action (that belongs to Microsoft Defender for Endpoint), so the Intune step is endpoint containment layered on top of the risk-based Conditional Access policy that should already be blocking the account. You get an automated first-response layer between identity threat detection and endpoint action.

Use case

App Assignment Automation Based on Azure AD Group Membership

Intune app assignments target Azure AD groups, so when a user joins or leaves a group the apps follow at the next Intune sync; nothing has to be re-assigned per user. What drifts is the mapping itself: which groups each app is assigned to and with which intent (required, available, uninstall). tray.ai can hold that mapping as desired state, watch for group and assignment changes, and reconcile Intune whenever an app is missing a group or carries a stale one, so a user's managed app portfolio always matches their current group affiliations.

Use case

Device Compliance Reporting and Audit Sync

tray.ai can periodically pull device compliance data from Intune and cross-reference it against Azure AD user and group records to generate unified compliance reports, flag discrepancies such as devices whose primary user is disabled or gone, devices that have stopped checking in, and enabled users with no license, and push summary data to a SIEM, data warehouse, or ticketing system. Security and audit teams get a consolidated view without manual exports from two separate admin portals.

Get started with Microsoft Intune & Azure Active Directory integration today

Microsoft Intune & Azure Active Directory Challenges

What challenges are there when working with Microsoft Intune & Azure Active Directory and how will using Tray.ai help?

Challenge

Real-Time Sync Between Identity Events and Device Actions

Azure AD user lifecycle events (provisioning, role changes, deactivation) happen continuously and need to show up immediately in Intune policies and group assignments. Polling manually or relying on scheduled sync jobs introduces lag, and during offboarding every minute in which a disabled user's tokens and devices still work is a security risk.

How Tray.ai Can Help:

tray.ai uses event-driven triggers backed by Microsoft Graph change notifications (webhook subscriptions on /users and /groups) to detect identity changes in near real time and run the matching Intune actions, cutting the latency of scheduled sync jobs or manual processes. Two properties of those notifications shape the workflow: a notification carries only the changed object's id, so the workflow reads the current attributes from Graph before acting, and subscriptions expire and must be renewed or events stop arriving silently.
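The receiver side of that event-driven trigger, as an added example that is not tray.ai's or Microsoft's code: it builds the Graph subscription body, answers the validationToken handshake, and rejects any POST whose clientState does not match the secret chosen at subscription time, since the notification URL is internet-reachable and that secret is the only proof a delivery came from Graph. The request and notification shapes follow the documented Graph change-notification format; SUBSCRIPTION_CLIENT_STATE, KNOWN_SUBSCRIPTIONS and the payload returned by sample_body() are constructed placeholders so the block runs offline.

```python
"""Receiver for Microsoft Graph change notifications on Entra ID users.

Added example (not tray.ai's or Microsoft's code). The subscription and
notification shapes follow the documented Graph format; the secret, the
subscription id and the sample payload are constructed placeholders.
"""
import hmac
import json

# Secret you chose when creating the subscription (placeholder value).
SUBSCRIPTION_CLIENT_STATE = "replace-with-a-long-random-secret"
# Subscription ids this receiver created; deliveries for any other id are dropped.
KNOWN_SUBSCRIPTIONS = {"7f1e2a7c-0000-4000-8000-000000000001"}


def subscription_body(notification_url: str, expiration_iso: str) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/subscriptions.

    /users subscriptions live at most 41760 minutes (29 days); the workflow must
    PATCH a new expirationDateTime before then or events silently stop."""
    return {
        "changeType": "updated,deleted",   # 'updated' covers accountEnabled flips and attribute edits
        "notificationUrl": notification_url,
        "lifecycleNotificationUrl": notification_url,
        "resource": "/users",
        "expirationDateTime": expiration_iso,
        "clientState": SUBSCRIPTION_CLIENT_STATE,
    }


def handle_notification_request(query: dict, body: bytes) -> tuple:
    """Process one HTTP request to the notification URL.

    Returns (http_status, response_body, accepted_events). Graph probes a new URL
    with ?validationToken=... and expects the token echoed back as text/plain.
    Real deliveries must be answered 202 quickly, so accepted events are returned
    for a queue instead of being processed inline."""
    if "validationToken" in query:
        return 200, query["validationToken"], []
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed body", []

    accepted = []
    for note in payload.get("value", []):
        if note.get("subscriptionId") not in KNOWN_SUBSCRIPTIONS:
            continue                                   # not ours, or a forged id
        # clientState is the only thing proving the POST came from Graph; constant-time compare.
        if not hmac.compare_digest(str(note.get("clientState", "")), SUBSCRIPTION_CLIENT_STATE):
            continue
        if "lifecycleEvent" in note:                   # reauthorizationRequired, subscriptionRemoved, missed
            accepted.append({"kind": "lifecycle", "event": note["lifecycleEvent"],
                             "subscriptionId": note["subscriptionId"]})
            continue
        # A change notification carries only the object id, never the changed attributes:
        # the worker must GET /users/{id}?$select=accountEnabled,department,... to learn
        # whether this 'updated' is actually a disable.
        accepted.append({"kind": "change", "changeType": note.get("changeType"),
                         "userId": (note.get("resourceData") or {}).get("id"),
                         "tenantId": note.get("tenantId")})
    return 202, "", accepted


def sample_body() -> bytes:
    """Constructed delivery: one genuine update, one forged clientState, one lifecycle event."""
    good = {"subscriptionId": "7f1e2a7c-0000-4000-8000-000000000001",
            "clientState": SUBSCRIPTION_CLIENT_STATE, "changeType": "updated",
            "resource": "Users/1c4a0000-0000-4000-8000-00000000beef",
            "resourceData": {"@odata.type": "#Microsoft.Graph.User",
                             "id": "1c4a0000-0000-4000-8000-00000000beef"},
            "tenantId": "00000000-0000-4000-8000-0000000000aa"}
    forged = dict(good, clientState="guess")
    lifecycle = {"subscriptionId": "7f1e2a7c-0000-4000-8000-000000000001",
                 "clientState": SUBSCRIPTION_CLIENT_STATE,
                 "lifecycleEvent": "reauthorizationRequired"}
    return json.dumps({"value": [good, forged, lifecycle]}).encode()
```

Running sample_body() through handle_notification_request yields two accepted events (the genuine update and the lifecycle event) and drops the forged one; a lifecycle event of reauthorizationRequired means the workflow has to renew the subscription, not just log it.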

Challenge

Complexity of Multi-Step Onboarding and Offboarding Workflows

Properly onboarding or offboarding a user across Intune and Azure AD involves many sequential and conditional steps — enrollment invitations, policy assignments, group placements, license allocation, device wipes — that span both platforms and often depend on user attributes like department and location. Managing this manually across two admin portals is error-prone and inconsistent.

How Tray.ai Can Help:

tray.ai's visual workflow builder lets IT teams build multi-step, conditional logic workflows that read user attributes from Azure AD and use them to drive the correct sequence of Intune actions. Every onboarding and offboarding comes out complete, consistent, and auditable regardless of who runs it.

Challenge

Microsoft Graph API Authentication and Token Management

Both Intune and Azure AD are managed through the Microsoft Graph API, which requires careful OAuth 2.0 token management, correct permission scoping, and handling of token expiration across long-running or scheduled workflows. Teams that script these integrations themselves have to build and maintain their own token refresh logic, permission grant processes, and secret rotation.

How Tray.ai Can Help:

tray.ai's pre-built Microsoft Intune and Azure Active Directory connectors handle OAuth 2.0 authentication, token refresh, and permission scoping natively, so IT teams can build and run workflows without writing or maintaining authentication code. The app registration behind the connector still needs admin consent for the right application permissions, and those should be limited to what the workflows do (wipe, retire and remote lock require DeviceManagementManagedDevices.PrivilegedOperations.All, while reporting needs only the Read.All variants); its client secret or certificate can disable accounts and wipe devices, so treat it as a Tier-0 credential.

Challenge

Mapping Conditional Logic Across Two Independent Data Models

Azure AD and Intune use overlapping but distinct data models. A device exists as an Azure AD device object and as an Intune managedDevice with different ids (the managedDevice carries the Azure AD id as azureADDeviceId), Intune assigns policies to Azure AD groups but keeps no groups of its own, and compliance and configuration policies exist only on the Intune side. Mapping Azure AD group types and attributes to the right Intune assignments and policies requires knowledge of both platforms and careful data transformation logic.

How Tray.ai Can Help:

tray.ai has a data mapping and transformation layer that lets teams visually define how Azure AD attributes and object types translate to corresponding Intune constructs, making it straightforward to build accurate, maintainable cross-platform logic without custom scripting.

Challenge

Audit Logging and Compliance Evidence Across Both Platforms

Enterprise compliance frameworks like SOC 2, ISO 27001, and NIST require organizations to show that device management and identity access controls are consistently enforced and that all changes are logged. Manually exporting and reconciling audit logs from both the Azure AD and Intune admin portals is time-consuming and leaves gaps in coverage.

How Tray.ai Can Help:

tray.ai automatically logs every workflow execution, trigger event, and API action taken across both Intune and Azure AD, producing a unified audit trail that compliance teams can reference directly or export to a SIEM or GRC platform as evidence of control enforcement. Keep the native Azure AD audit and sign-in logs and the Intune audit log as the authoritative record alongside it: the workflow log shows what the automation attempted, and the platform logs show what actually changed in the tenant.

Start using our pre-built Microsoft Intune & Azure Active Directory templates today

Start from scratch or use one of our pre-built Microsoft Intune & Azure Active Directory templates to quickly solve your most common use cases.

Microsoft Intune & Azure Active Directory Templates

Find pre-built Microsoft Intune & Azure Active Directory solutions for common use cases

Browse all templates

Template

New Azure AD User → Intune Enrollment and Policy Assignment

Automatically detects new user creation events in Azure Active Directory, sends the user Intune enrollment instructions, and adds the user to the Azure AD group that carries the department's compliance policy and configuration profile, so the right Intune assignments apply as soon as the device enrolls.

Steps:

  • Trigger on new user creation event in Azure Active Directory
  • Read user attributes (department, role, location) from the Azure AD profile
  • Send Intune enrollment instructions (Company Portal) to the new user's email
  • Add the user to the Azure AD group that targets the department's compliance policy and configuration profile
  • After enrollment, confirm the device appears in the expected device group (dynamic rule on device attributes) and in Intune as compliant

Connectors Used: Azure Active Directory, Microsoft Intune

Template

Azure AD User Disable → Intune Device Retire and Wipe

When a user account is disabled in Azure AD, this template revokes the user's sign-in sessions, locates all Intune-managed devices tied to the account, wipes corporate devices and retires personal ones, removes the user from the Azure AD groups that drive Intune assignments, and logs the offboarding event to a designated compliance record store. It runs on disable rather than delete because Intune looks devices up by user account.

Steps:

  • Trigger on user account disable event in Azure AD (disable first, delete later)
  • Revoke the user's sign-in sessions so existing refresh tokens stop working
  • Query Intune for all devices managed under the affected user account
  • Wipe each corporate-owned device and retire each personally owned device
  • Remove user from the Azure AD groups that drive Intune assignments
  • Log each action with its result and timestamp for the compliance audit trail

Connectors Used: Azure Active Directory, Microsoft Intune
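The device decision at the centre of this template and of the offboarding use case above, as an added example that is not tray.ai's code: it refuses to act on an account that is still enabled, revokes sessions before touching devices, and picks wipe or retire per device from managedDeviceOwnerType, returning the audit record the last step asks for. The URLs are the documented Graph v1.0 routes; the user and device records are constructed, and `send` is an injectable callable so nothing runs against a real tenant here.

```python
"""Plan and record the offboarding actions for a disabled Entra ID user.

Added example (not tray.ai's code). URLs are Graph v1.0 routes; SAMPLE_USER
and SAMPLE_DEVICES are constructed, and `send` is supplied by the caller.
"""
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def plan_offboarding(user: dict, devices: list) -> list:
    """Return the ordered Graph requests for one offboarded user.

    Guard: only act on an account that is already disabled; the page's disable-
    then-delete order exists because GET /users/{id}/managedDevices (the source
    of `devices`) no longer works once the user object is gone.
    Order: revoke refresh tokens first so a live session cannot keep working
    while devices are processed; then wipe corporate devices and retire personal
    (BYOD) ones, which removes company data and management without touching the
    employee's own content."""
    if user.get("accountEnabled", True):
        raise ValueError(f"{user['userPrincipalName']} is still enabled; disable it before offboarding")
    plan = [{"method": "POST", "url": f"{GRAPH}/users/{user['id']}/revokeSignInSessions",
             "body": None, "step": "revoke sessions"}]
    for dev in devices:
        if dev.get("managedDeviceOwnerType") == "company":
            action, body = "wipe", {"keepEnrollmentData": False, "keepUserData": False}
        else:
            action, body = "retire", None
        plan.append({"method": "POST",
                     "url": f"{GRAPH}/deviceManagement/managedDevices/{dev['id']}/{action}",
                     "body": body, "step": f"{action} {dev['deviceName']}"})
    return plan


def execute(plan: list, send, actor: str) -> dict:
    """Run the plan through `send(method, url, body) -> http_status` and return the audit record.

    Every step is recorded with its status, failures included, so the compliance
    record shows exactly which devices were reached; a 404 on one device must not
    be hidden behind a 'done' message."""
    results = [{"step": s["step"], "url": s["url"], "status": send(s["method"], s["url"], s["body"])}
               for s in plan]
    return {"actor": actor, "timestamp": datetime.now(timezone.utc).isoformat(),
            "steps": results,
            "complete": all(r["status"] in (200, 202, 204) for r in results)}


# Constructed records in the shape Graph returns (ids are placeholders).
SAMPLE_USER = {"id": "1c4a0000-0000-4000-8000-00000000beef",
               "userPrincipalName": "jdoe@contoso.example", "accountEnabled": False}
SAMPLE_DEVICES = [
    {"id": "d1", "deviceName": "LAPTOP-JDOE", "managedDeviceOwnerType": "company"},
    {"id": "d2", "deviceName": "iPhone", "managedDeviceOwnerType": "personal"},
]
```

For a real run, `send` is a thin wrapper around an HTTP client carrying the connector's bearer token; revokeSignInSessions answers 200 and the device actions 204, which is why both count as success in the audit record.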

Template

Intune Device Non-Compliance → Azure AD Conditional Access Block

Monitors Intune device compliance state changes and, when a device goes non-compliant, confirms the affected user falls under the Conditional Access policy that requires a compliant device (Azure AD enforces the block itself on the next token request), alerts the IT helpdesk, and notifies the device owner to remediate the issue.

Steps:

  • Trigger on Intune device compliance status change to non-compliant
  • Identify the Azure AD user associated with the non-compliant device
  • Confirm the user is in scope of the Conditional Access policy that requires a compliant device (no per-incident policy edit; the block is native)
  • Send automated notification to device owner with the failing compliance setting and remediation instructions
  • Create helpdesk ticket and assign to IT support queue for follow-up

Connectors Used: Microsoft Intune, Azure Active Directory

Template

Azure AD Group Membership Change → Intune App Assignment Sync

Keeps Intune app assignments in line with a group-to-app mapping. Because Intune assigns apps to Azure AD groups, a user who joins or leaves a group gets or loses the apps at the next sync with no per-user action; this template reconciles the mapping itself, so an app is never missing a group it should target or carrying one it should not, and every user's managed app portfolio matches their current group affiliations without manual IT intervention.

Steps:

  • Trigger on an Azure AD group change notification or on a schedule
  • Load the desired group-to-app mapping and the current assignments of each mapped app
  • For any app whose assignments drifted, post the complete desired assignment set (the assign action replaces the whole set)
  • Verify assignment propagation and log change to audit system

Connectors Used: Azure Active Directory, Microsoft Intune
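The reconciliation step of this template, which also covers the app assignment use case above and the data-model mapping challenge, as an added example that is not tray.ai's code. The point it makes in code: the Graph assign action replaces an app's whole assignment set, so the body must carry every group the app should keep plus any allDevices or allLicensedUsers target the mapping does not own, and only apps that actually drifted get a call. The assignment object shape and the .../mobileApps/{id}/assign route are the documented Graph v1.0 ones; DESIRED, the app and group ids and the CURRENT snapshot are constructed placeholders.

```python
"""Reconcile Intune app assignments against a group-to-app mapping.

Added example (not tray.ai's code). Assignment shape and the assign action
are Graph v1.0; DESIRED, CURRENT and all ids are constructed placeholders.
"""

GRAPH = "https://graph.microsoft.com/v1.0"
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"

# Desired state owned by IT: app id -> {Entra group id: intent}.
# Intents are Graph installIntent values: required, available, uninstall.
DESIRED = {
    "app-office": {"grp-all-staff": "required"},
    "app-figma": {"grp-design": "required", "grp-marketing": "available"},
}


def split_assignments(assignments: list) -> tuple:
    """Return ({groupId: intent}, [non-group assignments]) from the objects that
    GET .../deviceAppManagement/mobileApps/{id}/assignments returns. allDevices and
    allLicensedUsers targets are set aside untouched: this mapping does not own them."""
    groups, others = {}, []
    for a in assignments:
        if a.get("target", {}).get("@odata.type") == GROUP_TARGET:
            groups[a["target"]["groupId"]] = a["intent"]
        else:
            others.append(a)
    return groups, others


def assign_body(group_intents: dict, others: list) -> dict:
    """Body for POST .../deviceAppManagement/mobileApps/{id}/assign.
    The action replaces the whole assignment set, so every group the app should
    keep, and every non-group target, must be in the body, not just the change."""
    groups = [{"@odata.type": "#microsoft.graph.mobileAppAssignment", "intent": intent,
               "target": {"@odata.type": GROUP_TARGET, "groupId": gid}}
              for gid, intent in sorted(group_intents.items())]
    return {"mobileAppAssignments": groups + list(others)}


def reconcile(desired: dict, current: dict) -> dict:
    """Return {app_id: (url, body)} only for apps whose group assignments drifted.
    `current` maps app id -> assignments list as returned by Graph."""
    changes = {}
    for app_id, wanted in desired.items():
        have, others = split_assignments(current.get(app_id, []))
        if have != wanted:
            changes[app_id] = (f"{GRAPH}/deviceAppManagement/mobileApps/{app_id}/assign",
                               assign_body(wanted, others))
    return changes


# Constructed snapshot: office is correct; figma lacks marketing, carries a stale
# group, and has an allDevices target that must survive the reconcile.
CURRENT = {
    "app-office": [{"intent": "required",
                    "target": {"@odata.type": GROUP_TARGET, "groupId": "grp-all-staff"}}],
    "app-figma": [
        {"intent": "required", "target": {"@odata.type": GROUP_TARGET, "groupId": "grp-design"}},
        {"intent": "available", "target": {"@odata.type": GROUP_TARGET, "groupId": "grp-legacy"}},
        {"intent": "available", "target": {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}},
    ],
}
```

reconcile(DESIRED, CURRENT) produces one call, for app-figma, whose body adds grp-marketing, drops grp-legacy and keeps the allDevices target; feeding that body back as the new current state produces no further calls, which is the idempotence a scheduled run needs.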

Template

Azure AD Identity Protection Risk Event → Intune Device Isolation

When Azure AD Identity Protection flags a user as high-risk or detects a risky sign-in, this template automatically locates the user's Intune-managed devices, pushes a restrictive compliance policy, and notifies the security operations team with full context for investigation.

Steps:

  • Trigger on Azure AD Identity Protection high-risk user or sign-in event
  • Retrieve all Intune-managed devices registered to the at-risk user
  • Push restrictive emergency compliance policy to affected devices
  • Force a device sync in Intune so the new policy is evaluated immediately
  • Send incident alert with user, device, and risk details to security team channel

Connectors Used: Azure Active Directory, Microsoft Intune

Template

Scheduled Intune Compliance + Azure AD User Audit Report

Runs on a configurable schedule to pull current device compliance data from Intune and active user records from Azure AD, joins the data to identify compliance gaps, orphaned devices, and unlicensed users, and delivers a unified audit report to designated stakeholders.

Steps:

  • Trigger on scheduled interval (daily, weekly, or custom)
  • Pull all device compliance records from Microsoft Intune via API
  • Pull all active user and group records from Azure Active Directory
  • Cross-reference data to identify non-compliant devices, orphaned enrollments, and stale accounts
  • Generate consolidated audit report and distribute to IT and compliance stakeholders

Connectors Used: Microsoft Intune, Azure Active Directory
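The cross-reference step of this template and of the compliance reporting use case above, as an added example that is not tray.ai's code: it joins an Intune managedDevice export with an Azure AD user export and returns the four finding lists the report needs. Field names are the ones Graph returns for managedDevice and user objects; the records and the reference time are constructed, and the 30-day staleness window is an assumed threshold.

```python
"""Join Intune device compliance data with Entra ID user records.

Added example (not tray.ai's code). Field names follow Graph's managedDevice
and user objects; DEVICES, USERS and NOW are constructed; STALE_AFTER is an
assumed threshold.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)


def _parse(ts: str) -> datetime:
    """Graph timestamps end in 'Z'; make them timezone-aware on any Python 3.7+."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit(devices: list, users: list, now: datetime) -> dict:
    """Cross-reference the two exports and return the findings.

    noncompliant: complianceState other than 'compliant' (inGracePeriod, unknown,
                  error and conflict count too; none of them proves the device is healthy)
    orphaned:     enrolled devices whose primary user is missing or disabled, which keep
                  company data reachable after an offboarding that skipped the device
    stale:        devices that have not checked in within STALE_AFTER
    unlicensed_enabled: active users holding no licence, usually leftovers from moves"""
    by_upn = {u["userPrincipalName"].lower(): u for u in users}
    findings = {"noncompliant": [], "orphaned": [], "stale": [], "unlicensed_enabled": []}
    for d in devices:
        if d.get("complianceState") != "compliant":
            findings["noncompliant"].append(d["deviceName"])
        owner = by_upn.get((d.get("userPrincipalName") or "").lower())
        if owner is None or not owner.get("accountEnabled", False):
            findings["orphaned"].append(d["deviceName"])
        if now - _parse(d["lastSyncDateTime"]) > STALE_AFTER:
            findings["stale"].append(d["deviceName"])
    for u in users:
        if u.get("accountEnabled") and not u.get("assignedLicenses"):
            findings["unlicensed_enabled"].append(u["userPrincipalName"])
    return findings


# Constructed exports (ids and SKUs are placeholders).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "00000000-0000-4000-8000-0000000000e3"}]},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": False, "assignedLicenses": []},
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": True, "assignedLicenses": []},
]
DEVICES = [
    {"deviceName": "ALICE-PC", "userPrincipalName": "alice@contoso.example",
     "complianceState": "compliant", "lastSyncDateTime": "2024-05-30T08:00:00Z"},
    {"deviceName": "BOB-PC", "userPrincipalName": "bob@contoso.example",
     "complianceState": "noncompliant", "lastSyncDateTime": "2024-03-01T08:00:00Z"},
    {"deviceName": "OLD-TABLET", "userPrincipalName": "dave@contoso.example",
     "complianceState": "inGracePeriod", "lastSyncDateTime": "2024-05-28T08:00:00Z"},
]
```

On the constructed data BOB-PC shows up in three lists at once (non-compliant, orphaned because bob is disabled, and stale), which is the pattern of a device that survived an offboarding; OLD-TABLET is orphaned because its user no longer exists at all, and carol is the only enabled user without a licence.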