What you’ll need
- A Microsoft 365 tenant with Intune licenses assigned.
- Global Administrator (or Intune Administrator) role to grant admin consent.
- Two minutes.
Set it up
Option A — one-click OAuth (recommended)
Open the Intune integration in Layer
In Layer, go to Integrations, find Microsoft Intune, and click Connect.
Sign in and grant consent
You’ll be redirected to Microsoft’s sign-in screen. Use a Global Admin or Intune Admin account and tick Consent on behalf of your organization, then click Accept.
Option B — manual credentials
Use this method if your organization requires a dedicated app registration instead of delegated OAuth.
Register an app in Azure
In the Azure portal, go to App registrations → New registration.
- Name: Axiom Layer — Intune
- Supported account types: Single tenant
Create a client secret
Go to Certificates & secrets → New client secret. Copy the secret value — you won’t be able to see it again.
Grant API permissions
Go to API permissions → Add a permission → Microsoft Graph → Application permissions and add:
- DeviceManagementManagedDevices.Read.All — read managed devices
- DeviceManagementConfiguration.Read.All — read compliance and configuration policies
- Policy.Read.All — read conditional access policies
Paste credentials into Layer
In Layer, go to Integrations → Microsoft Intune → Connect and enter:
- Tenant ID
- Client ID
- Client Secret
What gets synced
| Object | Fields | Refresh cadence |
|---|---|---|
| Managed devices | name, serial number, model, OS, OS version, compliance state, encryption state, assigned user, last check-in | Every 6 hours |
| Compliance policies | name, platforms, last modified date | Every 6 hours |
| Conditional access policies | name, state (enabled/disabled), created and modified dates | Every 6 hours |
Token refresh
When you connect via OAuth, Microsoft access tokens expire approximately one hour after they are issued. Layer automatically refreshes tokens in the background each time a sync runs, so your connection stays active without any manual re-authorization. If a refresh fails — for example, because an admin revoked consent in the Azure portal — the connection status changes to needs re-auth and you can reconnect with one click.
Use cases
- Device inventory — see every managed laptop, phone, and tablet in one place, with model, OS, and assigned user.
- Compliance monitoring — check which devices are compliant, non-compliant, or not evaluated, and track encryption status.
- Offboarding — identify devices assigned to departing employees so you can wipe or reassign them.
- Audit evidence — Intune data feeds into Axiom Codex as evidence for SOC 2 and ISO 27001 device-management controls.
Troubleshooting
Connection shows needs re-auth
This means Layer could not refresh the access token automatically. The most common cause is revoked consent or an expired client secret. Go to Integrations → Microsoft Intune and click Reconnect to re-authorize.
Zero devices after first sync
Verify that Intune licenses are assigned to users in your tenant and that devices are enrolled. If you used manual credentials, confirm the app registration has the correct API permissions and that admin consent was granted.
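To confirm the permissions for a manual app registration, note that an app-only token issued for Microsoft Graph lists the consented application permissions in its roles claim. The Python below is an added example, not Layer's or Microsoft's code: it decodes a token's claims for troubleshooting and reports which of the three permissions listed on this page are missing and which extra ones are present. The function names, the constructed sample token and the placeholder tenant ID are assumptions.

```python
import base64
import json
import time

# The three application permissions this page asks you to grant.
REQUIRED_ROLES = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "Policy.Read.All",
}


def b64url(obj: dict) -> str:
    # Encode a dict as an unpadded base64url JSON segment (used for the sample only).
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def audit_app_token(token: str, now=None) -> dict:
    """Decode an app-only token WITHOUT verifying its signature and compare its roles."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    roles = set(claims.get("roles", []))  # treated as empty if the claim is absent
    now = time.time() if now is None else now
    return {
        "tenant_id": claims.get("tid"),
        "missing": sorted(REQUIRED_ROLES - roles),  # can explain an empty first sync
        "excess": sorted(roles - REQUIRED_ROLES),  # access beyond what this page lists
        "expired": claims.get("exp", 0) <= now,
    }


# Constructed, unsigned sample token so the example runs offline.
SAMPLE = ".".join([
    b64url({"alg": "none", "typ": "JWT"}),
    b64url({
        "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant ID
        "exp": 2_000_000_000,
        "roles": ["DeviceManagementManagedDevices.Read.All", "Policy.Read.All",
                  "DeviceManagementManagedDevices.ReadWrite.All"],
    }),
    "unsigned",
])

if __name__ == "__main__":
    print(audit_app_token(SAMPLE, now=1_900_000_000))
```

Because the signature is not checked, use the result only to inspect a token you requested yourself, never to make an authorization decision.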
Compliance state shows 'not evaluated'
Devices that haven’t checked in recently or don’t have a compliance policy assigned will show as “not evaluated.” Assign a compliance policy in the Intune admin center and wait for the next device check-in.
I want to disconnect
Go to Integrations → Microsoft Intune → Disconnect in Layer. If you used OAuth, also remove the Axiom app from Enterprise Applications in the Azure portal. If you used manual credentials, delete or disable the app registration.