Connect Microsoft Intune to sync Windows devices

Pull Windows + cross-platform managed devices from Intune via Microsoft Graph. Three steps in Azure AD, three in SimpleAMS.

May 27, 2026 6 min read SimpleAMS

Intune device sync uses the Microsoft Graph API with the client-credentials OAuth flow. You'll create an Azure AD App Registration, grant it one Graph permission, and paste three values into SimpleAMS.

1. Register an app in Azure AD

  1. Sign in to the Azure portal as a Global Admin (or someone with App Registration rights).
  2. Go to Microsoft Entra ID → App registrations → New registration.
  3. Name: "SimpleAMS Intune Sync". Supported account types: Single tenant. Leave Redirect URI blank.
  4. Click Register. From the overview page, copy two values:
    • Application (client) ID
    • Directory (tenant) ID

2. Grant the Graph permission

  1. From the app, click API permissions → Add a permission → Microsoft Graph → Application permissions.
  2. Search and tick DeviceManagementManagedDevices.Read.All.
  3. Click Add permissions.
  4. Click Grant admin consent for <your tenant>. This is the step most setups forget.

3. Create a client secret

  1. From the app, click Certificates & secrets → New client secret.
  2. Description: "SimpleAMS". Expiry: 24 months recommended.
  3. Click Add. Copy the secret value immediately - Azure hides it after you leave the page.

4. Plug into SimpleAMS

  1. Go to Settings → Integrations → Microsoft Intune.
  2. Paste:
    • Azure AD tenant ID: the Directory ID from step 1.
    • App registration client ID: the Application ID from step 1.
    • App registration client secret: the value from step 3.
  3. Tick Enable this integration and save.

5. Run a sync

Click Sync now. SimpleAMS exchanges the client credentials for a short-lived Graph token, then pages through deviceManagement/managedDevices. After the first run, the sync repeats daily.

6. What gets imported

  • Every Intune-managed device the app can see (Windows, macOS, iOS, Android).
  • Asset tag = Intune's serial if present, else INT-<device-id> as a stable fallback.
  • Manufacturer comes from the device record, else heuristic from the OS field (Windows → Microsoft, macOS → Apple, Android → Google).
  • Compliance state maps to asset status: compliant → Deployed, noncompliant/error → Broken.
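
The token exchange and paging from step 5, together with the import rules listed above, as an added Python sketch (this is not SimpleAMS's own code). The function names, the asset dictionary shape, and returning no status for compliance states the list does not mention are assumptions; the sample pages are constructed so the mapping can be run offline.

```python
import json
import urllib.parse
import urllib.request

DEVICES_URL = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
OS_VENDOR = {"windows": "Microsoft", "macos": "Apple", "android": "Google"}
STATUS = {"compliant": "Deployed", "noncompliant": "Broken", "error": "Broken"}

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials exchange; the inputs are the three values pasted in step 4."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default"}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def graph_get(token, url):  # authenticated GET against Graph (not called offline)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def iter_devices(fetch, url=DEVICES_URL):
    """Yield every device, following @odata.nextLink until no further page is offered."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def to_asset(dev):
    """Apply the import rules from section 6 to one managedDevice record."""
    serial = (dev.get("serialNumber") or "").strip()
    os_name = (dev.get("operatingSystem") or "").lower()
    return {"asset_tag": serial or f"INT-{dev['id']}",
            "manufacturer": dev.get("manufacturer") or OS_VENDOR.get(os_name),
            "status": STATUS.get((dev.get("complianceState") or "").lower())}

# Constructed sample: two Graph pages, served offline by a dict lookup.
PAGE2 = DEVICES_URL + "?$skiptoken=constructed"
SAMPLE = {
    DEVICES_URL: {"@odata.nextLink": PAGE2, "value": [{
        "id": "d-001", "serialNumber": "PF2ABC", "manufacturer": "LENOVO",
        "operatingSystem": "Windows", "complianceState": "compliant"}]},
    PAGE2: {"value": [{"id": "d-002", "serialNumber": "", "operatingSystem": "Android",
                       "complianceState": "noncompliant"}]}}

def demo():
    return [to_asset(d) for d in iter_devices(SAMPLE.__getitem__)]
```

For a live run, call `get_token` once and pass `lambda u: graph_get(token, u)` as `fetch`.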

Troubleshooting

  • 403 from Graph: forgot the admin consent step. Re-visit API permissions and click Grant admin consent.
  • Token exchange returned no access_token: client secret is wrong (often: you copied the secret ID instead of the secret value).
  • Slow first sync: large fleets paginate 100 devices at a time. The job is bound by Graph throttling - typically completes within 5 minutes for 5,000 devices.