Hi Community
Straight from the start i’ve been complaining on how Microsoft handles the notifications for EPM. This is done with toast notifications for the end user, with this type of notification al lot of stuff can happen that nobody is aware of the approval or deny of the request. For admins, the need to look to the intune portal to check is there is a request.
In this step by step guide i will describe how to get the notification in Teams by using Azure Logic apps. The reason i’m writing this blog is because i’ve found a lot of info scattered on the internet on this and i wanted to bundle this into 1 easy to follow blogpost.
Also check out these guides below for more detaild info:
Get an EPM elevation request notification! – Just about the Modern Workplace (joostgelijsteen.com)
I will be using Jose Schenardie’s template to configure this. With this template you will have this setup done in minutes.
Prequisites
- Intune Suite license or EPM Addon
- Admin Access to the Azure portal
- Azure subscription
- Teams (Admin) Access
- EPM Configured (Check my previous post on how to configure this here)
- Enough access to Slack / Teams to create and configure webhooks – allow the logic app to send notifications to your favorite IM tool
The Configuration
Run the Teams ARM Template
Go to the Azure Portal for the custom template or just the buttom below
You will be presented with this screen:
I will go over the things you need to fill in.
- Subscription: Choose your Azure subscription for the deployment.
- Resource Group: Choose or create a new resource group e.g: rg-EPMApprovalTeams.
- Region: Choose your region, in my case West Europe.
- Key Vault Name: Set a keyvault name e.g.: kv-EPMApprovalMessages.
- Logic App Name: Set a Logic App name e.g.: la-EPMApprovalMessages.
- Teams Webhook: We will get there just after this part, you will need to create this in teams and copy it here.
- Location: Don’t change this.
- Timezone: Fill in your time zone, this needs to be correct. You can find the correct naming here.
- Recurrence: How often (in minutes) you want the logic app to run and send notifications on the chosen channel, I left it on the default 5mins.
Leave this screen open, we now are going to continue to the creation of the webhook we need.
Get the Webhook
I already have deployed this so for the sake of taking screenshots i will do this again but cancel the Teams Channel setup at the end. You will see my config in the background buyt just ignore this. 😉
In your teams client click the down arrow and select New channel.
Now pick a Team to add the channel to. Give it a name, set a description if you want and choose the channel type and click create.
When the channel is created click on the more options button on the right of the channel and choose workflows.
In the workflows page we need to search for Post to a channel when a webhook request is received, click on the search result.
On the next screen just click next.
In my case the Microsoft Teams Team and the Microsoft Teams Channel where filled in automatically. Click Add workflow.
Your workflow is now being created. Copy the url somewhere, this is what we need to fill in into the the custom Azure template in the Webhook section. After you copied it click done.
Now go back to the Azure portal to finish the custom template with the webhook. After you paste this click review and create.
Wait untill all is created and then we need to set permissions.
The permissions
Your logic app requires read access to specific Graph scopes to retrieve Intune EPM logs, this can be achieve by using powershell. I’ve already compiled a script for your convenience that you can download here.
The only thing you need to change is the $MI variable to your Logic app name.
Open this script in an editor of your choice as an admin and run it. you will need to login with admin credentials also.
The result
Now to test this all out, just browse to file, right click it and choose Run with elevated access. For this test i’m using PowerShell-7.4.6-win-x64.msi.
Give the business justification and click send.
The request will show up in the EPM pane in your Intune portal.
Now remember that we have set the 5 minutes runtime for the Logic app. Now go to your Teams channel and you will see that the message is there.
We can also check the Azure portal and we can see the of the runs where successful or not.
So when you see no publisher in your EPM requests, these requests did not trigger a Teams notification.
I hope this write up will get your EPM notifications in a beter way. Have fun with it.
And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!
How much does the logic app cost to run or can you provide some figures to put into the cost estimator tool?
Microsoft’s cost calculator given it’s like licensing is clear as mud
We’d probably have maybe 10-15 EPM requests per day once it’s rolled out and we’d host the app either in Aus East or Aus Southeast
I just checked for you. For my testing i approved like 20 requests and i’m just over 1,3euros