Here is what is deployed for the demo you saw in our lab.

  • Power BI Pro Licenses – Used to publish online and share results
  • Power BI Gateway server – Used to complete scheduled refreshes of data in the dataset
  • Azure Active Directory P1 or higher – Used for pulling data and housing the enterprise application exposing graph API
  • Application Registration configured in Azure AD – Used for securely querying managed device and Azure AD data; the following delegated permissions are required:
    • Graph API – delegated permissions
      • “DeviceManagementApps.Read.All”
      • “DeviceManagementConfiguration.Read.All”
      • “DeviceManagementManagedDevices.Read.All”
      • “DeviceManagementRBAC.Read.All”
      • “DeviceManagementServiceConfig.Read.All”
      • “DeviceManagementConfiguration.ReadWrite.All”
      • “Group.Read.All”
      • “User.Read”
      • “User.Read.All”
      • “Device.Read.All”
      • “Reports.Read.All”
      • “Policy.Read.ConditionalAccess”
      • “Policy.Read.PermissionGrant”
    • Intune – delegated permissions
      • “Get_Data_warehouse”
    • Log Analytics API – delegated permissions
      • “Data.read”
    • WindowsDefenderATP – delegated permissions
      • “advancedquery.read”
      • “alert.read”
      • “file.read.all”
      • “ip.read.all”
      • “machine.read”
      • “remediationtasks.read”
      • “score.read”
      • “securityconfiguration.read”
      • “securityrecommendation.read”
      • “software.read”
      • “user.read.all”
      • “vulnerability.read”
  • Permissions for the user authenticating
    • Rights to the AAD Enterprise application
    • PowerBI Pro License
    • Intune License
  • Microsoft Endpoint Manager (Intune) – Used for managing devices in the environment, populating the managed devices data from Graph API and inventory data from the devices
  • Defender for Endpoint Plan 2
  • WaaSUpdateInsights (update compliance) solution configured within Log Analytics – used for pulling update information for managed devices
    • With Telemetry set to pull the PC Name
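As an added example (not code from the original demo or its report template), the check a practitioner would run before publishing: compare the delegated consent grants actually recorded on the app registration against the scope list above, and report anything missing, anything extra, and any write-capable scope that needs a least-privilege justification. The grant shape follows Microsoft Graph's `oauth2PermissionGrants` resource; the sample grants and the service-principal ids are constructed placeholders.

```python
# Audit an app's delegated consent grants against the scope list above. Input shape
# follows GET /v1.0/oauth2PermissionGrants (`scope` is one space-separated string);
# every id below is a constructed placeholder, not a real tenant value.
REQUIRED = {  # delegated scopes the report needs, per resource, as listed above
    "Microsoft Graph": (
        "DeviceManagementApps.Read.All DeviceManagementConfiguration.Read.All "
        "DeviceManagementManagedDevices.Read.All DeviceManagementRBAC.Read.All "
        "DeviceManagementServiceConfig.Read.All DeviceManagementConfiguration.ReadWrite.All "
        "Group.Read.All User.Read User.Read.All Device.Read.All Reports.Read.All "
        "Policy.Read.ConditionalAccess Policy.Read.PermissionGrant").split(),
    "Intune": ["Get_Data_warehouse"],
    "Log Analytics": ["Data.read"],
    "WindowsDefenderATP": (
        "advancedquery.read alert.read file.read.all ip.read.all machine.read "
        "remediationtasks.read score.read securityconfiguration.read "
        "securityrecommendation.read software.read user.read.all vulnerability.read").split(),
}

# Placeholder object ids of the four resource service principals in the tenant.
GRAPH_SP, INTUNE_SP, LA_SP, MDE_SP = "sp-graph", "sp-intune", "sp-la", "sp-mde"
RESOURCE_NAMES = {GRAPH_SP: "Microsoft Graph", INTUNE_SP: "Intune", LA_SP: "Log Analytics", MDE_SP: "WindowsDefenderATP"}

# Constructed sample: Graph lacks Reports.Read.All and carries an unneeded
# Mail.Read; Log Analytics and Defender match; no Intune grant exists at all.
SAMPLE_GRANTS = [
    {"resourceId": GRAPH_SP, "consentType": "AllPrincipals", "scope": " ".join(
        s for s in REQUIRED["Microsoft Graph"] if s != "Reports.Read.All") + " Mail.Read"},
    {"resourceId": LA_SP, "consentType": "AllPrincipals", "scope": "Data.read"},
    {"resourceId": MDE_SP, "consentType": "AllPrincipals",
     "scope": " ".join(REQUIRED["WindowsDefenderATP"])},
]

def audit_grants(grants, resource_names=RESOURCE_NAMES, required=REQUIRED):
    """Return {resource: {"missing": [...], "extra": [...], "write": [...]}}."""
    granted = {name: set() for name in required}
    for grant in grants:
        name = resource_names.get(grant["resourceId"])
        if name in granted:  # grants to resources the report does not use are ignored
            granted[name].update(grant.get("scope", "").split())
    report = {}
    for name, needed in required.items():
        have = granted[name]
        report[name] = {
            "missing": sorted(set(needed) - have),
            "extra": sorted(have - set(needed)),
            # write-capable scopes need an explicit least-privilege justification
            "write": sorted(s for s in have if "write" in s.lower()),
        }
    return report
```

Feed it the real grant list for the app's service principal and a real object-id-to-name map, and an empty "missing" list for all four resources means the delegated consent matches what the report needs.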

To configure the report template in the PBIX to consume the data, you'll need:

  • Organization accounts with rights to:
    • Graph API Enterprise Application
    • Log Analytics WaaSUpdateInsights solution (update compliance)
    • Security API from Defender for Endpoint P2
  • The AppID from the Graph API Enterprise application
  • The Log Analytics workspace ID