MS Intune Integration Guide – How to integrate Microsoft Intune with Reftab


Reftab can integrate with Microsoft Intune to populate your Reftab account with managed devices like Laptops and Desktops. Devices can be automatically checked out to users in Reftab. By doing so, you’ll have a convenient, single pane of glass to see all devices together in one application.

In this guide, we’ll cover:

Setting up the Integration

You’ll need a Reftab account on the Business plan, or an account on a trial of the Business plan, to set this up.

1. Log into Microsoft Azure and click “App Registrations” > “New Registration”.

2. Click “Add” > “App Registration”.

3. Next, name the app “Reftab” and click “Register”.

4. Next, on the left side under Manage, click “API Permissions”.

5. Next, select “Microsoft Graph”.

6. Next, select the option “Application Permissions”.

7. Next, expand the section for “DeviceManagementManagedDevices” and check the box for “Read Microsoft Intune devices” and click “Add Permissions” at the bottom.

8. Click the button “Grant admin consent confirmation”, then click “yes”.

9. Next, click “Add a permission” and search for “Device.Read.All” and click the check box to add.

10. Finally, you’ll need another API Application Permission of “Directory.Read.All”. Enable this permission the same way as in the steps above.

11. Be sure to “Grant Admin Consent” for the above permissions.

CHECK PERMISSIONS BEFORE PROCEEDING

Please double check that you have granted “Application” permissions for the following:

  • Device.Read.All
  • DeviceManagementManagedDevices
  • Directory.Read.All

12. Next, on the left side under Manage, click “Certificates & secrets”.

13. Click “New client secret”. Then, on the right, name it “Reftab key” and set expires to “24 months”. Then click “Add” at the bottom.

14. A value will appear. We will need it later, so copy it to a text document for now. This is the only time it will be visible.

15. Click “Overview” on the left side, then click “Endpoints”. Copy the value on the second line, “OAuth 2.0 token endpoint (v2)”, and paste it into a text document.

16. Next, log into Reftab as an administrator. Click “Settings” > “Integrations”. Click “Configure” next to ‘Microsoft Intune’.

In the window that appears, paste in the OAuth 2.0 token endpoint (v2).

Paste in the Application (client) ID. (This value can be found in your Intune Dashboard under App Registration. Click “Reftab” then click Overview and look for Application (client) ID.)

Paste in the Client Secret value. (note: you’re pasting in the value, not the client secret ID)

Next, choose a Reftab location the Intune devices should be saved to. Then, choose a category for the devices.

NOTE: The category you choose must have a text field called “Azure AD Device ID” saved into it for the integration to work.

If you don’t have this field, click cancel and click “Asset Categories” and create a new field titled “Azure AD Device ID” with a type of “text” and save it to your category for Intune devices. Then, come back to this page.

In the example screenshot above, Azure AD Device ID is a text field on the category “Laptops”. “Laptops” can then be selected as the category to sync Intune devices.

Once all options are selected, click “Save” and then click “Test”.

If the test is successful, you’ll see a response of the data that MS Intune is sending to Reftab.
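If the test fails, the permission checklist above is the first thing to re-check. The following is an added example, not Reftab's or Microsoft's code: it reads the `roles` claim of an app-only Microsoft Graph access token and compares it with the three application permissions from the checklist, also listing any permission granted beyond them. It assumes `DeviceManagementManagedDevices.Read.All` is the Graph role behind “Read Microsoft Intune devices”; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions from the guide's checklist, as Microsoft Graph role names.
REQUIRED_ROLES = {
    "Device.Read.All",
    "DeviceManagementManagedDevices.Read.All",  # "Read Microsoft Intune devices"
    "Directory.Read.All",
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Only for inspecting a token you requested yourself; an unverified
    payload must never drive an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def audit_roles(access_token: str) -> dict:
    """Compare the token's app-only 'roles' claim with the checklist."""
    granted = set(token_claims(access_token).get("roles", []))
    return {
        "missing": sorted(REQUIRED_ROLES - granted),  # admin consent not granted
        "extra": sorted(granted - REQUIRED_ROLES),    # broader than the guide needs
    }


def constructed_token(roles: list) -> str:
    # Constructed sample standing in for a real token; the signature is a dummy.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


if __name__ == "__main__":
    sample = constructed_token(["Device.Read.All", "Directory.Read.All", "User.ReadWrite.All"])
    print(audit_roles(sample))
```

To check a real registration, request a token from the OAuth 2.0 token endpoint (v2) using the client-credentials grant with scope `https://graph.microsoft.com/.default`, then pass it to `audit_roles`.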

Syncing Fields from Intune to Reftab

Within the Reftab Intune configuration page you can select certain fields to sync from Intune to Reftab.

First, select your category next to “Default Category”.

Then, you will see a table of all the available fields that can be mapped from Intune. Click “Map field” and the system will create a field in your chosen category automatically.

Syncing Device Owners to Auto Assign Assets from Intune

You can automatically assign assets to users after enabling the “Auto Assign Assets” option. Reftab will look for a user via the “emailAddress” attribute sent from Intune. If that email address is found for a user in Reftab, the asset will be checked out to them indefinitely.

NOTE: Setting up a SCIM integration is ideal for this scenario to automatically add users from Azure. See this guide here: https://www.reftab.com/faq/scim-azure-active-directory/

If an asset is already checked out in Reftab, it will not be checked out again even if a value for the emailAddress attribute is sent from Intune.

Types of Devices to Import

Reftab allows you to choose which types of devices to sync. This is helpful if you have some staff who have personally owned devices registered in Intune and you don’t need to track them in Reftab.

  • Company Devices – owned by company
  • Personal Devices – personal devices
  • Company and Personal Devices – both personal and company owned

Types of Devices to Import by OS

Reftab allows you to choose which type of OS to sync from Intune. This is helpful if you only want to sync certain devices such as Windows only or iOS and Android only, etc.

NOTE: By default the asset names that display in Reftab are mapped from the Intune field of: “Management Name”. The values for management name can be edited in MS Endpoint Manager by clicking “Devices” and “Windows Devices”.

However, you can choose to map the asset title to other fields from Intune.

Options for Setting Asset IDs / Changing Asset ID’s after Sync

By default, assets will be created in Reftab with Azure’s AD Device ID value as the Asset ID.

However, Reftab provides a setting called “Use ‘Serial Number’ for Asset ID”. Turn that on and newly created assets will be saved into Reftab with the Serial Number instead.

After assets are synced into Reftab, you may manually change an asset’s ID. Find the asset and click “Edit” > “Override and Change Barcode” (note, only Reftab administrators can do this.)

Move assets to different locations after sync

By default, Reftab’s Intune integration saves assets into one location. However, you can configure workflows to move assets to other locations based on all sorts of criteria. See our workflow page here: https://www.reftab.com/faq/can-reftab-automatically-move-assets-to-different-locations/

Moving assets into a new category after sync

You may also move the asset into a new category. However, keep in mind the fields that are populated are based upon the fields present in the assigned category. To change an asset’s category, see our FAQ page here: https://www.reftab.com/faq/how-to-change-an-assets-category/

Assign Assets Alternative Mode

If assets aren’t being checked out to the correct users in Reftab, you can try enabling this setting. This will parse the data from Intune in an alternative manner to find users.

Notes on changing primary user in Intune

As of writing this article, if you change the primary user in Intune, the asset will not check out to the new user in Reftab.

The recommended way is to simply scan the asset’s barcode or pull up the asset on screen and check-in the device. Then when the device is enrolled to a new user in Intune, it will automatically check out the device to that new user in Reftab. (We are developing a setting to enable / disable this behavior for a future update)

For help email “[email protected]”.