MS Intune Integration Guide – How to integrate Microsoft Intune with Reftab

Reftab can integrate with Microsoft Intune to populate your Reftab account with managed devices like Laptops and Desktops. Devices can be automatically checked out to users in Reftab. By doing so, you’ll have a convenient, single pane of glass to see all devices together in one application.
🔹 Before You Begin
Before enabling the Microsoft Intune integration, if you have already created assets that will be kept up to date by Intune, then you need to ensure your existing assets in Reftab contain the required identification fields.
To prevent duplicate assets and ensure Intune updates existing records correctly, assets must include:
- Serial Number
- Azure AD Device ID
Reftab uses these fields together to uniquely identify devices during sync. Assets missing either field may be skipped to prevent duplicate creation or incorrect updates.
Additionally, we recommend configuring SCIM provisioning first before setting Intune up:
- Why: Setting up SCIM ensures that your users are automatically created and managed within Reftab. This allows Intune-synced devices to be automatically assigned to the correct users in Reftab.
- If you skip SCIM: You can still integrate Intune to bring devices into Reftab, but those devices won’t be linked to specific users unless SCIM is configured later.
Best practice:
- Complete your SCIM integration.
- Ensure any existing Intune devices in Reftab have the required identification fields (Serial Number and Azure AD Device ID).
- Then proceed with the Intune integration.
This approach provides the most accurate and automated user-to-device relationships in Reftab.
Contents of This Guide
- Setting up the integration
- Configuring for Autopilot (optional)
- Configuring Secrets, Endpoint, and Reftab Intune Settings
- Syncing asset data fields from Intune to Reftab
- Syncing device owners to automatically assign assets to users
- Types of devices to import
- Limit Categories to import
- Viewing Installed Software
- Move assets to different locations after sync (optional)
- Updating asset ID’s
- Suggested Next Steps
Setting up the Integration
You’ll need a Reftab account on the Business plan, or an account on a Business plan trial, to set this up.
Log into Microsoft Azure and click “App Registrations” > “New Registration”.
Click “Add” > “App Registration”.

Next, name the app “Reftab” and click “Register”.

Next, on the left side under Manage, click “API Permissions”.

Next, select “Microsoft Graph”.

Next, select the option “Application Permissions”.

Next, expand the section for “DeviceManagementManagedDevices” and check the box for “Read Microsoft Intune devices” and click “Add Permissions” at the bottom.

Click the button “Grant admin consent confirmation”, then click “yes”.

Next, click “Add a permission”, search for “Device.Read.All”, and click the check box to add it.

Finally, you’ll need another API Application Permission of “Directory.Read.All”. Enable this permission the same way as in the steps above.
Be sure to “Grant Admin Consent” for the above permissions.


CHECK PERMISSIONS BEFORE PROCEEDING
Please double check that you have granted “Application” permissions for the following:
- Device.Read.All
- DeviceManagementManagedDevices
- Directory.Read.All
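One way to run this check outside the portal, as an added example that is not Reftab's or Microsoft's code: decode the "roles" claim of an app-only access token issued to the “Reftab” registration and compare it with the permissions listed above. It assumes “DeviceManagementManagedDevices” means DeviceManagementManagedDevices.Read.All (the “Read Microsoft Intune devices” checkbox), treats the Autopilot permission as optional, and uses a constructed, unsigned sample token.

```python
import base64
import json

# Application permissions this guide asks for; the Autopilot one is optional.
REQUIRED = {
    "Device.Read.All",
    "DeviceManagementManagedDevices.Read.All",  # assumed full name, see lead-in
    "Directory.Read.All",
}
OPTIONAL = {"DeviceManagementServiceConfig.Read.All"}


def token_roles(access_token: str) -> set[str]:
    """Return the 'roles' claim of a JWT without verifying its signature.

    Inspection only: never base an access decision on an unverified claim.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit_roles(roles: set[str]) -> dict[str, list[str]]:
    """Compare granted application permissions with what the guide requires."""
    return {
        "missing": sorted(REQUIRED - roles),
        "optional_present": sorted(OPTIONAL & roles),
        # Anything beyond the guide's list widens what a leaked secret can do.
        "unexpected": sorted(roles - REQUIRED - OPTIONAL),
    }


def constructed_token(roles: list[str]) -> str:
    """Build an unsigned sample token (constructed test data, not a real one)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"roles": roles}) + ".sig"


if __name__ == "__main__":
    sample = constructed_token(
        ["Device.Read.All", "Directory.Read.All",
         "DeviceManagementManagedDevices.ReadWrite.All"]
    )
    print(audit_roles(token_roles(sample)))
```

An empty "missing" list with an empty "unexpected" list means the registration holds exactly the read-only permissions this guide asks for.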
Configuring for Autopilot (optional)
What is Windows Autopilot?
A Microsoft service that lets you pre-configure new devices to ship directly to users, with company settings and apps already applied — no IT setup needed.
Why use it with Reftab?
Importing Autopilot devices into Reftab keeps your inventory updated before devices even ship, making onboarding and device assignment faster and easier.
To set this up, ensure you add the application permission DeviceManagementServiceConfig.Read.All and grant it Admin Consent.

When configuring on the Reftab side, ensure that you set a default location for your Autopilot devices:

Configuring Secrets, Endpoint, and Reftab Intune Settings
Next, on the left side under Manage, click “Certificates & secrets”.

Click “New client secret”. Then, on the right, name it “Reftab key” and set expires to “24 months”. Then click “Add” at the bottom.

A value will appear. Copy it to a text document for now, as we will need it later. This is the only time it will be visible.

Click “Overview” on the left side, then click “Endpoints”. Copy the value on the second line, “OAuth 2.0 token endpoint (v2)”, and paste it into a text document.

Next, log into Reftab as an administrator. Click “Settings” > “Integrations”. Click “Configure” next to “Microsoft Intune”.

In the window that appears, paste in the OAuth 2.0 token endpoint (v2).
Paste in the Application (client) ID. (This value can be found in your Intune Dashboard under App Registration. Click “Reftab” then click Overview and look for Application (client) ID.)

Paste in the Client Secret value. (note: you’re pasting in the value, not the client secret ID)
Next, choose a Reftab location the Intune devices should be saved to. Then, choose a category for the devices.

NOTE: The category you choose must have text fields called “Azure AD Device ID” and “Serial Number” saved into it for the integration to work.
If you don’t have these fields, click cancel, click “Asset Categories”, and create a new field titled “Azure AD Device ID” with a type of “text”, as well as a field titled “Serial Number” with a type of “text”. Ensure that you mark your Serial Number field with the No Duplicates toggle, and save both fields to your category for Intune devices. Then, come back to this page.

In the example screenshot above, “Azure AD Device ID” and “Serial Number” are text fields on the “Laptops” category, so “Laptops” can be selected as the category to sync Intune devices.
Once all options are selected, click “Save” and then click “Test”.
If the test is successful, you’ll see a response of the data that MS Intune is sending to Reftab.
Syncing Fields from Intune to Reftab
Within the Reftab Intune configuration page you can select certain fields to sync from Intune to Reftab.
First, select your category next to “Default Category”.
Then, you will see a table of all the available fields that can be mapped from Intune. Click “Map field” and the system will create a field in your chosen category automatically.

Syncing Device Owners to Auto Assign Assets from Intune
You can automatically assign assets to users after enabling the “Auto Assign Assets” option. Reftab will look for a user via the “emailAddress” attribute sent from Intune. If that email address is found for a user in Reftab, the asset will be checked out to them indefinitely.
NOTE: Setting up a SCIM integration is ideal for this scenario to automatically add users from Azure. See this guide here.
If an asset is already checked out in Reftab, it will not be checked out again even if a value for the emailAddress attribute is sent from Intune.

Types of Devices to Import
Reftab allows you to choose which types of devices to sync. This is helpful if you have some staff who have personally owned devices registered in Intune and you don’t need to track them in Reftab.
- Company Devices – owned by company
- Personal Devices – personal devices
- Company and Personal Devices – both personal and company owned

Limit Categories to import
Optionally, Reftab permits you to restrict which categories you would like to import. For example, if you create a category in Intune labeled “HR Laptops”, you will be able to restrict the integration to only bring in “HR Laptops”. If left blank, the integration will operate normally and import all categories.
If you have shared Entra tenants, this will be useful for pulling devices based on the Intune device category.

Please note that each category will need to be on a separate line.
Types of Devices to Import by OS
Reftab allows you to choose which type of OS to sync from Intune. This is helpful if you only want to sync certain devices such as Windows only or iOS and Android only, etc.

NOTE: By default the asset names that display in Reftab are mapped from the Intune field of: “Management Name”. The values for management name can be edited in MS Endpoint Manager by clicking “Devices” and “Windows Devices”.

However, you can choose to map the asset title to other fields from Intune.

Viewing Installed Software
When viewing an asset synced with Intune, you can click the tab “Licenses and Software”.

You’ll see a table showing a list of applications installed on the computer. You’ll also see a column labeled “Vulnerabilities”. Reftab checks the application and the version against CVE databases. If a vulnerability is found, you’ll see it listed in the “Vulnerabilities” column.
Changing Asset ID’s after Sync
After assets are synced into Reftab, you may manually change an asset’s ID. Find the asset and click “Edit” > “Override and Change Barcode” (note, only Reftab administrators can do this.)

Move assets to different locations after sync
By default, Reftab’s Intune integration saves assets into one location. However, you can configure workflows to move assets to other locations based on all sorts of criteria. See an example where we use workflows to move assets based on a loanee’s location here: How to Auto-Assign Asset Locations via Loanee Fields in Workflows
Moving assets into a new category after sync
You may also move the asset into a new category. However, keep in mind the fields that are populated are based upon the fields present in the assigned category. To change an asset’s category, see our FAQ page here: How to Change an Assets Category
Assign Assets Alternative Mode
If assets aren’t being checked out to the correct users in Reftab, you can try enabling this setting. This will parse the data from Intune in an alternative manner to find users.

Notes on changing primary user in Intune
If your team assigns Primary Users in Intune, you’ll want to toggle “Auto Re-Assign Assets.” This will allow Reftab to assign the asset to the new Primary User upon next sync:

An important note: Reftab will not check the asset back in if the Primary User is removed. The system will only re-assign the asset if a new Primary User is present.
Important Notes
Default system emails for “check out” and “return” do not trigger by default when Intune assigns or returns assets. If a user wants to use emails or any other actions, workflows can be used to achieve this purpose.
By default, the Intune integration uses Serial Number as the Asset ID. While this setting is enabled automatically, accurate asset matching does not occur based on Asset ID alone. For existing assets to be reliably identified and updated during Intune syncs, you must have both of the following fields present and populated on assets:
- Serial Number
- Azure AD Device ID
Reftab uses these fields to locate and map existing assets. If an incoming Intune device has a serial number that matches an existing Asset ID, but the asset does not contain a populated Serial Number field, the record will be treated as an ID collision and skipped rather than updated.
Why Assets May Be Skipped During Intune Sync
Reftab requires a unique and stable Serial Number field to correctly match Intune devices to existing assets.
In some environments, devices may report non-unique or placeholder serial numbers (for example: generic BIOS values, default manufacturer strings, or reused identifiers). When this occurs and the asset category does not include a properly populated “Serial Number” field, multiple assets may appear to match the same incoming Intune device.
To prevent assets from incorrectly overwriting each other or oscillating between updates, Reftab will skip the affected device rather than applying an update or creating a duplicate asset.
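A pre-sync check over an asset export, covering both the “Before You Begin” requirements and the skip conditions described above. This is an added example, not Reftab's code, and it does not reproduce Reftab's matching logic; the CSV column names, the sample rows and the placeholder list are assumptions.

```python
import csv
import io
from collections import Counter

# Illustrative firmware-default serials (assumed list; extend it with values
# observed in your own fleet).
PLACEHOLDER_SERIALS = {
    "to be filled by o.e.m.", "default string", "system serial number",
    "none", "n/a", "0", "0123456789",
}

# Constructed sample export; column names are assumptions for this example.
SAMPLE_EXPORT = """\
Asset ID,Serial Number,Azure AD Device ID
PF2ABC1,PF2ABC1,6f1c0d7e-0000-4000-8000-000000000001
PF2ABC2,,6f1c0d7e-0000-4000-8000-000000000002
LAB-01,Default string,6f1c0d7e-0000-4000-8000-000000000003
LAB-02,Default string,6f1c0d7e-0000-4000-8000-000000000004
C02XYZ9,C02XYZ9,
C02XYZ8,c02xyz8,6f1c0d7e-0000-4000-8000-000000000005
C02XYZ7,C02XYZ8 ,6f1c0d7e-0000-4000-8000-000000000006
"""


def presync_findings(export_csv: str) -> dict[str, list[str]]:
    """Return Asset IDs grouped by the problem that could get them skipped."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))

    def norm(value):
        # Comparing trimmed, lower-cased values is this example's assumption.
        return (value or "").strip().lower()

    serial_counts = Counter(norm(r["Serial Number"]) for r in rows)
    findings = {"missing_serial": [], "missing_device_id": [],
                "placeholder_serial": [], "duplicate_serial": []}
    for r in rows:
        serial = norm(r["Serial Number"])
        if not serial:
            findings["missing_serial"].append(r["Asset ID"])
        elif serial in PLACEHOLDER_SERIALS:
            findings["placeholder_serial"].append(r["Asset ID"])
        elif serial_counts[serial] > 1:
            findings["duplicate_serial"].append(r["Asset ID"])
        if not norm(r["Azure AD Device ID"]):
            findings["missing_device_id"].append(r["Asset ID"])
    return findings


if __name__ == "__main__":
    print(presync_findings(SAMPLE_EXPORT))
```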
Suggested Next Steps
Enhance your asset management by integrating Reftab with Microsoft Entra for seamless SaaS discovery and utilization tracking. This setup builds on your current infrastructure, automating the management of both hardware and software assets. Click here to get started.
For support, email “help@reftab.com”.