Installation
This page describes how install the Intune Assistant Worker in your tenant.
Prerequisites
Before you install the Intune Assistant worker make sure you have this in place:
A valid Azure Subscription: the Intune Assistant consumes Azure credits, make sure you have a subscription with a valid payment method
Proper permissions, you deploy resources, you need at least contributor permission at subscription or existing resource group level
The Intune Assistant Worker is a paid service and will be charged above the Azure consumption.
Fill in deployment values
The values represents the following:
Subscription and resourcegroup: the place where you deploy the resources
Region: Normally you pick the nearest region. The Intune Assistant API itself runs in West Europe
Worker name: must be globally unique and is the name where you connect to later
Microsoft Tenant ID: Is your own tenant ID
Notification Email: Provide the email adress to get notified about when the installation is finished.
That's it. From now on, only users signed in with your organization's Microsoft account can access the Worker dashboard
Finish Installation
After deploying the Worker from the Azure Marketplace, there are a few steps to complete before it's fully operational. None of them take long — most users are up and running within 15 minutes.
Where is my Worker dashboard? You can find the URL in the deployment confirmation email, or go to the Azure Portal → Resource Groups → your Worker resource group → App Service and click the Default domain link.
Secure Your Dashboard (Recommended)
Your Worker has a built-in web dashboard. By default, anyone with the URL can view it. We strongly recommend restricting access so that only users from your own organization can open it.
This takes about 30 seconds:
Go to Azure Portal
Navigate to App Services → select your Worker
In the left menu, click Authentication
Click Add identity provider
Select Microsoft
Under Tenant type, choose Workforce configuration (current tenant)
Click Add
That's it. From now on, only users signed in with your organization's Microsoft account can access the Worker dashboard.
Skipping this step means anyone who knows your Worker's URL can view its status. The dashboard is read-only and does not expose your Intune data, but securing it is still best practice.
For more information about securing your web application check: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#identity-providers
Set a Sender Email (Optional)
When the Worker sends you job reports (audit reports, drift alerts, etc.), it sends them from an email address. By default, this is the notification email you provided during deployment.
If you want reports sent from a different address — for example, a shared mailbox or a dedicated monitoring address — you can change it from the Worker dashboard in IntuneAssistant.
Go to IntuneAssistant and open the Worker page
Look for the Settings button
Enter the email address you want reports sent from
Save
The sender address must be a valid mailbox in your Microsoft 365 tenant. Reports will be sent on behalf of this address using your organization's mail infrastructure.
Get Your License Key
The Worker requires an Enterprise license key to activate. Without it, it will remain in a Pending state and won't execute any jobs. Better said, it won't have a connection at all and keeps waiting in this state.
To request your license key, send an email to:
Include the following in your email:
Your organization name
The Worker instance ID (visible on the Worker dashboard under Registration Status)
The email address associated with your IntuneAssistant account
You will receive your license key by email, typically within one business day.
Already have a license key? Skip ahead to Step 4.
Activate the Worker
Once you have your license key, enter it in the Worker dashboard to activate:
Open your Worker dashboard
The URL is in your registration confirmation email, or
Go to Azure Portal → App Services → your Worker → Default domain
On the dashboard, find the Activate License section
Enter your license key (format:
INTUNE-xxxxxxxx-xxxxxxxxxxxxxxxx)Click Activate
The Worker will validate the key and switch from Pending to Active within seconds.
The dashboard will show:
Registration Status: Active
Health: Healthy
A green heartbeat indicator showing the Worker is connected
You're ready to create jobs.
If the license key is rejected, check:
The key was entered exactly as received (no extra spaces)
The key hasn't already been used on a different Worker instance
Your Worker instance ID matches what you sent in your license request
If the problem persists, contact [email protected] with your Worker instance ID.
Confirm the Worker is Healthy
Before creating jobs, confirm that the Worker is fully operational.
On the dashboard you should see:
Registration Status
Active
Last Heartbeat
Less than 10 minutes ago
Scheduled Jobs
0 (no jobs configured yet — that's fine)
Worker Version
Current version number
If the heartbeat timestamp is not updating or the status shows anything other than Active, wait a couple of minutes and refresh. If the issue persists, check the App Service logs in the Azure Portal.
Heartbeat updating and status is Active? Your Worker is healthy and ready. Move on to creating your first job.
Add Managed Identity Permissions
After deployment, the worker has no permissions yet. Because we take security very serious, we let you handle all the workers permissions. Currently its not possible to handle those permissions nicely and we need a bit of code for that. Use the following document to add the correct permissions.
Add worker permissionsSetup Checklist
Use this as a quick reference to confirm everything is in place:
Need Help?
If you run into any issues during setup, reach out to us:
Please include your Worker instance ID (visible on the dashboard) in your message so we can help you faster.
Last updated