Microsoft Intune
Manage Intune-enrolled devices, compliance, and apps from plain-language requests.
Dex connects to Microsoft Intune through the Microsoft Graph API and lets admins and employees run everyday device-management operations in natural language — listing managed devices, checking compliance, pushing reboot/sync/wipe/retire actions, collecting diagnostic logs, and assigning mobile apps — with full policy guardrails and audit logging.
What Dex does with Microsoft Intune
Dex handles both admin workflows and employee self-service — all policy-guardrailed and audit-logged.
For admins (CoAdmin)
- List and search managed devices by OS, compliance state, enrollment state, or last-sync time
- Inspect device details including hardware, OS version, serial number, and installed applications
- Update device display name, owner type (company/personal), category, and admin notes
- Force a device sync to pull the latest compliance and configuration state from Intune
- Reboot or shut down a managed device remotely
- Collect diagnostic logs (log collection requests) from any managed device
- Retire a device (remove company data, preserve personal data) or full-wipe with explicit two-step confirmation
- Delete stale devices from Intune and assign mobile apps to users or groups
For employees (self-service)
- Check whether your own laptop or phone is compliant and when it last synced with Intune
- Trigger a sync on your own device to force compliance and policy refresh
- Reboot your own managed device from chat
- Request a diagnostic log collection on your own device before opening a ticket
- Start BYOD enrollment for a personal device so you can access work apps
Just ask Dex
Your team types a request in plain language. Dex investigates, plans, and executes — with the right guardrails.
Admin prompts
- List every non-compliant Windows device in Intune and show me who owns each one
- Retire Alex Kim's old MacBook — keep personal data but remove all corporate apps and profiles
- Reboot every device in the "Finance-Laptops" category that hasn't synced in the last 7 days
- Show me all devices running iOS 16 or older and their enrolled users
- Push a full factory wipe to device ID abc-123 — it's been reported stolen
Employee prompts
- Is my laptop compliant right now?
- Force my work phone to sync with Intune — I just changed my password
- Reboot my company laptop, it's frozen
- Collect diagnostic logs from my device so IT can look at why Teams keeps crashing
Policy actions
Every action Dex can take on Microsoft Intune is declared, scoped, and guardrailed. Admins control which apply, who approves them, and whether they're limited to self-service.
| Action | What it does |
|---|---|
| device_sync | Force a managed device to sync with Intune and refresh its compliance state |
| device_reboot | Remotely reboot a managed device |
| device_retire | Retire a device — remove company data and apps while preserving personal data |
| device_wipe | Full or selective factory wipe of a managed device (two-step confirmation required) |
| device_unenroll | Unenroll a device from Intune management |
| device_diagnostic | Trigger a device log collection request for troubleshooting |
| byod-enroll | Start a Bring-Your-Own-Device enrollment flow for the current user |
How to configure Microsoft Intune
Onboarding takes minutes. Dex validates your credentials before saving them.
Setup steps
1. Connect your Microsoft 365 tenant to Dex (one consent covers Entra ID, Intune, Exchange, SharePoint, Teams, and the rest of the Graph surface).
2. During tenant consent, approve the DeviceManagement scopes Dex needs (DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.Read.All).
3. Enable the Microsoft Intune integration in Dex — no separate credentials; Dex reuses the Graph token from the M365 connection.
4. Configure policy actions (device_sync, device_reboot, device_retire, device_wipe, etc.) with approval requirements and self-only constraints.
5. Run a smoke test: ask Dex to "list my managed devices" in a co-admin chat to confirm the Graph scopes are active.
No extra credentials
This integration is covered by your Microsoft 365 tenant authorization to Dex. There are no per-app credentials to create or rotate.
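A check to pair with the smoke test in step 5, added here as an example (it is not Dex or Microsoft code): it decodes the claims of a Graph access token and compares its DeviceManagement permissions with the three scopes listed in step 2. The token below is constructed sample data, and the function names are hypothetical; how you obtain the token issued to the Dex connection is not described on this page.

```python
import base64
import json

# The three scopes the setup steps say to approve during tenant consent.
REQUIRED = {
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
}

def token_claims(jwt: str) -> dict:
    """Decode a JWT payload for inspection only (the signature is not verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(claims: dict) -> set:
    """Delegated permissions are in 'scp' (space-separated); app permissions in 'roles'."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def audit_intune_scopes(jwt: str) -> dict:
    """Report listed scopes that are missing and DeviceManagement grants beyond the list."""
    granted = granted_permissions(token_claims(jwt))
    intune = {p for p in granted if p.startswith("DeviceManagement")}
    return {
        "missing": sorted(REQUIRED - intune),
        "beyond_listed": sorted(intune - REQUIRED),
    }

def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample: one listed scope absent, one extra DeviceManagement permission.
SAMPLE = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "roles": [
        "DeviceManagementManagedDevices.ReadWrite.All",
        "DeviceManagementApps.ReadWrite.All",
        "DeviceManagementManagedDevices.PrivilegedOperations.All",
        "User.Read.All",
    ],
})

if __name__ == "__main__":
    print(audit_intune_scopes(SAMPLE))
```

Permissions outside the DeviceManagement family are ignored on purpose, since the shared tenant consent also covers the other Graph workloads.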
Requirements
- Microsoft 365 tenant connected to Dex (shared OAuth flow with Entra ID and Exchange)
- Microsoft Intune license assigned to the users and devices you want to manage
- Devices must be enrolled in Intune (Windows, macOS, iOS, iPadOS, or Android) to receive remote actions
- Graph admin consent for DeviceManagement scopes — granted during tenant connection
- Full wipe is irreversible and requires an explicit two-step confirmation; macOS full wipe additionally requires a recovery unlock code
Related integrations
- Directory & Identity: Microsoft Entra ID. Manage Entra ID users, groups, licenses, and sign-in risk through Microsoft Graph.
- RMM & Endpoint: Windows Device Agent. On-device diagnostics, PowerShell, and full remote-desktop control for Windows endpoints managed by Dex.
- RMM & Endpoint: Action1. Run Action1 patch, software, and endpoint operations from plain-language requests.