Intune and Lookout: how to integrate?

In the last two blogs we looked at the global overview and the architecture of the solution. In this blog I want to go a bit deeper and look at how to integrate the two services with each other.

As mentioned, the Lookout service is currently hosted on Amazon Web Services and Microsoft Intune is hosted on Microsoft Azure.

First of all, the feature needs to be available in your Microsoft Intune tenant for the integration between Microsoft Intune and Lookout to work. When you look in the Admin workspace of the Intune console, you see a node called Third Party Service Integration with Lookout Status, as shown below. The integration has been available since the September update of Microsoft Intune.

Integration has been added during the September update

Setting up Groups

But first, let’s prepare for enabling the integration by creating three Azure AD security groups. These groups can be created in your local Active Directory or directly in Azure AD. The following groups need to be created:

| Group name | Purpose | Mandatory |
|---|---|---|
| Lookout Administrators | All Administrators for the Lookout Service | Yes |
| Lookout Restricted Administrators | Restricted Admin access to the Lookout service | No |
| Lookout Users | All users that need Lookout for Work (enrollment group) | Yes |

When using Lookout Administrators and Lookout Restricted Administrators, you need to supply the object ID of the Azure AD group to the support desk of Lookout. This can be done as follows.

Go to the new Azure Portal and click Azure Active Directory. Under Quick Tasks, click Find Group and look for the Lookout groups you created. To get the Object ID, click the groups one by one and look for the Object ID in the Overview > Essentials section, as shown below.

Get the object id

After Lookout has configured the groups, you need to add your Tenant Global Admin to the Lookout Administrators group to be able to configure the connection between Lookout MTP and Microsoft Intune.

Activating integration

The next step is to accept the consent that allows Lookout MTP to access Microsoft Intune. Lookout MTP needs to have access to the following:

  • Send device threat information to Microsoft Intune
  • Read directory data (Azure AD)
  • Access your organization’s directory

Log in with the Azure AD Global Admin and accept the consent, as shown below.

Accept the consent

After the consent has been accepted, the connector can be set up in the console of Lookout MTP. Log in to the Lookout MTP console and browse to System > Connectors. Click Add Connector and choose Intune, as shown below.


After selecting Intune, the connector needs to be created. This can be done by clicking Create Connector, as shown in the figure below.


The discovery of users and their devices is based on enrollment groups. This can be one or more Azure AD groups; in this example we only use one group (Lookout Users). After the connector has been created, click Enrollment Management and supply the display name of the Azure AD group, as shown in the figure below.


Click Save Changes.

Next, we need to enable the connection in the Microsoft Intune console. In the Microsoft Intune console, browse to Admin > Third Party Service Integration > Lookout Status. Enable the Connect with Lookout MTP switch and watch the status change from Provisioned to Active.


In the next blog we will have a look at the administrative experience. Remember that to be able to use the integration of Lookout with Intune, you need a separate Lookout MTP license.

Stay tuned!

Want to see the integration in action?



At IT/Dev Connections (10/10 - 10/13) I will show the same during our full-day Microsoft Enterprise Mobility + Security workshop, How You Can Digitally Transform Any Organization, on Monday! Be sure to join Kenny Buntinx, Tim De Keukelaere and me in Las Vegas; there are still tickets available!


  1. Thanks for the info. We have a hybrid (SCCM 1606 + Intune) environment. So is this feature applicable to the hybrid model? If yes, kindly share the steps to implement it as well.

    1. Hi,

      For Hybrid this is not available yet. It is on the roadmap though.

