Discover Shadow AI – Microsoft Intune

  • Updated

The Microsoft Intune integration helps you discover applications with AI capabilities installed across your organization's managed devices. By connecting Intune to RexCommand, you can automatically surface AI apps that may otherwise go undetected, review them, and bring them into your AI Inventory for governance.

This functionality is included in the Paid plans.

Purpose

The Intune integration enables you to:

  • Discover apps with AI capabilities installed on managed devices
  • Reduce the manual effort of cataloguing AI tools across a large device fleet
  • Move from blanket "block AI apps" policies toward informed AI governance
  • Maintain a current, deduplicated inventory of AI applications in use

How It Works

When you connect Microsoft Intune, RexCommand:

  1. Pulls the full list of apps discovered on managed devices via the Intune API
  2. Deduplicates apps so each unique application appears once, regardless of version or how many devices it is installed on
  3. Cross-references the deduplicated list against a curated AI-aware application database
  4. Presents only the AI-relevant apps for review

You can then select one or more AI apps to import into the AI Inventory as draft entries for further review and approval.

Connecting Microsoft Intune

Connecting Intune requires:

  • A Microsoft account with Intune admin-level permissions in your tenant
  • Consent to grant RexCommand the required permissions during the OAuth2 sign-in

To connect:

  1. Go to the Discover AI tab and select Connections.
  2. Select Add Integration and choose Microsoft Intune.
  3. Sign in with your Intune admin credentials and approve the requested permissions.
  4. Once authentication completes, the connector status updates to Connected.

Scanning

Once connected, RexCommand scans your Intune tenant automatically every 24 hours at 00:00 UTC (11:00 AM AEDT).

You can also trigger a manual scan if you need fresher data. Manual scans are subject to a rate limit:

  • Maximum 1 scan per hour
  • Maximum 5 scans per day

The automatic daily scan counts toward this limit, which means up to 4 additional manual scans can be triggered after the automatic scan has run.

Reviewing Discovered Apps

After a scan completes, AI apps appear in a filtered list. For each app you'll see:

  • App name, vendor, and version where available
  • Status (e.g., New, Imported)

Apps already brought into the AI Inventory are marked as Imported so you don't import them again. Newly detected AI apps from the most recent scan are highlighted to make them easy to spot.

Importing Apps into the AI Inventory

To bring discovered AI apps under governance:

  1. Select one or more AI apps from the discovered list.
  2. Choose Import to AI Inventory.
  3. Imported apps appear in the AI Inventory as Draft entries with basic fields (name, vendor, description) pre-populated.
  4. Open each draft to complete the remaining fields, assess risk, and submit for approval.

Notes

  • Admin-level Intune permissions are required for the initial connection.
  • This functionality is available on paid plans - Teams & Enterprise plans
  • Apps are deduplicated by name and vendor. Version differences are tracked in the backend but consolidated into a single entry in the user view.
  • The AI-aware application database is curated and maintained by RecordPoint.
  • An Intune connection is independent of any Defender connection — they can be used together or separately.

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request