
amalkabraham001

Meet A.M.A.L.: How I Built an Agentic AI to Query Microsoft Intune Using Amazon Bedrock

Managing enterprise endpoint compliance and status is a critical, yet often tedious, part of IT operations. In my role as an IT Senior Manager, I am constantly exploring ways to streamline workflows and reduce the manual administrative overhead that comes with managing device fleets.

In practice, answering a seemingly simple question like “Is this device compliant right now?” often means breaking context, logging into Intune, applying filters, and manually validating data—sometimes during a live incident or executive call. That constant context switching was the frustration I wanted to eliminate.

I didn’t want another dashboard or reporting layer.
I wanted the experience of asking a knowledgeable teammate a question—and getting an immediate, trustworthy answer.

That’s how A.M.A.L. (Automated Management & Access Liaison) was born.

A.M.A.L. is an agentic AI assistant designed to instantly retrieve Microsoft Intune data just by asking a simple question.


Here is a breakdown of how I built it, the architecture under the hood, and how it securely interacts with our tenant.

The Brains: Amazon Bedrock and Amazon Nova Lite

At the core of A.M.A.L. is Amazon Nova Lite, hosted via Amazon Bedrock. I chose Nova Lite because it is incredibly fast and highly cost-effective for everyday reasoning tasks.

The key here is intent recognition.

When A.M.A.L. receives a question, Nova Lite doesn’t just attempt to answer—it decides whether the question requires live tenant data. If it does, it determines which action group and which parameters are required, before orchestrating the next step.

I created an action group in Bedrock and pointed it at a Lambda function, which is invoked whenever the foundation model selects that action group during orchestration.

I also created an Action Group schema and stored it in an Amazon S3 bucket to define the APIs that the agent can invoke to carry out its tasks.

The Lambda function takes the parameters identified by the model (such as a specific hostname or user email) and translates them into REST queries against the Microsoft Graph API.

Through Graph, A.M.A.L. currently has the ability to query:

  • Real-time Intune device compliance status.
  • General Intune device health and check-in status.

The Muscle: AWS Lambda & Microsoft Graph API

To actually fetch the data, Bedrock orchestrates an AWS Lambda function. This function acts as the bridge to Microsoft.

I created an AWS Lambda function using the Python 3.12 runtime and x86_64 architecture, configured with a 30-second timeout. The Python code is designed to query Microsoft Intune, and the source code is available on my GitHub: https://github.com/amalkabraham001/agenticAIworks/tree/c85a5fecdd1142bea566fe60a50d5657d5d4a42c/Intuneagent

When the Lambda function is invoked, it first retrieves the Entra ID client credentials from Secrets Manager at runtime, requests an OAuth token from Microsoft, and only then executes the Graph API query. This ensures that no sensitive authentication data is ever exposed in the code or in the AI prompt logs.

What used to require multiple manual queries and tenant navigation is now a single conversational exchange without sacrificing accuracy or security.

Security First: Entra ID & AWS Secrets Manager

In enterprise IT, you cannot cut corners on security—especially when granting an AI agent access to your device management tenant.

Instead of hardcoding credentials, I configured A.M.A.L. to authenticate securely using a dedicated Microsoft Entra ID Application. I provisioned a Client ID and Client Secret, which are securely locked away inside AWS Secrets Manager.

At no point does the AI model have direct access to credentials or raw tokens.
Authentication is handled strictly at runtime by Lambda, preserving clear trust boundaries between the AI layer and tenant access.

The Entra ID application has been given the API permission 'DeviceManagementManagedDevices.Read.All' with admin consent.

I created a new secret in AWS Secrets Manager named intunesecrets and stored the TenantId, ClientId, and ClientSecret as individual key-value pairs.
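To make the runtime flow from the Lambda section and the secret layout above concrete, here is an added example handler; it is my illustration of the pattern, not the code in the author's GitHub repository. It assumes the Bedrock OpenAPI action-group event shape with a single `deviceName` parameter (a hypothetical parameter name), the `intunesecrets` secret with the TenantId, ClientId and ClientSecret keys described above, and it lets `get_secret` and `http` be swapped for fakes so the flow can be exercised without AWS or tenant access. Note that the model only ever receives the trimmed summary; the credentials and the bearer token never leave the handler.

```python
import json
import urllib.request
from urllib.parse import urlencode

def read_secret(name="intunesecrets"):
    """Fetch TenantId/ClientId/ClientSecret from Secrets Manager at runtime, never from code."""
    import boto3  # AWS SDK, present in the Lambda runtime
    return json.loads(boto3.client("secretsmanager").get_secret_value(SecretId=name)["SecretString"])

def token_request(creds):
    """Client-credentials grant against the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{creds['TenantId']}/oauth2/v2.0/token"
    body = urlencode({"client_id": creds["ClientId"], "client_secret": creds["ClientSecret"],
                      "scope": "https://graph.microsoft.com/.default",
                      "grant_type": "client_credentials"}).encode()
    return url, body

def device_query_url(device_name):
    """Graph query for one device; doubling single quotes keeps the name inside the OData literal."""
    safe = device_name.replace("'", "''")
    return (f"https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=deviceName eq '{safe}'"
            "&$select=deviceName,complianceState,lastSyncDateTime,userPrincipalName")

def summarize(graph_json):
    """Return only the fields the agent needs; the raw Graph payload never reaches the model."""
    return [{"device": d["deviceName"], "compliance": d.get("complianceState", "unknown"),
             "lastSync": d.get("lastSyncDateTime"), "user": d.get("userPrincipalName")}
            for d in graph_json.get("value", [])]

def respond(event, status, payload):
    """Wrap the result in the envelope Bedrock expects from an OpenAPI action-group Lambda."""
    return {"messageVersion": "1.0", "response": {
        "actionGroup": event.get("actionGroup"), "apiPath": event.get("apiPath"),
        "httpMethod": event.get("httpMethod"), "httpStatusCode": status,
        "responseBody": {"application/json": {"body": json.dumps(payload)}}}}

def http_json(url, data=None, headers=None):
    with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers or {}), timeout=20) as r:
        return json.loads(r.read())

def lambda_handler(event, context=None, get_secret=read_secret, http=http_json):
    """Action-group entry point; get_secret and http are injectable so the flow can be tested offline."""
    params = {p["name"]: p["value"] for p in event.get("parameters", [])}
    device = params.get("deviceName", "")
    if not device:
        return respond(event, 400, {"error": "deviceName parameter is required"})
    url, body = token_request(get_secret())  # secret lives only in this frame
    token = http(url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    graph = http(device_query_url(device), headers={"Authorization": f"Bearer {token}"})
    return respond(event, 200, {"devices": summarize(graph)})
```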

The Architecture Flow

Here is a high-level look at how a user interacts with A.M.A.L. and how the data flows securely between AWS and Microsoft:

From the user’s perspective, all of this complexity is hidden behind a simple question and a clear, immediate answer.

A.M.A.L. at Work

A.M.A.L. started as a personal solution to an everyday problem, but it represents something bigger:
AI should remove friction from IT operations—not introduce new tools to manage.

Bringing this capability into Slack and Microsoft Teams is the next step in meeting IT teams where the work actually happens.
