In this post I have documented how to create an app registration in Entra that gives you least privilege when you want to interact with Intune APIs from a console using PowerShell.
I mainly use this when I need to run commands myself rather than through some sort of automation. In this scenario the permissions are delegated, which means the application accesses the API as the signed-in user. In an automation scenario you would use application permissions, which do not require a signed-in user.
A really good video on this subject can be found here.
Create app registration
Go to the Microsoft Entra admin center - App registrations > New Registration.
Enter a Name for your application, for example Microsoft Graph PowerShell - High Privilege admin use only.
For Supported account types, select Accounts in this organization directory.
For Redirect URI:
Select Public client/native from the drop-down
URI value: http://localhost
Select Register.
You can see an example of what that looks like below:
API Permissions - Delegated access (access on behalf of a user)
It’s a good idea to just give the minimum permissions required for what you need. In this case since I want to export all devices I chose DeviceManagementManagedDevices.Read.All.
After creating the app registration in the previous step go to the app registrations pane again and search for your app.
Then go to API permissions and click on Add a permission.
Next select delegated as we want the app to access the API as the signed-in user.
Then select the permissions, you can type in the search box to filter the available permissions.
Once you press Add permissions you will see the configured permissions.
You will likely need to grant admin consent and approve the permission.
Least privilege
Additionally, instead of allowing everyone access to the app, it’s a good idea to limit who can use it.
Go to the Enterprise applications pane and choose Properties.
Then press the button to toggle Assignment required.
Then click on the Users and groups button
and add the user accounts that need access.
Connecting
You’ll need to get your tenant and client ID from the Overview page of the Entra app.
Then just replace the placeholders in the following command with your IDs:
Connect-MgGraph -ClientId <YOUR_NEW_APP_ID> -TenantId <YOUR_TENANT_ID>
Verify permissions
Verify the scope which should include the delegated permission you added in one of the previous steps.
get-mgcontext | Select-Object scopes
Scopes
------
{DeviceManagementManagedDevices.Read.All, openid, profile, User.Read…}
Getting Device Info
There are many commands to interact with Intune; so far I have only used the following ones:
Get-MgDeviceManagementManagedDevice -ManagedDeviceId <Device_ID>
$devices = Get-MgDeviceManagementManagedDevice -All
For a full list of commands for devices see: Get-MgDeviceManagementManagedDevice (Microsoft.Graph.DeviceManagement) | Microsoft Learn
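The connect, verify and export steps above combined into one script, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed and takes the client and tenant IDs from the app's Overview page as parameters; the list of baseline sign-in scopes and the CSV column names are my choices, not something the post specifies.

```powershell
# Added example (not from the original post): sign in with the least-privilege app,
# confirm the delegated token carries exactly the consented scope, then export devices.
param(
    [Parameter(Mandatory)] [string] $ClientId,   # Application (client) ID from the Overview page
    [Parameter(Mandatory)] [string] $TenantId,   # Directory (tenant) ID from the Overview page
    [string] $OutFile = ".\intune-devices.csv"
)

# The only Intune permission the app registration should carry.
$RequiredScope = 'DeviceManagementManagedDevices.Read.All'
# Scopes the SDK requests for any delegated sign-in (assumed baseline); anything else is unexpected.
$BaselineScopes = @('openid', 'profile', 'email', 'offline_access', 'User.Read')

Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -NoWelcome

$ctx = Get-MgContext
if ($ctx.AuthType -ne 'Delegated') {
    throw "Expected a delegated (signed-in user) session, got '$($ctx.AuthType)'."
}
if ($ctx.Scopes -notcontains $RequiredScope) {
    throw "Token is missing $RequiredScope; check the API permission and admin consent."
}
$unexpected = $ctx.Scopes | Where-Object { $_ -ne $RequiredScope -and $_ -notin $BaselineScopes }
if ($unexpected) {
    # Extra scopes mean the app registration has drifted away from least privilege.
    Write-Warning "Token carries scopes beyond least privilege: $($unexpected -join ', ')"
}

# Read-only export; .Read.All is sufficient because no device action is invoked.
$devices = Get-MgDeviceManagementManagedDevice -All
$devices |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion,
                  ComplianceState, LastSyncDateTime, Id |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host "Exported $($devices.Count) devices to $OutFile"
Disconnect-MgGraph | Out-Null
```

Run it as `.\Export-IntuneDevices.ps1 -ClientId <YOUR_NEW_APP_ID> -TenantId <YOUR_TENANT_ID>`; if the sign-in is rejected for a user who is not assigned to the enterprise app, that is the Assignment required setting doing its job.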
Summary
Understanding how app registrations and enterprise apps work is quite handy and makes it a bit easier when you’re assigning Microsoft Graph permissions. Finding the correct API permissions to assign can be tricky, but you can always use Graph Explorer to find out what you can do with Graph, and it will also show you what permissions you need.
After experimenting from the console I ventured into using the Graph and SharePoint APIs from Azure Automation runbooks, which required application permissions (since there is no signed-in user). When dealing with managed identities you can’t assign permissions from the portal (at least I don’t think so). I will probably create another post about that.
I found the following resources very useful:
To jump to specific portals and panes I use https://cmd.ms/ which has a search. This even has an extension for Edge.
To find what permissions are available you could use Microsoft Graph Permissions Explorer | Graph Permissions