In this Microsoft Intune and Graph API post, I will show you how to create an App Registration for Microsoft Intune.
Microsoft Intune is a leading Mobile Device Management (MDM) solution for small and large organizations.
With Intune, we can manage the entire lifecycle of devices (Windows, iOS or Android) at scale and perform any task remotely using Intune management capabilities.
One of the challenging parts of Intune deployment is deploying policies and maintaining them is source code. To overcome this challenge, Microsoft offers programmatic access to Intune using Graph API and the Graph SDK for .NET and Python.
With Graph API, we can write Intune configuration, security, and compliance policies in code and deploy them using REST API calls or use . NET.
To access Intune using a REST API protocol or any Graph SDKs, we must configure Entra ID, which acts as the authentication and authorisation layer for Microsoft 365 and Azure Services, to allow such access.
We do that using an Entra ID App Registration. An App Registration is like a service account with all the necessary permissions to access Intune (or other services) and perform administrative tasks.
This post will focus on creating an App Registration with enough permissions to create a custom Intune configuration policy, as we showed in the previous article.
Create an App Registration for Microsoft Intune Graph API
To create an App Registration login to Azure with a user that has enough permissions and click on Microsoft Entra ID.
From the Manage menu, Click on App Registrations
Click on Create and use the following details.
- Name – Name the App Registration
- Account Type – Accounts in this Organizational directory only
- Click Register
After you create the App Registration, copy the following details:
- Application ID
- Object ID
- Directory (tenant) ID
From the Manage menu, Click on API Permissions.
This part will give the applications access to perform specific tasks in Intune. Please note that graph API has no such thing as any:any permissions that give full admin rights to all services.
Click on Add a permissions
From the API list, select Microsoft Graph.
In the permissions type page, click on Application permissions.
To set the right permissions for a specific API call or action, let’s take, for example, the following API call that creates a Custom Windows 10 configuration policy.
If you open the page, you will see under Application permissions that it needs the following permissions DeviceManagmentConfiguration.ReadWrite.All
Now that we know which permissions we need, we can select them from the Application Permissions page, as shown below.
After adding all the permissions you need from the Configured permissions screen, click on Grant admin consent for…
The admin consent will apply the App Registration permissions to the tenant.
Click Yes to confirm the consent.
Use Intune App Registration with Graph API
At this stage, we have all the permissions we need, and it’s time to put everything to the test.
I will use the Postman REST API client to test the app registration and create an Intune configuration policy.
In Postman, Create the following variables
| tenant | tenantid |
| client_id | client_id |
| scope | https://graph.microsoft.com/.default |
| client_secret | Client secret |
| grant_type | client_credentials |
| Objectid | objectid |
Below, you can see how the variables look in Postman (values are hidden).
Add the variables and save.
Create Access Token
The last step before connecting to Graph API is creating a temporary access token. This token is only valid for one hour and needs to be renewed after it expires.
To create an access token, create the following POST request
POST https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/token
Make sure the request inherits all the variables we set and click Send.
The response will look like this. Copy the access token (everything between the ” “.
After you copy the token, we must paste it into a folder or a new request Authorization tab. In my case, I have all the Intune requests under a folder, and I’m adding it at the folder level.
Create Configuration Policy With Graph API
We are finally ready to create an Intune configuration policy.
Create a new POST Request with the following details.
| Request type | POST |
| Endpoint | https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations |
| Body (JSON) | { “@odata.type”: “#microsoft.graph.windows10GeneralConfiguration”, “description”: “Windows Configuration test “, “displayName”: “Windows” } |
The request has the endpoint URL and also the JSON body code. This request will only create the a policy without any settings and will not assign it to any Entra ID group.
Troubleshooting
If you get this error message, it means your token has expired and you must create a new one.
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Lifetime validation failed, the token is expired.",
"innerError": {
"date": "2024-05-17T02:44:10",
"request-id": "519c17db-dcfb-43c9-ae25-e582ff1baf8e",
"client-request-id": "519c17db-dcfb-43c9-ae25-e582ff1baf8e"
}
}
}Conclusion
In this post, I showed the end-to-end process of creating an Entra ID App Registration to create a Microsoft Intune configuration policy using Graph API.