I’m back with part two!
If you missed my first blog – on Microsoft Graph actually is – make sure you give it a read.
Now, to connect to Azure and use the data within the various products, an application registration needs to be created within Azure Active Directory. This grants access to the specified elements of Azure Active Directory, Office 365 or Intune, depending on what the application is required for. The application registration can be configured for anonymous authentication or using a secret key within the application to provide authentication for a particular user account.
Setting up the Application Registration allows connection through media such as Powershell or Microsoft Graph Explorer (more on this later).
Let’s create a new application registration which will be used to connect to the Intune Graph API.
1. The first step is to log into the Azure portal as a Global Administrator. This account role is needed to grant admin access to the Intune components.
2. Navigate to Azure Active Directory -> App Registrations
3. Select New Registration
4. Enter a name for the new application. In this case, it will be called Intune-API
5. Under the Supported Account Types, select Accounts in this organisational directory only (Contoso only – Single tenant). This may change depending on how this application will be accessed.
6. Under the Redirect URI (optional) setting, select Public client/native (mobile and desktop) from the drop-down menu.
7. In the field to the right, add the following URI – urn:ietf:wg:oauth:2.0:oob
8. Select Register
Once registered, this will present an overview of the newly created application. Make note of the Application (client) ID. This is highlighted below. You may need to add the client ID to scripts or applications to obtain an authorization token.
9. From this menu, select Authentication.
10. Scroll down to Implicit Grant and select ID Tokens
11. Click Save
12. Within the menu on the left, select API permissions
13. Microsoft Graph is already present. Click on Microsoft Graph (1)
At this stage it is worth pointing out that although the Microsoft Graph API is already present, we could have selected Add a permission and then selected Microsoft Graph from the list. We could also add other APIs such as SharePoint, OneNote or Exchange. As we are only interested in Microsoft Graph, we can leave this as default.
14. Depending on how the application will access the API, in this case; Intune, there are two choices for the type of permissions to apply. Delegated permissions are used when the application will access the API as the user who is signed in to the application. Application permissions are used when the application runs as a background service with no signed-in user. In other words, anonymous authentication. For this example, we will select Delegated permissions.
15. The listed permissions relate to all areas of Microsoft 365 therefore we need to focus on the areas of Intune that are required. In this case, I will select the entries that start with the word
16. Select the required permissions based on what the application, script or function is looking to achieve. As an example, the Read settings have been selected here. This allows the specified information to be read from Intune using the Graph API. Some of these settings require Admin consent.
17. Click Update Permissions
18. The selected permissions will be added to the application. For those permissions that require admin consent, we need to select the Grant admin consent for Contoso button
19. The application is now ready for use. In some cases, the script or application that is being developed will need the Application ID (mentioned in Step 8).
And that’s it!
Now if you’re interested in learning more, I’ll be releasing part three next Monday (edit: here’s the link!).
Next week – actually using Microsoft Graph!
(Plus bonus tutorial on accessing Intune Graph API using Powershell).
Any questions? Drop us a line at firstname.lastname@example.org and we’ll get back to you.