Setting up a Microsoft Graph Connection

I’m back with part two! 

If you missed my first blog – on what Microsoft Graph actually is – make sure you give it a read.

Now, to connect to Azure and use the data within the various products, an application registration needs to be created within Azure Active Directory. This grants access to the specified elements of Azure Active Directory, Office 365 or Intune, depending on what the application is required for. The application registration can be configured for anonymous authentication or using a secret key within the application to provide authentication for a particular user account.

Setting up the Application Registration allows connections from tools such as PowerShell or Microsoft Graph Explorer (more on this later).

Let’s create a new application registration which will be used to connect to the Intune Graph API.

1. The first step is to log into the Azure portal as a Global Administrator. This account role is needed to grant admin access to the Intune components.

2. Navigate to Azure Active Directory -> App Registrations

[Image: where to find App registrations in Azure AD]

3. Select New Registration

4. Enter a name for the new application. In this case, it will be called Intune-API

5. Under the Supported Account Types, select Accounts in this organisational directory only (Contoso only – Single tenant). This may change depending on how this application will be accessed.

6. Under the Redirect URI (optional) setting, select Public client/native (mobile and desktop) from the drop-down menu.

7. In the field to the right, add the following URI – urn:ietf:wg:oauth:2.0:oob

8. Select Register

Once registered, this will present an overview of the newly created application. Make note of the Application (client) ID. This is highlighted below. You may need to add the client ID to scripts or applications to obtain an authorization token.

9. From this menu, select Authentication.

10. Scroll down to Implicit Grant and select ID Tokens

11. Click Save

12. Within the menu on the left, select API permissions

13. Microsoft Graph is already present. Click on Microsoft Graph (1)

At this stage it is worth pointing out that although the Microsoft Graph API is already present, we could have selected Add a permission and then selected Microsoft Graph from the list. We could also add other APIs such as SharePoint, OneNote or Exchange. As we are only interested in Microsoft Graph, we can leave this as default.

[Image: adding permissions in Azure AD]

14. There are two choices for the type of permissions to apply, depending on how the application will access the API (in this case, Intune). Delegated permissions are used when the application will access the API as the user who is signed in to the application. Application permissions are used when the application runs as a background service with no signed-in user. In other words, anonymous authentication. For this example, we will select Delegated permissions.

15. The listed permissions relate to all areas of Microsoft 365, so we need to focus on the areas of Intune that are required. In this case, I will select the entries that start with the word

[Image: Request API permissions in Azure AD]

16. Select the required permissions based on what the application, script or function is looking to achieve. As an example, the Read settings have been selected here. This allows the specified information to be read from Intune using the Graph API. Some of these settings require Admin consent.

[Image: permission settings that require admin consent]

17. Click Update Permissions

18. The selected permissions will be added to the application. For those permissions that require admin consent, we need to select the Grant admin consent for Contoso button

[Image: configured permissions in Azure AD]

19. The application is now ready for use. In some cases, the script or application that is being developed will need the Application ID (mentioned in Step 8).
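A check of the finished registration against the choices made in steps 5 to 14, as an added example (not code from the original post). It assumes the application object has been exported as JSON in the shape Microsoft Graph returns for an application; the sample object, its appId and the permission GUIDs are constructed placeholders, and `deviations` is a hypothetical helper name.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId
OOB_URI = "urn:ietf:wg:oauth:2.0:oob"                  # redirect URI from step 7

# Constructed sample of an application object; the GUIDs are placeholders.
SAMPLE_APP = json.loads("""
{
  "displayName": "Intune-API",
  "appId": "11111111-1111-1111-1111-111111111111",
  "signInAudience": "AzureADMyOrg",
  "publicClient": {"redirectUris": ["urn:ietf:wg:oauth:2.0:oob"]},
  "web": {"implicitGrantSettings": {"enableIdTokenIssuance": true,
                                    "enableAccessTokenIssuance": false}},
  "requiredResourceAccess": [{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
      {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Scope"}
    ]}]
}
""")

def deviations(app):
    """List settings that differ from the registration built in the steps above."""
    found = []
    if app.get("signInAudience") != "AzureADMyOrg":  # step 5: single tenant
        found.append("not single tenant: %s" % app.get("signInAudience"))
    uris = (app.get("publicClient") or {}).get("redirectUris", [])
    if OOB_URI not in uris:
        found.append("public client redirect URI from step 7 is missing")
    extra = [u for u in uris if u != OOB_URI]
    if extra:
        found.append("unexpected redirect URIs: %s" % ", ".join(extra))
    implicit = (app.get("web") or {}).get("implicitGrantSettings", {})
    if not implicit.get("enableIdTokenIssuance"):  # step 10: ID tokens only
        found.append("ID tokens not enabled for implicit grant")
    if implicit.get("enableAccessTokenIssuance"):
        found.append("access tokens enabled for implicit grant")
    for res in app.get("requiredResourceAccess", []):
        if res["resourceAppId"] != GRAPH_APP_ID:
            found.append("permissions on another API: %s" % res["resourceAppId"])
        for access in res["resourceAccess"]:
            if access["type"] == "Role":  # "Scope" = delegated, "Role" = application
                found.append("application permission: %s" % access["id"])
    return found

if __name__ == "__main__":
    print(deviations(SAMPLE_APP) or "matches the walkthrough")
```

An empty list means the registration is single tenant, uses only the step 7 redirect URI, issues only ID tokens through implicit grant and holds delegated Microsoft Graph permissions only.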

And that’s it!

Now if you’re interested in learning more, I’ll be releasing part three next Monday (edit: here’s the link!).

Next week – actually using Microsoft Graph!

(Plus a bonus tutorial on accessing the Intune Graph API using PowerShell).

Any questions? Drop us a line at info@poweronplatforms.com and we’ll get back to you.

Stephen Barnard
