
Intune Authentication Using Azure App Registration

This article covers integrating the Patch My PC Publisher with your Intune tenant. We will go over creating an app registration in your Azure AD environment, configuring the Graph API permissions the Publisher requires to automatically create, update and assign Win32 applications in your Intune tenant, and configuring the tenant authority, application ID and application secret within the Publisher.

Step 1: Registering the Patch My PC Application in Azure AD

To give the Publisher permissions to your Intune tenant for application management, start by navigating to your environment’s Azure AD portal, select App registrations in the left column, then click New registration at the top left of the main pane.

[Screenshot: Azure app registration page]

Give your app registration a relevant name such as “Patch My PC – Intune”. Configure the supported account types based on your tenant requirements. For the Redirect URI, leave the default unless you have specific requirements for configuring the Redirect URI. Then click Register.

[Screenshot: registering a new app in Azure AD]

Step 2: Configure API Permissions for the New Application

After you register the new application, we need to grant it certain permissions so the Patch My PC Publisher can create and update Win32 applications in your Intune tenant, as well as view Azure groups and create assignments for the applications automatically. Once the new app is registered, navigate to the API permissions node in the left column of the newly created app’s page.

[Screenshot: API permissions node in the app options in Azure AD]

In the API permissions page, click the button to Add a permission, then in the right pane that appears, select the Microsoft Graph API. When you are prompted for what type of permissions your app requires, select Application permissions.

[Screenshot: adding a new permission for the Graph API]

In the Select permissions table view, search for “DeviceManagementApps” and under those permissions, enable DeviceManagementApps.Read.All and DeviceManagementApps.ReadWrite.All.

Then, search for “Group”, and under Group permissions, enable Group.Read.All.

[Screenshot: adding the Group.Read.All permission]

Click Add permissions. To approve the new permissions, click Grant admin consent for <Your Org Name>. Choose Yes if you are prompted to consent for the required permissions. You must be logged into an Azure AD account with permissions to perform this task.

[Screenshot: granting admin consent in Azure AD]

Step 3: Getting the Client Secret and Application ID

Now, we must add a client secret, a string that the app will use to prove its identity when requesting a token. Navigate to the Certificates & secrets node in the left column, and click the button to add a New client secret.

[Screenshot: adding a new client secret in Azure AD]

Decide on a description and expiration date (in years) that best suits your organization’s needs, then click Add.

[Screenshot: secret description and expiration options in Azure AD]

Click the button to copy the newly created secret value. Save this value to a secure location.

[Screenshot: copying the secret value]

Then, navigate to the Overview node and copy the Application (client) ID. Save this value to a secure location along with your secret value.

[Screenshot: the Application (client) ID in Azure AD]


Step 4: Configuring the Patch My PC Publisher to Connect to the Intune Tenant

If you do not know your Intune tenant domain, navigate to the tenant status page in your Intune tenant and look at the property for Tenant name.

[Screenshot: tenant status page in the Intune tenant]

Now, it is time to go to the Patch My PC Publisher and input the Authority, Application ID, and Application Secret into the Intune Options window of the Publisher.

[Screenshot: entering the authority, application ID and secret into Intune Options in the Publisher]

Replace <TenantName> with the Tenant name you found in the tenant status page of your Intune tenant. Paste the Application ID and Application Secret that were saved earlier. Click Test to validate that the Publisher can connect to your Intune tenant. If you get a dialog box that says “Successfully connected to Intune”, congratulations! You can now begin to publish applications to your Intune tenant.
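The Test button performs an OAuth 2.0 client credentials grant with the application ID and secret from Step 3, and the permissions granted admin consent in Step 2 arrive in the `roles` claim of the access token it receives. The Python script below is an added example, not part of the Patch My PC Publisher, that does the same token request outside the Publisher and then reports which of the three Graph application permissions from Step 2 are absent from the token, which you would otherwise only discover when the Publisher's Graph calls are refused. The environment variable names, the `make_unsigned_token` helper and the sample claims it builds are assumptions made for this example; the tenant value is the Tenant name from the tenant status page (or the tenant ID GUID), and no real identifiers or secrets appear in the code.

```python
"""Client-credentials token check for the app registration described above.

Added example (not Patch My PC's code).  It performs the same grant the
Publisher's Test button uses and inspects the token's 'roles' claim for the
application permissions granted in Step 2.  Tenant, client ID and secret are
read from environment variables (names assumed for this example).
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Graph application permissions the Publisher needs, as granted in Step 2.
REQUIRED_ROLES = {
    "DeviceManagementApps.Read.All",
    "DeviceManagementApps.ReadWrite.All",
    "Group.Read.All",
}


def token_endpoint(tenant):
    """v2.0 token endpoint for the tenant (Tenant name or tenant ID GUID)."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant.

    The '.default' scope asks for every application permission that has
    admin consent on the app, which is what Step 2 granted.
    """
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }
    return token_endpoint(tenant), urllib.parse.urlencode(form).encode()


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_roles(access_token):
    """Read the 'roles' claim (application permissions) from an access token.

    The signature is deliberately not verified: we only inspect a token the
    issuer just handed to this client, we never accept one from anyone else.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token):
    """Permissions from REQUIRED_ROLES that the token does not carry."""
    return REQUIRED_ROLES - token_roles(access_token)


def make_unsigned_token(claims):
    """Build a JWT-shaped string with the given payload (constructed sample
    for offline checks of the claim parsing; it carries no signature)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}."


def request_token(tenant, client_id, client_secret):
    """Perform the grant against Azure AD and return the access token."""
    url, body = build_token_request(tenant, client_id, client_secret)
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Operator-supplied values; nothing is hard-coded in the script.
    tenant = os.environ["PMPC_TENANT"]          # Tenant name from the status page
    client_id = os.environ["PMPC_CLIENT_ID"]    # Application (client) ID, Step 3
    secret = os.environ["PMPC_CLIENT_SECRET"]   # client secret value, Step 3
    gap = missing_roles(request_token(tenant, client_id, secret))
    if gap:
        print("Admin consent incomplete; missing:", ", ".join(sorted(gap)))
    else:
        print("Token carries every permission the Publisher needs.")
```

Run it once with the three environment variables set before entering the values into the Publisher: an empty "missing" list means the Test button should succeed for permission reasons, and a non-empty one points straight back to the Grant admin consent step. The secret is read from the environment rather than typed on the command line so it does not land in shell history.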