Configure Azure App Registration Permissions for Win32 Applications in Intune

This article covers integrating the Patch My PC Publisher with your Intune tenant. We will go over creating an app registration in your Azure AD environment, configuring the Graph API permissions required for the Publisher to automatically create, update and assign Win32 applications in your Intune tenant, and configuring the tenant authority, application ID and application secret within the Publisher.

Step 1: Registering the Patch My PC Application in Azure AD

To give the Publisher permissions to manage applications in your Intune tenant, start by navigating to your environment’s Azure AD portal, open App registrations, and click New registration in the top left of the main pane.

[Screenshot: Azure AD Create New App Registration for Microsoft Intune]

Give your app registration a relevant name such as “Patch My PC – Intune Connector”. Configure the account types based on your tenant requirements. For the Redirect URI, leave the default unless you have specific requirements for it. Then click Register.

[Screenshot: App Registration Additional Options for Microsoft Intune]

Step 2: Configure API Permissions for the New Application

After registering the application, grant it the permissions the Patch My PC Publisher needs to create and update Win32 applications in your Intune tenant, to view Azure AD groups, and to create assignments for those applications automatically. On the newly created app’s page, navigate to the API permissions node in the left column.

[Screenshot: Intune App Registration Created Screen]

On the API permissions page, click Add a permission, then in the pane that appears on the right select Microsoft Graph. When prompted for the type of permissions your app requires, select Application permissions.

[Screenshot: Add Azure App Registration Graph API Permissions]

In the Select permissions table view, search for “DeviceManagement” and, under those permissions, enable DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, and DeviceManagementManagedDevices.Read.All.

[Screenshot: Select Intune App Permissions for Azure App Registration]

Then, search for “Group”, and under Group permissions, enable Group.Read.All.

[Screenshot: Add Intune App Permissions for Azure App Registration]

Click Add permissions.

To approve the new permissions, click Grant admin consent for <Your Org Name>. Choose Yes if you are prompted to consent for the required permissions.  You must be logged into an Azure AD account with permissions to perform this task.

The result is shown below.

[Screenshot: Success Added Intune App Permissions for Azure App Registration]

Step 3: Getting the Client Secret and Application ID

Now, we must add a client secret, a string that our app will use to prove its identity when requesting a token.  Navigate to the Certificates & secrets node in the left column, and click the button to add a New client secret.

[Screenshot: Azure App Registration Secret Key and App ID for Patch My PC]

Decide on a description and expiration date (in years) that best suits your organization’s needs, then click Add.

[Screenshot: Azure App Registration Client Secret Key for Patch My PC]

Click the button to copy the newly created secret value and save it to a secure location; the value is shown only once and cannot be retrieved after you leave this page.

[Screenshot: Copy secret key value]

Then, navigate to the Overview node, and copy the Application (client) ID.  Save this value to a secure location along with your secret key value.

[Screenshot: The Application (client) ID in Azure AD]

You may see an error similar to ‘An error occurred while connecting to Intune: AADSTS7000215: Invalid client secret is provided.’ in the PatchMyPC.log file. If so, repeat Step 3 above to create a new secret, or review the existing secret configured in the Publisher to ensure you are using the correct value.

Step 4: Configuring the Patch My PC Publisher to Connect to the Intune Tenant

If you do not know your Intune tenant domain, navigate to the tenant status page in your Intune tenant, and look at the property for Tenant name.

[Screenshot: Tenant status page in the Intune tenant]

Now, it is time to go to the Patch My PC Publisher and input the Authority, Application ID, and Application Secret into the Intune Options window of the Publisher.

[Screenshot: Entering the Authority, Application ID and Secret in the Publisher’s Intune Options]

Replace <TenantName> with the Tenant name you found on the tenant status page of your Intune tenant. Paste the Application ID and Application Secret that you saved earlier. Click Test to validate that the Publisher can connect to your Intune tenant. If you get a dialog box that says “Successfully connected to Intune”, congratulations! You can now begin to publish applications to your Intune tenant.
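The connection test in Step 4 can also be reproduced outside the Publisher. The following added example (not Patch My PC’s code) requests a token with the same client credentials flow, surfaces the AADSTS7000215 error described above when the secret is wrong, and compares the token’s roles claim with the permissions granted in Step 2 so that missing or excess permissions are visible; the environment variable names are assumptions.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Application permissions the article grants to the Publisher's app registration.
REQUIRED_ROLES = {
    "DeviceManagementApps.Read.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All",
    "Group.Read.All",
}

def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature: fine for
    inspecting what the issuer granted, never acceptable for authorization."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_roles(claims: dict, required=REQUIRED_ROLES) -> dict:
    """Compare the token's 'roles' claim (granted application permissions) with
    the set the Publisher needs. Missing roles break publishing; excess roles
    exceed least privilege and should be removed from the app registration."""
    granted = set(claims.get("roles", []))
    return {"missing": sorted(required - granted), "excess": sorted(granted - required)}

def request_token(tenant: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials request to the v2.0 token endpoint, the flow the Publisher
    uses. A wrong secret gives HTTP 401 with AADSTS7000215 in 'error_description';
    that JSON error body is returned in place of the token response."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default",
                                   "grant_type": "client_credentials"}).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)

if __name__ == "__main__":
    # Assumed environment variable names; supply the values saved in Steps 3 and 4.
    result = request_token(os.environ["TENANT_NAME"], os.environ["APP_ID"], os.environ["APP_SECRET"])
    if "access_token" in result:
        print(check_roles(decode_jwt_claims(result["access_token"])))
    else:
        print("Token request failed:", result.get("error_description", result))
```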