Configuring Intune Application Registration
Scope: Easy2Patch 3.0
General steps to configure application registration for Intune application management.
Sign in to the Azure portal (https://portal.azure.com).
Select "Azure Active Directory" from the left-hand navigation menu.
Select "App registrations" under the Manage section.
Click on "New registration" to create a new application registration.
Enter a name for your application, choose the supported account types, and enter a redirect URI (if applicable).
After registering the application, note the Application ID and Tenant ID. These will be used later in the Intune application configuration.
In Intune, navigate to "Client apps" and select "App registration" from the left-hand navigation menu.
Click on "Add" to create a new app registration.
Enter the Application ID and Tenant ID from step 6 and click "Next".
Select the app management capabilities you want to configure, such as app protection policies and app configuration policies.
Complete the configuration and assign the app registration to users or groups as needed.
Note that these steps are general and may differ slightly depending on your specific Intune configuration and requirements. Always refer to official documentation and best practices for guidance when configuring Intune application management.
Microsoft Graph Permissions
You should give some permissions for manage applications in intune for Application registration. In the Select permissions table view, search for “DeviceManagement”, "Application", "User" and "Device" and under those permissions, enable the following:
Application.Read.All: Read all applications
Application.ReadWrite.All: Read and write all applications
Device.Read.All: Read
DeviceManagementApps.ReadWrite.All: View and create applications in Intune
DeviceManagementConfiguration.Read.All: View properties and relationships of assignment filters
DeviceManagementManagedDevices.Read.All: View device inventory for the auto-publish feature
DeviceManagementRBAC.Read.All: View scopes to be assigned to applications
DeviceManagementServiceConfig.ReadWrite.All: Update Enrollment Status Page configurations
User.Read: Sign in and read user profile
User.Read.All: Read all users' full profiles
Then, search for “GroupMember”, "Group" and under Group permissions, enable:
GroupMember.Read.All: View Azure AD groups to enable automatic application deployment
Group.Read.All: Read all groups
Windows Defender ATP Permissions
You should give some permissions for manage Defender Integration in intune for Application registration. In the Select permissions table view, search for “Alert”, "Ip", "Machine", "Score", "SecurityBaselinesAssessment", "SecurityConfiguration", "SecurityRecommendation", "Vulnerability", "User", "Software", and "RemediationTasks" and under those permissions, enable the following:
Alert.Read.All: Read all alerts
Ip.Read.All: Read IP address profiles
Machine.Read.All: Read all machine profiles
Machine.ReadWrite.All: Read and write all machine information
Machine.Scan: Scan machine
RemediationTasks.Read.All: Read all remediation tasks
Score.Read.All: Read Threat and Vulnerability Management score
SecurityBaselinesAssessment.Read.All: Read all security baselines assessment information
SecurityConfiguration.Read.All: Read all security configurations
SecurityRecommendation.Read.All: Read Threat and Vulnerability Management security recommendations
Software.Read.All: Read Threat and Vulnerability Management software information
User.Read.All: Read user profiles
Vulnerability.Read.All: Read Threat and Vulnerability Management vulnerability information
Last updated