Intune Customer Success

Support Tip: Intune service discovery API endpoint will require specific permissions

Intune_Support_Team
Silver Contributor
Jun 08, 2021

Updated 03/11/22: The end of support timeline for Azure AD Graph has been extended to December 2022. The requirement changes detailed below are still required; however, if you have not yet updated the "serviceEndpoints" call, the timeline for doing so has been extended to December 2022.

For more information on Azure AD change management and timelines, see Azure AD: Change Management Simplified.

Beginning in December 2022 (originally January 2022; see the update above), the Microsoft Intune “serviceEndpoints” API will require specific permissions for all Azure Active Directory (Azure AD) applications that call one of the following serviceEndpoints:

https://graph.windows.net/servicePrincipals/0000000a-0000-0000-c000-000000000000/serviceEndpoints
https://graph.microsoft.com/v1.0/servicePrincipals/0000000a-0000-0000-c000-000000000000/serviceEndpoints

 

Applications calling these serviceEndpoints must be assigned one of the following API permissions:

  • Application.Read.All
  • Application.ReadWrite.All
  • Application.ReadWrite.OwnedBy
  • Directory.Read.All

 

The preferred and most secure API permission is Application.Read.All: it is read-only and limited to application objects, whereas Directory.Read.All reads the whole directory and the ReadWrite options also allow modification.

 

Customers have requested that Azure AD make this change to provide more granular permissions and roles in Azure AD. As part of the effort, the team reviewed the delegated and application permissions for endpoints and will require one of four permissions for an API call that Independent Software Vendor (ISV) integrated solutions often use. Many of our Intune ISV integration guidance documents reference the “serviceEndpoints” API for Intune.

 

Not a partner? Skip to how this may affect you as a customer under: Appendix C: Adding a New Permission to a Single Tenant Application (For Customers).

 

How does this affect you as a partner who has Intune integration?

If your solution makes the /servicePrincipals API call (listed above) to retrieve tenant-specific service endpoints for Intune, this may affect you. Based on documentation that Microsoft has shared with partners, we expect this to apply to partners that integrate with Intune for the following scenarios:

  • Telecom Expense Management
  • Mobile Threat Defense
  • Network Access Control
  • 3rd Party Device Compliance
  • SCEP Services

Review the steps below and apply the required permissions as applicable.

 

Applying permissions

Ensure that your Azure AD Application includes one of the required permission scopes:

  • Application.Read.All
  • Application.ReadWrite.All
  • Application.ReadWrite.OwnedBy
  • Directory.Read.All

 

No further action is required if one of the listed permission scopes is already in effect. See Appendix A: Verify API Permissions for instructions on how to verify permission scopes.

 

For multi-tenant applications: If you are a partner who has created a multi-tenant application for your Intune integration, verify the API permissions as described in Appendix A: Verify API Permissions. If your application does not have one of the four listed permissions, you must update your application’s permissions by following the instructions in Appendix B: Add Permissions to a Multi-Tenant App. Then, customers must consent to the new permissions as described in Appendix D: Granting Admin Consent to New Permissions.

 

For single-tenant applications: If you are a partner who has instructed your customers to create their own app registration as a single-tenant application, your customers need to confirm that the required permissions are in effect. Instruct your customers to follow the steps in Appendix A: Verify API Permissions; if permissions need to be added, instruct them to follow the steps in Appendix C: Adding a New Permission to a Single Tenant Application and Appendix D: Granting Admin Consent to New Permissions.

 

IMPORTANT NOTE: For all newly added permissions (whether single-tenant or multi-tenant), consent from your customers is required. Microsoft recommends you send a change notification to your customers about this new permissions requirement so they can plan appropriately. See Appendix D: Granting Admin Consent to New Permissions, which describes the steps for consent.

 

How does this affect you as a customer who has Intune integration?

If you have a solution that makes the /servicePrincipals API call (listed above) to retrieve tenant-specific service endpoints for Intune, this may affect you. Based on documentation that Microsoft has shared with partners, we expect this to apply to partners that integrate with Intune for the following scenarios:

  • Telecom Expense Management
  • Mobile Threat Defense
  • Network Access Control
  • 3rd Party Device Compliance
  • SCEP Services

 

If you have received guidance from the partner with which you have an integrated solution, follow that guidance. If you have not received guidance from your partner, but want to verify that you are ready for the change, then:

  1. Follow the instructions in Appendix A: Verify API Permissions. If your permissions are set correctly, you are done.

  2. If your permissions need to be added, follow the steps in Appendix C: Adding a New Permission to a Single Tenant Application (For Customers) and then follow the steps in Appendix D: Granting Admin Consent to New Permissions (For Customers).

 

Appendix A: Verify API Permissions

To verify the assigned permissions for your multi-tenant application:

  1. Open the Azure Portal for Azure AD https://portal.azure.com.
  2. Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your multi-tenant application.
  3. Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps and select the multi-tenant application that needs permission verification.

    Figure 1 - List of App registrations in the Azure AD portal.

  4. Select API Permissions and verify that your application contains one of the following API permissions for both Azure AD Graph and Microsoft Graph:
    • Application.Read.All (preferred)
    • Application.ReadWrite.All
    • Application.ReadWrite.OwnedBy
    • Directory.Read.All

    Figure 2 - List of assigned API permissions for the selected app with "Application.Read.All" highlighted.

    Figure 3 - Example of API permissions needed.
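Appendix A checks the permissions in the portal. The following Python performs the same check programmatically; it is an added example, not code from the original post or from Microsoft. It assumes the caller has already fetched two Microsoft Graph responses (the endpoints named in the docstring exist, but the payloads below are constructed with placeholder GUIDs): the resource service principal, whose appRoles map each application-permission GUID to its name, and the client service principal's appRoleAssignments, which are the application permissions actually consented to in the tenant. Because Appendix B notes that the permission is needed on both Microsoft Graph and Azure AD Graph, the check is written per resource and would be run once for each.

```python
"""Programmatic version of the Appendix A check (added example, not from the post).

Assumptions, not taken from the post: the caller has already fetched two
Microsoft Graph responses and passes them in as parsed JSON:
  * GET /v1.0/servicePrincipals?$filter=appId eq '<resource appId>'
      -> the resource service principal (e.g. Microsoft Graph), whose
         "appRoles" list maps each application-permission GUID ("id")
         to its name ("value")
  * GET /v1.0/servicePrincipals/{client-sp-id}/appRoleAssignments
      -> the application permissions actually granted (consented) to the
         client, each carrying "appRoleId" and "resourceId"
The sample payloads below are constructed; the GUIDs are placeholders.
"""
from typing import Iterable

# The four permissions the post lists; Application.Read.All is the preferred one.
REQUIRED_PERMISSIONS = {
    "Application.Read.All",
    "Application.ReadWrite.All",
    "Application.ReadWrite.OwnedBy",
    "Directory.Read.All",
}
PREFERRED_PERMISSION = "Application.Read.All"


def resolve_app_roles(resource_sp: dict) -> dict:
    """Map appRole GUID -> permission name for one resource service principal."""
    return {role["id"]: role["value"] for role in resource_sp.get("appRoles", [])}


def granted_permissions(resource_sp: dict, assignments: Iterable[dict]) -> set:
    """Names of the application permissions granted to the client on this resource.

    Assignments whose resourceId points at a different resource are ignored:
    an appRoleId is only meaningful for the resource that defines it.
    """
    roles = resolve_app_roles(resource_sp)
    return {
        roles[a["appRoleId"]]
        for a in assignments
        if a.get("resourceId") == resource_sp["id"] and a.get("appRoleId") in roles
    }


def check_service_endpoints_access(resource_sp: dict, assignments: Iterable[dict]) -> dict:
    """Report whether the client holds a permission satisfying the serviceEndpoints requirement."""
    granted = granted_permissions(resource_sp, assignments)
    satisfied = granted & REQUIRED_PERMISSIONS
    return {
        "resource": resource_sp.get("displayName", resource_sp["id"]),
        "ready": bool(satisfied),
        "matching": sorted(satisfied),
        "least_privilege": PREFERRED_PERMISSION in satisfied,
        "granted": sorted(granted),
    }


# --- constructed sample data (placeholder GUIDs, not real permission ids) ---
GRAPH_SP = {
    "id": "bbbbbbbb-0000-0000-0000-000000000001",
    "appId": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph's well-known appId
    "displayName": "Microsoft Graph",
    "appRoles": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Application.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Application.ReadWrite.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "Application.ReadWrite.OwnedBy"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000004", "value": "Directory.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000005", "value": "User.Read.All"},
    ],
}
OTHER_RESOURCE_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # e.g. the Azure AD Graph service principal

# A client that was granted Application.Read.All (plus User.Read.All) on Microsoft Graph.
COMPLIANT_ASSIGNMENTS = [
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceId": GRAPH_SP["id"]},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000005", "resourceId": GRAPH_SP["id"]},
]

# A client with only User.Read.All on Microsoft Graph. Its Application.Read.All
# grant is on a different resource, so it does not count for Microsoft Graph.
NONCOMPLIANT_ASSIGNMENTS = [
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000005", "resourceId": GRAPH_SP["id"]},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceId": OTHER_RESOURCE_ID},
]

if __name__ == "__main__":
    for label, assignments in (("compliant", COMPLIANT_ASSIGNMENTS),
                               ("non-compliant", NONCOMPLIANT_ASSIGNMENTS)):
        report = check_service_endpoints_access(GRAPH_SP, assignments)
        status = "OK" if report["ready"] else "ACTION NEEDED"
        print(f"{label}: {status} on {report['resource']}; granted={report['granted']}")
```

Checking appRoleAssignments rather than the app registration's requiredResourceAccess matters: the registration only lists what the app requests, while the assignment exists only after an administrator has consented, which is the "in effect" state Appendix D is about.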

Appendix B: Add Permissions to a Multi-Tenant App (for Partners)

To add permissions to your multi-tenant application:

  1. Open the Azure Portal for Azure AD https://portal.azure.com.
  2. Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your multi-tenant application.
  3. Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps and select the multi-tenant application that needs updated permissions.

    Figure 4 - List of App registrations in the Azure AD portal.

  4. Select API Permissions and verify that your application contains the correct API permissions. In this example, the required permission (Application.Read.All) is missing for both Microsoft Graph and Azure AD Graph; both permissions are needed.

    Figure 5 - Example list of available API permissions with one of the required permissions missing.

  5. Select Add a permission.

    Figure 6 - Request API permission flow on adding a new permission.

  6. Choose Microsoft Graph.

    Figure 7 - Request API permission flow for the Microsoft Graph application.

  7. Select Application permissions.

    Figure 8 - Requesting the Application permissions for the Microsoft Graph application.

  8. Select "Application.Read.All" and click Add permissions.

    Figure 9 - Requesting the "Application.Read.All" permission for the Microsoft Graph application.

  9. Select Add a permission.

    Figure 10 - Adding a new permission.

  10. Scroll down to choose Azure AD Graph.

    Figure 11 - Adding a new API permission for Azure AD Graph.

  11. Choose Application permissions, select “Application.Read.All” and click Add permissions.

    Figure 12 - Adding the “Application.Read.All” permission.

Your application permissions are now updated. Any customers who have registered your application in their tenant will need to consent to the new permissions.

 

Appendix C: Adding a New Permission to a Single Tenant Application (For Customers)

If your customer registers your application as a single-tenant application within their tenant, they will need to add the permission themselves.

  1. Open the Azure Portal for Azure AD https://portal.azure.com.
  2. Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your single tenant application.
  3. Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps.

    Figure 13 - List of App registrations in the Azure AD portal.

  4. Select the single-tenant application that needs permission verification.

    Figure 14 - Screenshot of an example Azure application and details under the Overview blade.

  5. Select API permissions.

  6. Click Add a permission.

    Figure 16 - Request API permission flow on adding a new permission.

  7. Select Microsoft Graph.

    Figure 17 - Request API permission flow for the Microsoft Graph application.

  8. Select Application permissions.

    Figure 18 - Requesting the Application permissions for the Microsoft Graph application.

  9. Expand Application and choose "Application.Read.All" and choose Add permissions.

    Figure 19 - Requesting the "Application.Read.All" permission for the Microsoft Graph application.

  10. Select Add a permission.

    Figure 20 - Adding a new permission.

  11. Scroll down to choose Azure AD Graph.

    Figure 21 - Requesting a new API permission for Azure AD Graph.

  12. Choose Application permissions and select “Application.Read.All” and click Add permissions.

    Figure 22 - Adding the “Application.Read.All” permission.

  13. Click “Grant admin consent for <tenant>” and choose “Yes”.

    Figure 23 - Notice when selecting "Grant admin consent for <tenant>".

  14. Verify that the permissions are granted for your tenant.

    Figure 24 - Example screenshot of granted API permissions for a tenant.

    Figure 25 - Example of API permissions needed.

Appendix D: Granting Admin Consent to New Permissions (For Customers)

Customers who have previously registered your application in their tenant will now need to consent to the new permissions that you added to your multi-tenant application. These are the instructions for customers to consent to the new permission:

  1. Open the Azure Portal for Azure AD https://portal.azure.com.
  2. Authenticate as a user with Global Administrator permissions to manage Azure AD applications in the tenant.
  3. Navigate to your list of enterprise apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/.
  4. Search for the application that was registered for the Intune integration.

    Figure 26 - Example screenshot of an Azure AD app registered for the Intune integration.

  5. Select the application to view the Overview.

    Figure 27 - Screenshot of an example Azure application and details under the Overview blade.

  6. Select Permissions.

    Figure 28 - Permissions blade of an example Azure AD app registered for the Intune integration.

  7. Click Grant admin consent for <tenant name>.

    Figure 29 - Notice when granting admin consent for the tenant.

  8. Authenticate as a user with Global Administrator permissions.

    Figure 30 - Authenticating as a user with Global Administrator permissions.

  9. Accept the updated permissions for the application.

    Figure 31 - Accepting the updated permissions for the Azure AD application.

  10. Verify the consent was successful.

    Figure 32 - Successful admin consent.

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

 

Known issues

As of 6/23, when using third-party certification authorities (CA) with SCEP in Microsoft Intune, additional permissions are required. For more information, see Set up third-party CA integration.

 

Post updates:

6/15/21: Updated with additional screenshots.

7/12/21: Updated with known issue section.

03/11/22: The end of support timeline for Azure AD Graph has been extended to December 2022. The requirement changes detailed in this post are still required; however, if you have not yet updated the "serviceEndpoints" call, the timeline for doing so has been extended to December 2022.

Updated Dec 19, 2023
Version 12.0

9 Comments

  • marc_goff
    Copper Contributor

    But aren't the permission IDs unique to my tenant (like role IDs) so if I don't have an app that already uses the application.read.all from the Azure graph API (which I haven't found yet), and I can't add it through the GUI anymore, how am I supposed to get the permission ID to add with those steps on the link you provided? The doc even states you need to get the permission ID from a current app. I feel like this is sort of a catch 22 here, but maybe I'm missing something.

  • marc_goff
    Copper Contributor

    Hi Dave Randall, when I add the Microsoft Graph application.read.all permission, the Intune JAMF integration fails. Since the screenshots show the Azure Graph being chosen and we can't choose the Azure Graph at all anymore, I wondered whether that is what is causing the integration to fail.

     

  • Hello marc_goff. Yes, the method requires that you have an app registered, but my understanding was that you attempted to connect with Jamf but it failed because the correct permission wasn't present. So, to address that issue, you'd need to go update the permissions on the app. Let me know if that's not the case.

     

    I've also contacted our doc team to get an update to the Jamf integration page, I see it was last updated in February. 

  • marc_goff
    Copper Contributor

    Thanks for that article Dave, but don't both those methods require an application to already be configured in your tenant to get the application permission? We don't have an app that uses that permission.

     

    Also, why are the Intune docs that get linked to from the Intune interface in the "Connectors and tokens | Partner device management" section still incorrect? https://docs.microsoft.com/en-us/mem/intune/protect/conditional-access-integrate-jamf

     

    Perhaps I am misunderstanding something.

  • marc_goff
    Copper Contributor

    Azure Active Directory Graph is being deprecated as of June 2022 and I can no longer select it in the add permissions interface on the app registration. It is greyed out. I believe this might be why we are unable to integrate JAMF with Intune. Is there a workaround for this?

  • Hi oliviomoura, you are correct! Confirming that Application.OwnedBy should be Application.ReadWrite.OwnedBy. We've updated the post to reflect the correct API permission. Thanks for the feedback! :smile:

  • oliviomoura
    Copper Contributor

    https://docs.microsoft.com/en-us/graph/permissions-reference

     

    Application.OwnedBy should be Application.ReadWrite.OwnedBy, can you please verify?