Forum Discussion

JeremyTBradshaw
Steel Contributor
Jun 10, 2020

Intune Graph API permissions - no Application permissions - why?

I'm hoping to gain an understanding of why all Intune Graph resources and actions only allow Delegated permissions. This essentially means no unattended administration is available, at least not App-only.

I can't figure out why it is like this. The Intune PowerShell SDK (i.e. the Microsoft.Graph.Intune PowerShell Gallery module) can be used unattended, but the sample for this on GitHub uses ConvertFrom-SecureString | Out-File. That's not really secure, nor is sending a plain-text password to MS Graph (with the latter comment I'm not referring to the sample, but rather to this: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc). So Application permissions, enabling Certificate (or Client Credential) authentication, would be far superior.

Referenced sample script: https://github.com/microsoftgraph/powershell-intune-samples/tree/master/Authentication

Use cases I'm particularly talking about are ones like resetPasscode or remoteLock. We should be able to trigger these actions with an App Registration that has Application permissions. We could then script automatic reactions, such as remoteLock upon a particular Azure AD sign-in event or risk detection.

Can somebody please tell me why Intune's Graph permissions are strictly Delegated only? This same issue applies to about every single thing an admin might want to use the MS Graph APIs for. I wish there was a TON of focus in this area by Microsoft. If magically all of a sudden customer administrative automation was catered to, this would be a massive positive thing leading to mass embracement from customers. Right now, it sometimes seems like MS doesn't want customers automating things with unattended intention.

Thanks in advance.
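To make the two authentication patterns in the post concrete, here is an added PowerShell example (not code from the post, the Microsoft sample, or the Intune SDK). It contrasts the stored-password/ROPC approach with certificate-based client-credential auth via the MSAL.PS module, and then decodes the returned token to check whether it carries application `roles` or only delegated `scp` claims. The tenant ID, app ID and certificate thumbprint are placeholders.

```powershell
# Added example. Placeholders below must be replaced; assumes the MSAL.PS module is installed
# (Install-Module MSAL.PS) and the certificate's public key is uploaded to the app registration.
$TenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$AppId          = '11111111-1111-1111-1111-111111111111'   # placeholder
$CertThumbprint = 'PLACEHOLDER_THUMBPRINT'                  # placeholder
$Scope          = 'https://graph.microsoft.com/.default'

# Weak pattern described in the post: a user password saved with ConvertFrom-SecureString | Out-File
# and replayed through the ROPC grant. The file is DPAPI-protected on Windows, but it is still a reusable
# password on disk, and ROPC is incompatible with MFA, so the account usually ends up exempted from it.
function Get-GraphTokenViaRopc {
    param([string]$Username, [string]$PasswordFile)
    $secure = Get-Content $PasswordFile | ConvertTo-SecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    $body   = @{ grant_type = 'password'; client_id = $AppId; scope = $Scope
                 username = $Username; password = $plain }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

# Preferred pattern: app-only (client credentials) with a certificate. No password leaves the host;
# the private key signs a short-lived client assertion and MSAL.PS exchanges it for a token.
function Get-GraphTokenViaCertificate {
    $cert = Get-Item "Cert:\CurrentUser\My\$CertThumbprint"
    (Get-MsalToken -ClientId $AppId -TenantId $TenantId -ClientCertificate $cert -Scopes $Scope).AccessToken
}

# Check what the token actually grants. An app-only token carries a 'roles' claim (application permissions);
# a delegated token carries 'scp'. For Intune resources, the post's point is that only 'scp' can be obtained.
function Get-GraphTokenPermissions {
    param([string]$AccessToken)
    $payload = $AccessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json   = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    [pscustomobject]@{
        AppOnly = [bool]$claims.roles
        Roles   = $claims.roles
        Scopes  = $claims.scp
    }
}

$token = Get-GraphTokenViaCertificate
Get-GraphTokenPermissions -AccessToken $token
```

If `AppOnly` comes back `$false` and `Roles` is empty for the Intune permissions you assigned, the token cannot be used for the unattended remoteLock or resetPasscode scenario regardless of how it was obtained.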
