Intune Graph API permissions - no Application permissions - why?
I'm hoping to gain an understanding why all Intune Graph resources and actions only allow Delegated permissions. This essentially means no unattended administration available, at least not App-only.
I can't figure out why it is like this. The Intune PowerShell SDK (i.e. the Microsoft.Graph.Intune PowerShell Gallery module) can be used unattended, but the sample for this that is on GitHub is using ConvertFrom-SecureString | Out-File. That's not really secure, nor is sending a plain text password to MS Graph (not referring to the sample with the latter comment, rather this: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc). So Application permissions, enabling Certificate (or Client Credential) authentication, would be far superior.
Referenced sample script: https://github.com/microsoftgraph/powershell-intune-samples/tree/master/Authentication
Use cases that I'm particularly talking about are ones like resetPasscode, or remoteLock. We should be able to trigger these actions with an App Registration that has Application permissions. We could then script automatic reactions, such as remoteLock upon a particular Azure AD Sign-In event or risk detection.
Can somebody please tell me why Intune's Graph permissions are strictly only Delegated? This same issue applies to about every single thing an Admin might want to use the MS Graph APIs for. I wish there was a TON of focus in this area by Microsoft. If magically, all of a sudden, customer administrative automation was catered to, this would be a massive positive thing leading to mass embracement from customers. Right now, it sometimes seems like MS doesn't want customers automating things with unattended intention.
Thanks in advance.
- Thijs Lecomte (Bronze Contributor): Application support for all Intune endpoints has been added, but it's still in the beta Graph though
  https://docs.microsoft.com/en-us/graph/api/resources/intune-device-mgt-conceptual?view=graph-rest-beta
- JeremyTBradshaw (Steel Contributor): @Thijs Lecomte Thanks for the info, this is great.
  I wonder how/when this will factor into the Intune PowerShell SDK. I suppose the Connect-MSGraph cmdlet from the module/SDK will just need to get some client credential flow functionality added.
- Thijs Lecomte (Bronze Contributor): I wouldn't get your hopes up that the PowerShell cmdlets will support application permissions.
  The Graph API is rather easy to use and I would recommend looking into this, as the Graph API has support for features much earlier than the PowerShell SDK.
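The original post asks for app-only (client credential) authentication with a certificate instead of ConvertFrom-SecureString | Out-File or ROPC, and the last reply suggests calling the Graph API directly rather than waiting on the PowerShell SDK. The script below is an added example that is not code from the thread, from the GitHub samples, or from the Microsoft.Graph.Intune module: it builds a signed JWT client assertion from a certificate in the user's store, exchanges it for an app-only token at the v2.0 token endpoint, checks the token's roles claim, and then POSTs the beta remoteLock action the post mentions. The tenant ID, client ID, certificate thumbprint and managed device ID are placeholders supplied by the caller; the app registration is assumed to have the DeviceManagementManagedDevices.PrivilegedOperations.All Application permission granted with admin consent.

```powershell
# Added example (not from the thread): certificate-based client credential flow
# against Microsoft Graph beta for an unattended Intune remoteLock.
# All four parameters are assumptions supplied by the caller.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][string]$CertThumbprint,   # cert with private key in Cert:\CurrentUser\My
    [Parameter(Mandatory)][string]$ManagedDeviceId   # Intune managedDevice id to lock
)

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # JWT segments use unpadded base64url, not plain base64
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload([string]$Jwt) {
    # Decode the middle segment of a JWT so we can inspect claims locally
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

function New-ClientAssertion {
    param(
        [string]$TenantId,
        [string]$ClientId,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # x5t is the base64url SHA-1 thumbprint; AAD uses it to pick the registered public key
    $header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (ConvertTo-Base64Url $Cert.GetCertHash()) }
    $payload = @{
        aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        iss = $ClientId
        sub = $ClientId
        jti = [guid]::NewGuid().ToString()
        nbf = $now
        exp = $now + 600   # short-lived: the assertion is only needed for one token request
    }
    $h = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($header | ConvertTo-Json -Compress)))
    $p = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($payload | ConvertTo-Json -Compress)))
    # Sign with the certificate's private key; it never leaves the machine, unlike a password
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $sig = $rsa.SignData(
        [Text.Encoding]::UTF8.GetBytes("$h.$p"),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "$h.$p.$(ConvertTo-Base64Url $sig)"
}

$cert = Get-Item "Cert:\CurrentUser\My\$CertThumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $CertThumbprint has no private key" }

$assertion = New-ClientAssertion -TenantId $TenantId -ClientId $ClientId -Cert $cert
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id             = $ClientId
        scope                 = 'https://graph.microsoft.com/.default'
        client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
        client_assertion      = $assertion
        grant_type            = 'client_credentials'
    }
$token = $tokenResponse.access_token

# App-only tokens carry application permissions in 'roles' (delegated tokens use 'scp').
# Fail early if consent is missing instead of getting a 403 from Graph.
$requiredRole = 'DeviceManagementManagedDevices.PrivilegedOperations.All'
$claims = Get-JwtPayload $token
if (-not ($claims.roles -contains $requiredRole)) {
    throw "Token lacks app role $requiredRole; grant it as an Application permission and admin-consent it."
}

# Beta endpoint: POST /deviceManagement/managedDevices/{id}/remoteLock (returns 204 No Content)
Invoke-RestMethod -Method Post `
    -Headers @{ Authorization = "Bearer $token" } `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$ManagedDeviceId/remoteLock"
Write-Host "remoteLock issued for device $ManagedDeviceId"
```

Run as `.\Invoke-RemoteLock.ps1 -TenantId <tenant> -ClientId <appId> -CertThumbprint <thumbprint> -ManagedDeviceId <deviceId>` (script name assumed). The private key stays in the certificate store, so nothing secret is written to disk or sent to the token endpoint; rotating the certificate on the app registration is the only credential-management step. The roles check is a local diagnostic only: Graph still validates the token, so the check can be dropped once the app registration is known to be correct.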