Beginning in January 2022, the Microsoft Intune “serviceEndpoints” API will require specific permissions for all Azure Active Directory (Azure AD) Applications that call one of the following serviceEndpoints:
These serviceEndpoints will need to have assigned one of the following API permissions:
The preferred and most secure API permission is Application.Read.All.
Customers have requested Azure AD make this change to provide more granular permissions and roles in Azure AD. As part of the effort, the team reviewed the delegated and application permissions for endpoints and will require one of four permissions for an API call that Independent Software Vendors (ISV) integrated solutions often use. As part of our Intune ISV integration guidance documentation, many references include information about using the “serviceEndpoints” API for Intune.
Not a partner? Skip to how this may affect you as a customer under: Appendix C: Adding a New Permission to a Single Tenant Application (For Customers).
If your solution makes the /servicePrincipals API call (listed above) to retrieve tenant specific service endpoints for Intune, this may affect you. Based on documentation that Microsoft has shared with partners, we expect this to apply to partners that integrate with Intune for the following scenarios:
Please review the below to take the necessary steps to apply the permissions needed as applicable.
Ensure that your Azure AD Application includes one of the required permission scopes:
No further action is required if one of the listed permission scopes are in effect. See: Appendix A: Verify API Permissions for instructions on how to verify permission scopes.
For multi-tenant application: If you are a partner who has created a multi-tenant application for your Intune integration, verify the API permissions in . If your application does not have one of the four listed permissions, you must update your application’s permissions by following instructions described in Appendix B: Add Permissions to a Multi-Tenant App. Then, customers must consent to the new permissions as described in Appendix D: Granting Admin Consent to New Permissions.
For single tenant applications: If you are a partner who has instructed your customers to create their own app registration as a single-tenant application, your customers need to confirm required permissions are in effect. Instruct your customers to follow steps in Appendix A: Verify API Permissions and then if permissions are required to be added, instruct your customers to follow steps in Appendix C: Adding a New Permission to a Single Tenant Application and Appendix D: Granting Admin Consent to New Permissions.
IMPORTANT NOTE: For all newly added permissions (whether it’s single-tenant or multi-tenant), a required consent is needed from your customers. Microsoft recommends you send a change notification to your customers about this new permissions requirement so they can plan appropriately. See Appendix D: Granting Admin Consent to New Permissions that describe the steps for consent.
If you have a solution that makes the /servicePrincipals API call (listed above) to retrieve tenant specific service endpoints for Intune, this may affect you. Based on documentation that Microsoft has shared with partners, we expect this to apply to partners that integrate with Intune for the following scenarios:
If you have received guidance from the partner with which you have an integrated solution, follow that guidance. If you have not received guidance from your partner, but want to verify that you are ready for the change, then:
To verify the assigned permissions for your multi-tenant application.
To add permissions to your multi-tenant application.
Choose Microsoft Graph.
Your application permissions are now updated. Any customers who have registered your application in their tenant will need to consent to the new permissions.
If your customer registers your application as a single tenant application within their tenant, they will need to add the permission themselves.
For customers who have previously registered your application in their tenant, they will now need to consent to the new permissions that you added to your multi-tenant application. These are the instructions for customers to consent to the new permission:
Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.
As of 6/23, when using third-party certification authorities (CA) with SCEP in Microsoft Intune, additional permissions are required. For more information, see Set up third-party CA integration to learn more.
6/15/21: updated with additional screenshots.
7/12/21: updated with known issue section.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.