Graph API permission #21

Open
Ivanodib opened this issue Oct 31, 2024 · 10 comments

Comments

@Ivanodib

Upload doesn't work. Is App registration required? Which permissions are needed, delegated or application? If needed, how can I import ClientID and ClientSecret?

@Metisak

Metisak commented Nov 1, 2024

I have probably a similar issue...

@tori321

tori321 commented Nov 3, 2024

Upload doesn't work. Is App registration required? Which permissions are needed, delegated or application? If needed, how can I import ClientID and ClientSecret?

Microsoft has complicated this earlier this year by terminating the Microsoft Intune PowerShell enterprise application.

Instead you need to create an app registration yourself.
Follow this article:
https://techcommunity.microsoft.com/t5/intune-customer-success/update-to-microsoft-intune-powershell-example-script-repository/ba-p/3842452

@huuub

huuub commented Dec 9, 2024

So the app is not working at the moment... Correct?

@Ivanodib
Author

Ivanodib commented Dec 9, 2024

So the app is not working at the moment... Correct?

Correct. I found https://github.com/Romanitho/WingetIntunePackager , the last PR includes an App registration Id field (more info at pull request Romanitho/WingetIntunePackager#30).

Not tried yet, let me know if this works

@huuub

huuub commented Dec 9, 2024

Well... I tried that one before yours. With that one I cannot even connect, even after creating an app in Entra and giving the right permissions and the URI. So that's why I gave this one a try. I guess I am out of options.

@Ivanodib
Author

Ivanodib commented Dec 9, 2024

Well, I'm gonna create it on my own :).

@InnovationForge-com
Contributor

InnovationForge-com commented Dec 9, 2024

I fixed the issues which occurred after the MS App Registration change within the script, and added to the GUI as well the option to set your own non-default Client ID and Redirect URI. If the app registration doesn't have the permission, you will be asked by Connect-MgGraph to give the permission.

You can get my version in my fork: https://github.com/InnovationForge-com/WinGet-Wrapper
I will create a pull request after optimizing it a bit more.

If you want the GUI options then you need to start WinGet-WrapperImportGUI.ps1 and not WinGet-WrapperImportGUI.exe.
Even without setting it in the GUI, WinGet-WrapperImportFromCSV.ps1 will use App ID "14d82eec-204b-4c2f-b7e8-296a70dab67e" and Redirect URI "https://login.microsoftonline.com/common/oauth2/nativeclient", which is used by the .exe as well.

@SorenLundt
Owner

SorenLundt commented Dec 9, 2024

I fixed the issues which occurred after the MS App Registration change within the script, and added to the GUI as well the option to set your own non-default Client ID and Redirect URI. If the app registration doesn't have the permission, you will be asked by Connect-MgGraph to give the permission.

You can get my version in my fork: https://github.com/InnovationForge-com/WinGet-Wrapper

I will create a pull request after optimizing it a bit more.

If you want the GUI options then you need to start WinGet-WrapperImportGUI.ps1 and not WinGet-WrapperImportGUI.exe.

Even without setting it in the GUI, WinGet-WrapperImportFromCSV.ps1 will use App ID "14d82eec-204b-4c2f-b7e8-296a70dab67e" and Redirect URI "https://login.microsoftonline.com/common/oauth2/nativeclient", which is used by the .exe as well.

Great work!
Feel free to create a pull request and I will be sure to test it and add it to the main branch.

@LucaMoor

LucaMoor commented Jan 8, 2025

@huuub @Ivanodib @SorenLundt I just checked the Release again and the PR I posted. For me it works fine; I'm not sure what issues you are facing? You can just create your own Application and give it Group Read All, Apps ReadWrite All and ManagedDevices ReadWrite All. Then you can connect to the App with the Application (client) ID and the default Redirect URI https://login.microsoftonline.com/common/oauth2/nativeclient, which you of course have to add in your App as well as a "Mobile and desktop applications" Redirect URI.

@aollivierre

created PR #23

Azure AD Application Configuration for WinGet-Wrapper

Background

The WinGet-Wrapper tool uses Microsoft Graph API to interact with Intune. By default, it uses a built-in application ID, but due to recent Microsoft infrastructure changes and security policies, it's recommended to create your own Azure AD application registration. This ensures:

  1. Better security control over the application
  2. Avoidance of potential throttling issues
  3. Clear audit trails in your Azure environment
  4. Prevention of authentication issues related to Microsoft's first-party app verification changes

Creating Your Azure AD Application

Step 1: Create the Application Registration

  1. Log in to the Azure Portal (portal.azure.com)
  2. Navigate to Azure Active Directory → App registrations
  3. Click "New registration"
  4. Configure the following:
    • Name: "WinGet-Wrapper-App" (or your preferred name)
    • Supported account types: "Accounts in this organizational directory only"
    • Click "Register"
  5. After creation, note down the "Application (client) ID" - you'll need this later

Step 2: Configure Authentication

  1. In your app registration, go to "Authentication" in the left menu
  2. Click "Add a platform"
  3. Select "Mobile and desktop applications"
  4. Check the box for "https://login.microsoftonline.com/common/oauth2/nativeclient"
  5. Click "Configure"

This configuration is crucial because the PowerShell scripts use interactive authentication, which requires a proper redirect URI.

Step 3: Configure API Permissions

  1. Go to "API permissions" in the left menu
  2. Click "Add a permission"
  3. Select "Microsoft Graph"
  4. Choose "Application permissions"
  5. Search for and select "DeviceManagementApps.ReadWrite.All"
  6. Click "Add permissions"
  7. Click "Grant admin consent" and confirm

Updating the Scripts

You need to update the ClientID in the following files:

Option 1: Modify the Script Directly

Update WinGet-WrapperImportFromCSV.ps1:

```powershell
#ClientID to connect to MSGraph/InTune with Connect-MSIntuneGraph
[Parameter(Mandatory = $False)]
[string]$ClientID = "your-application-id-here"
```

Option 2: Pass ClientID as Parameter

Run the script with your ClientID:

```powershell
.\WinGet-WrapperImportFromCSV.ps1 -TenantID "yourtenant.onmicrosoft.com" -ClientID "your-application-id" -csvFile "your-csv-file.csv"
```

Troubleshooting

Common Issues

  1. "No reply address is registered for the application"

    • Cause: Missing redirect URI configuration
    • Solution: Follow Step 2 in the configuration process
  2. "Application is not authorized to perform this operation"

    • Cause: Missing or unauthorized API permissions
    • Solution: Ensure Step 3 is completed and admin consent is granted
  3. "AADSTS700016" or "AADSTS90099"

    • Cause: Application not properly authorized in tenant
    • Solution: Ensure admin consent is granted and the account has proper roles (Global Admin or Intune Administrator)

Best Practices

  1. Security:

    • Regularly review and audit application permissions
    • Use separate applications for development and production
    • Follow the principle of least privilege when assigning permissions
  2. Maintenance:

    • Document your application ID and configuration
    • Regularly review and update permissions as needed
    • Monitor application usage through Azure AD audit logs

Required Azure AD Roles

The user account running the scripts needs one of these roles:

  • Intune Administrator
  • Global Administrator

Additional Resources
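The thread above (the fork that lets you pass your own Client ID and Redirect URI, and the walkthrough in this comment for registering the app and granting consent) leaves one practical gap: how to confirm, before running an import, that the sign-in actually used your registration and that the token carries the permission you consented to, and nothing more. The script below is an added example, not code from WinGet-Wrapper or from any commenter. It assumes the Microsoft.Graph.Authentication module is installed; the `$TenantID`, `$ClientID` and `$RequiredScopes` parameters and the exact scope list are assumptions for illustration.

```powershell
# Added example (not part of WinGet-Wrapper): sign in with your own app registration
# and verify the session before any upload is attempted.
# Assumes the Microsoft.Graph.Authentication module is installed.
param(
    [Parameter(Mandatory = $true)][string]$TenantID,   # e.g. "yourtenant.onmicrosoft.com"
    [Parameter(Mandatory = $true)][string]$ClientID,   # Application (client) ID of your registration
    # Assumed scope list; adjust to what your registration was consented for.
    [string[]]$RequiredScopes = @("DeviceManagementApps.ReadWrite.All")
)

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop

# Interactive sign-in. The app registration must list the public-client redirect URI
# https://login.microsoftonline.com/common/oauth2/nativeclient under "Mobile and desktop applications",
# otherwise Entra ID refuses with "No reply address is registered for the application".
Connect-MgGraph -TenantId $TenantID -ClientId $ClientID -Scopes $RequiredScopes -NoWelcome -ErrorAction Stop

$ctx = Get-MgContext
if (-not $ctx) { throw "Connect-MgGraph did not establish a session." }

# Confirm the session really used the registration you expect, not the default Graph PowerShell app.
if ($ctx.ClientId -ne $ClientID) {
    Disconnect-MgGraph | Out-Null
    throw "Session was established with app $($ctx.ClientId), expected $ClientID."
}
Write-Host "Signed in as $($ctx.Account) in tenant $($ctx.TenantId) via app $($ctx.ClientId) ($($ctx.AuthType))"

# Fail closed if a required permission is missing from the issued token
# (typically: the permission was added but admin consent was never granted).
$missing = $RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ }
if ($missing) {
    Disconnect-MgGraph | Out-Null
    throw "Token lacks required permission(s): $($missing -join ', '). Grant admin consent on the app registration and retry."
}

# Least privilege check: warn if the token carries more than the import needs.
$baseline = @("openid", "profile", "email", "offline_access", "User.Read")
$extra = $ctx.Scopes | Where-Object { ($RequiredScopes -notcontains $_) -and ($baseline -notcontains $_) }
if ($extra) {
    Write-Warning "Token carries permissions beyond what the import needs: $($extra -join ', ')"
}
```

Run it as `.\Check-GraphSession.ps1 -TenantID "yourtenant.onmicrosoft.com" -ClientID "your-application-id"` (file name assumed) before the import script. Because the sign-in is interactive, `Get-MgContext` reports the delegated scopes actually issued for the signed-in user, so a missing scope here points at the consent step rather than at the script, and the warning branch is what surfaces a registration that has accumulated broader permissions than the import requires.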
