Configuring Intune Application Registration

Scope: Easy2Patch (All Versions)

General steps to configure application registration for Intune application management.

  1. Sign in to the Azure portal (https://portal.azure.com).

  2. Select "Azure Active Directory" from the left-hand navigation menu.

  3. Select "App registrations" under the Manage section.

  4. Click on "New registration" to create a new application registration.

  5. Enter a name for your application, choose the supported account types, and enter a redirect URI (if applicable).

  6. After registering the application, note the Application ID and Tenant ID. These will be used later in the Intune application configuration.

  7. In Intune, navigate to "Client apps" and select "App registration" from the left-hand navigation menu.

  8. Click on "Add" to create a new app registration.

  9. Enter the Application ID and Tenant ID from step 6 and click "Next".

  10. Select the app management capabilities you want to configure, such as app protection policies and app configuration policies.

  11. Complete the configuration and assign the app registration to users or groups as needed.

Note that these steps are general and may differ slightly depending on your specific Intune configuration and requirements. Always refer to official documentation and best practices for guidance when configuring Intune application management.

Microsoft Graph Permissions

You should give some permissions for manage applications in intune for Application registration. In the Select permissions table view, search for “DeviceManagement”, "Application", "User" and "Device" and under those permissions, enable the following:

  • Application.Read.All: Read all applications

  • Application.ReadWrite.All: Read and write all applications

  • Device.Read.All: Read

  • DeviceManagementApps.ReadWrite.All: View and create applications in Intune

  • DeviceManagementConfiguration.Read.All: View properties and relationships of assignment filters

  • DeviceManagementManagedDevices.Read.All: View device inventory for the auto-publish feature

  • DeviceManagementRBAC.Read.All: View scopes to be assigned to applications

  • DeviceManagementServiceConfig.ReadWrite.All: Update Enrollment Status Page configurations

  • User.Read: Sign in and read user profile

  • User.Read.All: Read all users' full profiles

Then, search for “GroupMember”, "Group" and under Group permissions, enable:

  • GroupMember.Read.All: View Azure AD groups to enable automatic application deployment

  • Group.Read.All: Read all groups

Windows Defender ATP Permissions

You should give some permissions for manage Defender Integration in intune for Application registration. In the Select permissions table view, search for “Alert”, "Ip", "Machine", "Score", "SecurityBaselinesAssessment", "SecurityConfiguration", "SecurityRecommendation", "Vulnerability", "User", "Software", and "RemediationTasks" and under those permissions, enable the following:

  • Alert.Read.All: Read all alerts

  • Ip.Read.All: Read IP address profiles

  • Machine.Read.All: Read all machine profiles

  • Machine.ReadWrite.All: Read and write all machine information

  • Machine.Scan: Scan machine

  • RemediationTasks.Read.All: Read all remediation tasks

  • Score.Read.All: Read Threat and Vulnerability Management score

  • SecurityBaselinesAssessment.Read.All: Read all security baselines assessment information

  • SecurityConfiguration.Read.All: Read all security configurations

  • SecurityRecommendation.Read.All: Read Threat and Vulnerability Management security recommendations

  • Software.Read.All: Read Threat and Vulnerability Management software information

  • User.Read.All: Read user profiles

  • Vulnerability.Read.All: Read Threat and Vulnerability Management vulnerability information

Last updated