Changes for page ACMP Intune Connector

Last modified by Sabrina V. on 2025/06/13 09:48
From version 2.1
edited by Sabrina V.
on 2024/10/23 06:03
Change comment: There is no comment for this version
To version 4.1
edited by Sabrina V.
on 2025/06/13 09:48
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -4,6 +4,10 @@
4 4  
5 5  {{aagon.floatingbox/}}
6 6  
7 +{{aagon.versionierungsbox}}
8 +Please note that the ACMP Intune Connector has been replaced by [[Intune Management>>doc:ACMP.68.ACMP-Solutions.Intune Management.WebHome]] in version 6.8 of ACMP.
9 +{{/aagon.versionierungsbox}}
10 +
7 7  Microsoft Intune is a cloud-based solution that helps you manage your mobile devices. It allows you to remotely manage devices, secure access or even lock them down. With the ACMP Intune Connector, you can inventory the devices from Intune in ACMP and send the most important actions to the devices from ACMP.
8 8  
9 9  = **Requirements for using the ACMP Intune Connector** =
... ... @@ -10,180 +10,21 @@
10 10  
11 11  To use the ACMP Intune Connector, the following requirements must be met:
12 12  
13 -* You need a user account with the appropriate permissions for Microsoft Azure Active Directory
17 +* You need a user account with the appropriate permissions for Microsoft Entra ID
18 +
19 +{{box}}
20 +Refer to the [[//Registering an enterprise application in Microsoft Entra ID//>>doc:ACMP.68.Unternehmensanwendung registrieren in der Microsoft Entra ID.WebHome]] section for information on how to register an app and distribute the necessary permissions.
21 +{{/box}}
22 +
14 14  * There must be a connection between AESB and ACMP. AESB must be available for this and the necessary details of the [[SICS connection>>doc:||anchor="H1.ACMPconsole:CheckSICSconnectioninACMP"]] must be stored in ACMP
15 15  * AESB must be at least version 1.8
16 16  * You need a working internet connection, as Intune is a cloud solution and requires a network connection to work.
17 17  * A running instance of Intune
18 18  
19 -= Preparations in Azure Active Directory =
28 += Prepare for Microsoft Entra ID and distribute permissions =
20 20  
21 -To enable the ACMP Intune Connector to access the Intune API, you must first register an enterprise application in Azure Active Directory and grant the required permissions within those applications.
30 +In order for the ACMP Intune Connector to access the Intune API, you must first register a company application in the Microsoft Entra Admin Centre and grant the necessary permissions within these applications (see [[//Registering a company application in Microsoft Entra ID//>>url:https://doc.aagon.com/bin/view/ACMP/68/Unternehmensanwendung%20registrieren%20in%20der%20Microsoft%20Entra%20ID/]]).
22 22  
23 -== Register the Enterprise Application ==
24 -
25 -First, sign in to the [[Azure AD (Active Directory)>>https://aad.portal.azure.com/]] and navigate to Azure Active Directory in the Overview. Click the //Manage// > //Application// //Registrations// tab and create a new application registration.
26 -
27 -{{figure}}
28 -[[image:65_Intune_App-Registrierung in der Azure AD.png||data-xwiki-image-style-alignment="center"]]
29 -
30 -{{figureCaption}}
31 -App registrations in the Azure AD
32 -{{/figureCaption}}
33 -{{/figure}}
34 -
35 -Enter all the necessary information: Enter a name for the application and select the accounts to support. Finish the process by clicking //Register//.
36 -
37 -{{figure}}
38 -[[image:65_Intune_Anwendung registrieren.png||data-xwiki-image-style-alignment="center"]]
39 -
40 -{{figureCaption}}
41 -Register application
42 -{{/figureCaption}}
43 -{{/figure}}
44 -
45 -If you now open the created application, you will see a summary of the information added. This includes the display name, the various IDs (application, object and directory ID) and details of the account types supported.
46 -
47 -{{figure}}
48 -[[image:65_Intune_Zusammenfassung der Anwendungsinformationen.png||alt="65_Intune_Anwendung registrieren.png" data-xwiki-image-style-alignment="center"]]
49 -
50 -{{figureCaption}}
51 -Summary of the application information
52 -{{/figureCaption}}
53 -{{/figure}}
54 -
55 -== Distribute permissions ==
56 -
57 -The next step is to assign the necessary permissions to the business application to access the Graph API. To do this, go to the Permissions section within the registered application (//Manage// > //API// //Permissions//).
58 -
59 -{{figure}}
60 -[[image:65_Intune_API Berechtigungen.png||data-xwiki-image-style-alignment="center"]]
61 -
62 -{{figureCaption}}
63 -API permissions
64 -{{/figureCaption}}
65 -{{/figure}}
66 -
67 -There, click //Add Permission//. This will bring up a page where you can request the API permissions. In this step you need to select the //Microsoft Graph//.
68 -
69 -{{figure}}
70 -[[image:65_Intune_Microsoft Graph anfordern.png||data-xwiki-image-style-alignment="center"]]
71 -
72 -{{figureCaption}}
73 -API permissions: Request Microsoft Graph
74 -{{/figureCaption}}
75 -{{/figure}}
76 -
77 -A distinction is made between "Delegated Permissions" and "Application Permissions". Enter the following values individually under 'Delegated permissions' and repeat the process by entering each of the following list entries:
78 -
79 -* DeviceManagementManagedDevices.Read.All
80 -* DeviceManagementManagedDevices.ReadWrite.All
81 -* User.Read
82 -
83 -{{figure}}
84 -[[image:65_Intune_Delegierte Berechtigungen verteilen.png||data-xwiki-image-style-alignment="center"]]
85 -
86 -{{figureCaption}}
87 -Distribute delegated permissions
88 -{{/figureCaption}}
89 -{{/figure}}
90 -
91 -Tick the appropriate items, scroll back to the top, click the //Application Permissions// field and add the following permissions:
92 -
93 -* DeviceManagementApps.Read.All
94 -* DeviceManagementConfiguration.Read.All
95 -* DeviceManagementManagedDevices.PrivilegedOperations.All
96 -* DeviceManagementManagedDevices.Read.All
97 -* DeviceManagementManagedDevices.ReadWrite.All
98 -* DeviceManagementServiceConfig.Read.All
99 -* User.Read.All
100 -
101 -When you have selected all the permissions, click //Add Permissions//. You will see the entries in the overview.
102 -
103 -{{figure}}
104 -[[image:65_Intune_Verteilte Berechtigungen (ohne Einwilligung).png||data-xwiki-image-style-alignment="center"]]
105 -
106 -{{figureCaption}}
107 -Deployed permissions (without consent)
108 -{{/figureCaption}}
109 -{{/figure}}
110 -
111 -If you have not already done so, you may need to give your consent to the permissions. To do this, click on the //Grant administrator// //consent for// //"%Your Company%//" field. This will change the status and the user permission will be granted.
112 -
113 -{{figure}}
114 -[[image:65_Intune_Bewilligte Berechtigungen.png||data-xwiki-image-style-alignment="center"]]
115 -
116 -{{figureCaption}}
117 -Authorised permissions
118 -{{/figureCaption}}
119 -{{/figure}}
120 -
121 -== Upload client secret key or certificates ==
122 -
123 -Later, during the initial setup of the ACMP Intune Connector, you have to specify an authentication type in the AESB console. You can choose from two methods supported by the Microsoft Client Credentials Provider: //Certificate// or //Client Secret Key//.
124 -
125 -{{aagon.infobox}}
126 -The procedure differs depending on the authentication type selected. Read below to find out what you need to consider for each method.
127 -{{/aagon.infobox}}
128 -
129 -=== Upload certificate ===
130 -
131 -{{aagon.infobox}}
132 -Due to the higher level of security, Microsoft recommends that you use a certificate as your credential.
133 -{{/aagon.infobox}}
134 -
135 -Certificates can be used as an authentication method to log in to Azure Active Directory in the AESB console. A certificate always consists of a public and private part, where the public key is loaded directly into Azure AD. The private part is used in the AESB console. This certificate pair needs to be generated beforehand. Read how to generate a certificate via [[Microsoft>>url:https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal]] or[[ Open SSL>>url:https://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-certificate-and-private-key]].
136 -
137 -Navigate to //Certificates & Secrets// in the previously registered application. In the details, click on the //Certificates// tab and upload the previously created certificate.
138 -
139 -{{figure}}
140 -[[image:65_Intune_Zertifikat hochladen.png||data-xwiki-image-style-alignment="center"]]
141 -
142 -{{figureCaption}}
143 -Upload certificate
144 -{{/figureCaption}}
145 -{{/figure}}
146 -
147 -A field will open on the right hand side where you can upload the certificate. Browse to the appropriate directory, upload the file and enter an optional description for the certificate. Then click Add and the certificate will be saved for the application.
148 -
149 -{{aagon.infobox}}
150 -Please note that only .cer, .pem and .crt file types are supported when uploading a certificate.
151 -{{/aagon.infobox}}
152 -
153 -{{figure}}
154 -[[image:65_Intune_Hochgeladenes Zertifikat in der Azure Active Directory.png||data-xwiki-image-style-alignment="center"]]
155 -
156 -{{figureCaption}}
157 -Uploaded certificate in the Azure Active Directory
158 -{{/figureCaption}}
159 -{{/figure}}
160 -
161 -=== Adding a secret client key ===
162 -
163 -The secret client key is a string of characters used by the enterprise application as an authentication key or proof of identity when requesting the token. To do this, go to the Permissions area within the registered application (//Security// > //Permissions//) and click the Application Registration link. Navigate to //Certificates// & //Secrets//. In the details, click the //Secret Client Keys// tab and create a new key.
164 -
165 -{{figure}}
166 -[[image:65_Intune_Neuen Clientschlüssel hinterlegen.png||data-xwiki-image-style-alignment="center"]]
167 -
168 -{{figureCaption}}
169 -Store new client key
170 -{{/figureCaption}}
171 -{{/figure}}
172 -
173 -When creating a new secret client key, you can configure the validity period. Note that once the validity period has expired, a new key must be created and stored in the AESB.
174 -
175 -{{figure}}
176 -[[image:65_Intune_Geheimen Clientschlüssel hinterlegen.png||data-xwiki-image-style-alignment="center"]]
177 -
178 -{{figureCaption}}
179 -Adding a secret client key
180 -{{/figureCaption}}
181 -{{/figure}}
182 -
183 -{{aagon.infobox}}
184 -You will need the secret client key you created when you set up the AESB. Keep this in mind for future reference.
185 -{{/aagon.infobox}}
186 -
187 187  = Configuration in AESB and ACMP =
188 188  
189 189  Before you can use Intune in ACMP, you need to do some preliminary work in the ACMP and AESB consoles.
© Aagon GmbH 2026
Besuchen Sie unsere Aagon-Community