Changes for page ACMP Intune Connector

Last modified by Sabrina V. on 2025/06/13 09:48

From 2.1 to 1.1 From 4.1 to 3.1

From version 3.1

edited by Sabrina V.
on 2025/05/12 09:07

Change comment: There is no comment for this version

To version 2.1

edited by Sabrina V.
on 2024/10/23 06:03

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

@@ -10,21 +10,180 @@
  To use the ACMP Intune Connector, the following requirements must be met:
--* You need a user account with the appropriate permissions for Microsoft Entra ID
--
--{{box}}
--Refer to the [[//Registering an enterprise application in Microsoft Entra ID//>>doc:ACMP.68.Unternehmensanwendung registrieren in der Microsoft Entra ID.WebHome]] section for information on how to register an app and distribute the necessary permissions.
--{{/box}}
--
++* You need a user account with the appropriate permissions for Microsoft Azure Active Directory
  * There must be a connection between AESB and ACMP. AESB must be available for this and the necessary details of the [[SICS connection>>doc:||anchor="H1.ACMPconsole:CheckSICSconnectioninACMP"]] must be stored in ACMP
  * AESB must be at least version 1.8
  * You need a working internet connection, as Intune is a cloud solution and requires a network connection to work.
  * A running instance of Intune
--= Prepare for Microsoft Entra ID and distribute permissions =
++= Preparations in Azure Active Directory =
--In order for the ACMP Intune Connector to access the Intune API, you must first register a company application in the Microsoft Entra Admin Centre and grant the necessary permissions within these applications (see [[//Registering a company application in Microsoft Entra ID//>>url:https://doc.aagon.com/bin/view/ACMP/68/Unternehmensanwendung%20registrieren%20in%20der%20Microsoft%20Entra%20ID/]]).
++To enable the ACMP Intune Connector to access the Intune API, you must first register an enterprise application in Azure Active Directory and grant the required permissions within those applications.
++== Register the Enterprise Application ==
++
++First, sign in to the [[Azure AD (Active Directory)>>https://aad.portal.azure.com/]] and navigate to Azure Active Directory in the Overview. Click the //Manage// > //Application// //Registrations// tab and create a new application registration.
++
++{{figure}}
++[[image:65_Intune_App-Registrierung in der Azure AD.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++App registrations in the Azure AD
++{{/figureCaption}}
++{{/figure}}
++
++Enter all the necessary information: Enter a name for the application and select the accounts to support. Finish the process by clicking //Register//.
++
++{{figure}}
++[[image:65_Intune_Anwendung registrieren.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Register application
++{{/figureCaption}}
++{{/figure}}
++
++If you now open the created application, you will see a summary of the information added. This includes the display name, the various IDs (application, object and directory ID) and details of the account types supported.
++
++{{figure}}
++[[image:65_Intune_Zusammenfassung der Anwendungsinformationen.png||alt="65_Intune_Anwendung registrieren.png" data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Summary of the application information
++{{/figureCaption}}
++{{/figure}}
++
++== Distribute permissions ==
++
++The next step is to assign the necessary permissions to the business application to access the Graph API. To do this, go to the Permissions section within the registered application (//Manage// > //API// //Permissions//).
++
++{{figure}}
++[[image:65_Intune_API Berechtigungen.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++API permissions
++{{/figureCaption}}
++{{/figure}}
++
++There, click //Add Permission//. This will bring up a page where you can request the API permissions. In this step you need to select the //Microsoft Graph//.
++
++{{figure}}
++[[image:65_Intune_Microsoft Graph anfordern.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++API permissions: Request Microsoft Graph
++{{/figureCaption}}
++{{/figure}}
++
++A distinction is made between "Delegated Permissions" and "Application Permissions". Enter the following values individually under 'Delegated permissions' and repeat the process by entering each of the following list entries:
++
++* DeviceManagementManagedDevices.Read.All
++* DeviceManagementManagedDevices.ReadWrite.All
++* User.Read
++
++{{figure}}
++[[image:65_Intune_Delegierte Berechtigungen verteilen.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Distribute delegated permissions
++{{/figureCaption}}
++{{/figure}}
++
++Tick the appropriate items, scroll back to the top, click the //Application Permissions// field and add the following permissions:
++
++* DeviceManagementApps.Read.All
++* DeviceManagementConfiguration.Read.All
++* DeviceManagementManagedDevices.PrivilegedOperations.All
++* DeviceManagementManagedDevices.Read.All
++* DeviceManagementManagedDevices.ReadWrite.All
++* DeviceManagementServiceConfig.Read.All
++* User.Read.All
++
++When you have selected all the permissions, click //Add Permissions//. You will see the entries in the overview.
++
++{{figure}}
++[[image:65_Intune_Verteilte Berechtigungen (ohne Einwilligung).png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Deployed permissions (without consent)
++{{/figureCaption}}
++{{/figure}}
++
++If you have not already done so, you may need to give your consent to the permissions. To do this, click on the //Grant administrator// //consent for// //"%Your Company%//" field. This will change the status and the user permission will be granted.
++
++{{figure}}
++[[image:65_Intune_Bewilligte Berechtigungen.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Authorised permissions
++{{/figureCaption}}
++{{/figure}}
++
++== Upload client secret key or certificates ==
++
++Later, during the initial setup of the ACMP Intune Connector, you have to specify an authentication type in the AESB console. You can choose from two methods supported by the Microsoft Client Credentials Provider: //Certificate// or //Client Secret Key//.
++
++{{aagon.infobox}}
++The procedure differs depending on the authentication type selected. Read below to find out what you need to consider for each method.
++{{/aagon.infobox}}
++
++=== Upload certificate ===
++
++{{aagon.infobox}}
++Due to the higher level of security, Microsoft recommends that you use a certificate as your credential.
++{{/aagon.infobox}}
++
++Certificates can be used as an authentication method to log in to Azure Active Directory in the AESB console. A certificate always consists of a public and private part, where the public key is loaded directly into Azure AD. The private part is used in the AESB console. This certificate pair needs to be generated beforehand. Read how to generate a certificate via [[Microsoft>>url:https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal]] or[[ Open SSL>>url:https://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-certificate-and-private-key]].
++
++Navigate to //Certificates & Secrets// in the previously registered application. In the details, click on the //Certificates// tab and upload the previously created certificate.
++
++{{figure}}
++[[image:65_Intune_Zertifikat hochladen.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Upload certificate
++{{/figureCaption}}
++{{/figure}}
++
++A field will open on the right hand side where you can upload the certificate. Browse to the appropriate directory, upload the file and enter an optional description for the certificate. Then click Add and the certificate will be saved for the application.
++
++{{aagon.infobox}}
++Please note that only .cer, .pem and .crt file types are supported when uploading a certificate.
++{{/aagon.infobox}}
++
++{{figure}}
++[[image:65_Intune_Hochgeladenes Zertifikat in der Azure Active Directory.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Uploaded certificate in the Azure Active Directory
++{{/figureCaption}}
++{{/figure}}
++
++=== Adding a secret client key ===
++
++The secret client key is a string of characters used by the enterprise application as an authentication key or proof of identity when requesting the token. To do this, go to the Permissions area within the registered application (//Security// > //Permissions//) and click the Application Registration link. Navigate to //Certificates// & //Secrets//. In the details, click the //Secret Client Keys// tab and create a new key.
++
++{{figure}}
++[[image:65_Intune_Neuen Clientschlüssel hinterlegen.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Store new client key
++{{/figureCaption}}
++{{/figure}}
++
++When creating a new secret client key, you can configure the validity period. Note that once the validity period has expired, a new key must be created and stored in the AESB.
++
++{{figure}}
++[[image:65_Intune_Geheimen Clientschlüssel hinterlegen.png||data-xwiki-image-style-alignment="center"]]
++
++{{figureCaption}}
++Adding a secret client key
++{{/figureCaption}}
++{{/figure}}
++
++{{aagon.infobox}}
++You will need the secret client key you created when you set up the AESB. Keep this in mind for future reference.
++{{/aagon.infobox}}
++
  = Configuration in AESB and ACMP =
  Before you can use Intune in ACMP, you need to do some preliminary work in the ACMP and AESB consoles.