[MC736429] the global Microsoft Intune PowerShell application (client) ID based authentication method is being removed. #156
Scripts with references to the old app id: \IntuneWin32App-master\Development\Save-IntuneWin32AppContent.ps1

We got the following announcement in our Intune tenant:

It is possible to use your own application by doing the following. I am not sure about the least-access permission, but the one I tested this with had:
It appears that Connect-MSIntuneGraph is failing on most tenants now. I've tried creating an application as per here, but despite retrieving an access token, Add-IntuneWin32App fails with Forbidden errors even though the application seemingly has the same permissions. This is significantly impacting us as it has broken all our Intune application deployments.

We have the same issue: the Microsoft Intune PowerShell app registration has been revoked by Microsoft.

Create a new app registration or use the "new default" app registration, with the same settings as the revoked one. Look up the client id from the app registration. Connect to Microsoft Intune Graph:
Connect-MSIntuneGraph -TenantID "yourtenant.onmicrosoft.com" -ClientID "yourappregistrationid"
Then you can connect again.
Thanks for this @blimpz! We are back up and running again. I can confirm that using an application with only:
I was able to create an app, get a list of all apps, supersede a previous version, and assign the app to groups whose IDs I had passed. I would assume that if you want to look up groups and members you would need to add Directory.Read.All. Other functions may need DeviceManagementManagedDevices.Read(/Write).All if your script performs other actions, but I think for this module at least, DeviceManagementApps is enough.
Confirming that a new application with permissions assigned as Application gives me the same access as previously. NOTE that many commenters have specified to duplicate the existing Microsoft Intune PowerShell application, but this has permissions assigned as type Delegated which gives a token but does not work. I'm still finding that Add-IntuneWin32App fails with
but switching to PowerShell 5.1 it works.

Working for me fine with 5.1.

Same. Connect-MSIntuneGraph fails with: Application with identifier 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547' was not found. This has broken our deployments, so we are unable to deploy until it gets resolved. From what we gather, Connect-MSIntuneGraph has a reliance on the above ID, which was published years ago by Microsoft as a kind of PowerShell sample code. And now Microsoft has blocked this identifier. The workaround seems to be for administrators to create an application. I tried a few things but couldn't get it working. If someone can document the steps that would be very helpful. Ideally, the codebase should include a method for creating the application with the 'correct' permissions, if not in-line, then at least as a utility function.

Run my script here, which will create an Azure application called "IntuneWin32App" and add the permissions... You'll need the PowerShell module Microsoft.Graph installed to run it successfully.
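As an added example (not the commenter's script, which is no longer available, and not part of the IntuneWin32App module), this registers an Entra ID application with only the two *Application* permissions the thread found sufficient and grants tenant-wide admin consent. It assumes the Microsoft.Graph module, a user allowed to create app registrations and grant consent, and the display name and role list below; both are assumptions you should match to your own tenant policy.

```powershell
# Register a least-privilege app for IntuneWin32App (added example, assumptions noted inline)
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known app id of Microsoft Graph
# Roles the thread identified: apps read/write, plus group read for the assignment cmdlets
$Roles = @('DeviceManagementApps.ReadWrite.All', 'Group.Read.All')

# Resolve role names to ids from Graph's service principal rather than hard-coding GUIDs
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$ResourceAccess = foreach ($Name in $Roles) {
    $Role = $GraphSp.AppRoles |
        Where-Object { $_.Value -eq $Name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $Role) { throw "App role '$Name' not found on the Microsoft Graph service principal" }
    # Type 'Role' = Application permission; 'Scope' would be Delegated, which only yields
    # a token for a signed-in user and is what broke the "duplicate the old app" attempts
    @{ Id = $Role.Id; Type = 'Role' }
}

$App = New-MgApplication -DisplayName 'IntuneWin32App' -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @(@{ ResourceAppId = $GraphAppId; ResourceAccess = $ResourceAccess })

# A service principal must exist in the tenant before admin consent can be recorded against it
$Sp = New-MgServicePrincipal -AppId $App.AppId

# Equivalent of the portal's "Grant admin consent" for each application role
foreach ($Access in $ResourceAccess) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id -PrincipalId $Sp.Id `
        -ResourceId $GraphSp.Id -AppRoleId $Access.Id | Out-Null
}

"ClientID for Connect-MSIntuneGraph -ClientID : $($App.AppId)"
"TenantID for Connect-MSIntuneGraph -TenantID : $((Get-MgContext).TenantId)"
```

Add a certificate or secret credential to the new registration afterwards; the registration itself carries no credential yet.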
It works for the most part, but when checking or changing the Category I still get an error, so we probably need more API permissions.
The documentation says we need DeviceManagementApps.ReadWrite.All, but this is already added (Delegated/Application, consent for the whole tenant).

I also ran into this as described at Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID. I found that the only MS Graph permission required for my use case was
I have also just encountered the problem, how do I have to set the app so that it works again?
//Edit

To use the IntuneWin32AppAssignment features, you also need the Group.Read.All permission.

There is no script ;)

@twelch-ricohnz Could you share your script again, please? It is not available anymore.

@aCID-sLAM, @alexhass
Once you have this in place you'll have to work out how you are authenticating against it. We're using a self-signed certificate and storing the tenant id and application id within a JSON file. The below gets added to every application upload script...
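As an added example (not the commenter's own upload-script snippet, which is not reproduced in the thread), this is one way to wire the approach described above: tenant id, client id and a certificate thumbprint come from a JSON file, while the private key stays in the Windows certificate store. The config path and key names are assumptions, and the -ClientCert parameter of Connect-MSIntuneGraph is assumed to be present in your module version (check Get-Help Connect-MSIntuneGraph if unsure).

```powershell
# Prologue for an upload script (added example, assumptions noted inline)
# Constructed sample intune-auth.json, kept beside the script:
# { "TenantID": "contoso.onmicrosoft.com",
#   "ClientID": "<client id of your own app registration>",
#   "CertThumbprint": "<thumbprint of the cert uploaded to that registration>" }
$ConfigPath = Join-Path -Path $PSScriptRoot -ChildPath 'intune-auth.json'
$Config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

# Fail early on a malformed config instead of at the first Graph call
foreach ($Key in 'TenantID', 'ClientID', 'CertThumbprint') {
    if ([string]::IsNullOrWhiteSpace($Config.$Key)) { throw "Missing '$Key' in $ConfigPath" }
}

# Only the thumbprint lives in the file; the key material never leaves the cert store
$Cert = Get-Item -Path "Cert:\CurrentUser\My\$($Config.CertThumbprint)" -ErrorAction Stop
if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key" }
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate $($Cert.Thumbprint) expired $($Cert.NotAfter)" }

# Commenters above reported Add-IntuneWin32App working under 5.1 where it failed elsewhere
if ($PSVersionTable.PSVersion.Major -ne 5) {
    Write-Warning "Running on PowerShell $($PSVersionTable.PSVersion); 5.1 is what the thread reports working"
}

Import-Module -Name IntuneWin32App -ErrorAction Stop
# Certificate-based, application-permission sign-in with your own registration
Connect-MSIntuneGraph -TenantID $Config.TenantID -ClientID $Config.ClientID -ClientCert $Cert
```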
It would be good to have this issue marked as a bug and the module updated so that users can at least register an Azure app and then connect the module with something like the following (the above doesn't currently work for me). Below are the steps that I have compiled for the current user-based auth workaround:
In Azure, go to Azure app registrations and register an app. (Note that application permissions for these 3 roles may also be needed.)
Get the app id for the app you just registered.
Edit the PowerShell module: in Connect-MSIntuneGraph.ps1, set the following old values > new values.
New Values:
Now you should be able to connect with
Today I was informed by our company Entra ID admin that the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) will be removed by Microsoft?
Here is the message:
Are you aware of these changes?