This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 82%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPA%3C/text%3E%3C/svg%3E)
Have received the below advisory from Microsoft but enable to find the particular script with the following app id.
Can someone please help the process how to search for this app id and identify.
Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform. (https://learn.microsoft.com/entra/identity-platform/quickstart-register-app)
Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.
Additional Diagnostics
Review any PowerShell scripts for Intune that run in your environment and are using the AppID d1ddf0e4-d672-4dae-b554-9d5bdfd93547. Scripts that were copied from the following GitHub repo contain that AppID: https://github.com/microsoftgraph/powershell-intune-samples
Latest Message
Title: We've detected a Microsoft Intune PowerShell script issue in your environment User impact: If action isn't taken, PowerShell scripts may break. Current Status: If you are using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you will need to update your scripts before May 1 with a different Microsoft Entra ID registered application ID to prevent your PowerShell scripts from breaking. Microsoft has replaced the GitHub repository using the old application ID d1ddf0e4-d672-4dae-b554-9d5bdfd93547 with a new repository as announced here: https://techcommunity.microsoft.com/t5/intune-customer-success/update-to-microsoft-intune-powershell-example-script-repository/ba-p/3842452 Additionally, this has been communicated under Message Center posts MC736429 and MC721851. This communication will expire in 14 days, and is scheduled to remain active for the full duration.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Paricha, Avijit (WIPRO), Thanks for posting in Q&A. Based on my checking, starting on April 1, 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the Microsoft Intune PowerShell (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) is being removed. If you are using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you will need to create a new application under App registrations. And then update your scripts with a Microsoft Entra ID registered application ID with the registered application you created to prevent your scripts from breaking.
Here is one I created in my environment for your reference.
1.Go to Identity > Applications > App registrations and select "New registration".
2.Set the application name, select "Accounts in this organizational directory only (Contoso only - Single tenant)", Redirect URl: urn:ietf:wg:oauth:2.0:oob
3.Click Register to register the application.
4.Then go to API permissions to add the following permission and "Grant admin consent for Contoso".
DeviceManagementApps.ReadWrite.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementRBAC.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
Directory.Read.All
Group.ReadWrite.All
openid
5.After the Application is created, find the application and replace the one in script with this one.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 71%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
I was also looking into this, but when I look at the sign-in logs of the existing Intune Powershell app registration, even when just doing
Import-Module Microsoft.Graph.Intune
Connect-MSGraph
this triggers a sign-in (so I guess usage) of this app.
How on earth will Microsoft know to start using a random new app registration created by us instead of the one provisioned by Microsoft ?
It's quite confusing to me....
@Steve Hernou, Thanks for the reply. Based on my checking, yes, when we run command "Connect-MSGraph", it uses the built-in enterprise application "Microsoft Intune PowerShell" to do the authentication.
For the script in GitHub, it writes in script to specific a registration application to get auth token. Here is an example DeviceConfiguration_Get.ps1 for your reference.
@Steve Hernou, Hope things are going well. if there's anything else we can help, feel free to let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 11%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi,
thanks, for the steps shown above, much appreciated.
I questioned myself, whether the existing Intune App must be exactly replaced with the same permissions, but I didn't find any information in the web - now it's clear.
The only question I have, is the Redirect URI = urn:ietf:wg:oauth:2.0:oob mandatory and exactly to be used in the same way like you mentioned?
Because, for the moment, the current App "Microsoft Intune PowerShell - d1ddf0e4-d672-4dae-b554-9d5bdfd93547" does not have a "Redirect URI" in place.
Thanks & Regards
@Marsch, For the permission we set, it depends on the API we access. For example, when we want to using Get deviceManagement API, then we need to ensure the following required permissions are added in our registration app.
The redirect URIs is the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. The authorization server sends the code or token to the redirect URI,
https://learn.microsoft.com/en-us/entra/identity-platform/reply-url
For the value "urn:ietf:wg:oauth:2.0:oob", it is a default value of some authentication libraries. You can configure it according to the API uses.
For "Microsoft Intune PowerShell", it is an Enterprise application which is without Redirect URI configured by default. And due to updated authentication methods in the Graph SDK-based PowerShell module. So we need to create a new app registration for the previous script.
Hope the above information can help.
@Marsch, Hope the above information can help. If there's anything else we can help, feel free to let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 8%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 41%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
to check usage of the app Look within Entra ID, under Identity – Applications – Enterprise Applications
The app reg will be called "Microsoft Intune Powershell" and check the Sign in Logs