Register and secure Microsoft Graph API access for Intune
Microsoft Graph is the recommended API surface for Intune automation. Before your scripts and services can call Intune endpoints, you must register an app in Microsoft Entra ID, assign only the permissions it needs, and secure the app credentials.
Why registration and permissions are important
A registered app establishes trust between your automation workload and the Microsoft identity platform. Intune automation typically uses app-only access so your service can run unattended and manage devices, policies, apps, and compliance data.
If you assign too many permissions or leave credentials exposed, automation becomes a security risk. Use least privilege, manage credentials securely, and keep the app’s access scope aligned with the tasks you automate.
App-only vs delegated access
Use the right authentication model for your scenario:
- App-only access (application permissions): Best for unattended automation, background services, runbooks, and scheduled tasks. The app acts as itself and no user sign-in is needed.
- Delegated access (delegated permissions): Best for interactive scripts or tools where a signed-in administrator performs actions on behalf of a user.
Important
Use app-only access for most Intune automation scenarios. App-only permissions are the correct pattern for scheduled scripts and service-driven workflows.
Register the Intune automation app
To use unattended Intune automation, you need to create a Microsoft Entra ID app registration. Later you will assign the required API permissions to this app registration.
- Sign in to the Microsoft Entra admin center with a tenant administrator account.
- Browse to Identity > Applications > App registrations and choose New registration.
- Enter a descriptive name such as Contoso Intune Automation.
- Choose the supported account type for your environment:
- Single tenant for automation within one organization.
- Multitenant only if the app must run across multiple tenants.
- Skip Redirect URI for server-to-server automation.
- Select Register.
When registration completes, capture these values from the Overview page:
- Application (client) ID
- Directory (tenant) ID
Choose the right Intune Graph permissions
In this scenario you will use the app registration to validate Intune Graph access for managed devices. For the sample query shown later, you only need the following application permission:
DeviceManagementManagedDevices.Read.All
Other useful Intune application permissions for broader automation include DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All, and DeviceManagementServiceConfig.Read.All. Add those only if your automation needs to manage configurations, apps, or service settings.
Note
Only application permissions are supported for app-only Intune automation. Delegated permissions require a user sign-in and are not ideal for unattended service accounts.
To add permissions:
- In the app registration, select API permissions.
- Choose Add a permission > Microsoft Graph > Application permissions.
- Select DeviceManagementManagedDevices.Read.All.
- Choose Add permissions.
- Select Grant admin consent for your tenant.
After consent is granted, verify that the app can acquire a token for https://graph.microsoft.com/.default and that the selected permission is sufficient for your validation query.
Secure the automation app credentials
Your automation app needs credentials so it can authenticate to Microsoft Graph. Use the strongest option available for your workload.
Use certificates for production automation
Certificates are the most secure credential type for confidential clients:
- Upload a certificate under Certificates & secrets > Certificates.
- Use a certificate stored in Azure Key Vault or your existing PKI.
- Rotate certificates regularly and remove any expired credentials.
Use client secrets only for development
A client secret is easier to create but less secure than a certificate.
- Create the secret under Certificates & secrets > Client secrets.
- Set a short expiration and record the secret value immediately.
- Store secret values in Azure Key Vault or a secured automation vault.
Use federated credentials for modern pipeline automation
Federated credentials let workloads such as GitHub Actions, Azure Pipelines, or Azure-hosted containers authenticate without storing a secret.
- Choose Certificates & secrets > Federated credentials.
- Configure a workload identity federation trust for the service that runs your automation.
Tip
For Azure Automation or Azure Functions, consider using a managed identity instead of app credentials when the service supports Microsoft Graph access.
Grant consent and verify access
After adding permissions, grant admin consent and confirm that the application can request tokens.
- Use the Grant admin consent button in the app registration.
- Validate that the app can receive an access token for https://graph.microsoft.com/.default.
- Check the tenant admin consent status under API permissions.
After you have created the app registration and granted admin consent, you can authenticate to and use the Microsoft Graph API.
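The following script ties together the certificate-credential guidance and the verification steps above: it acquires an app-only token for https://graph.microsoft.com/.default with a certificate, confirms that the token's roles claim carries DeviceManagementManagedDevices.Read.All (the claim that admin consent populates for application permissions), and then runs a small read of managed devices. This is an added example, not Microsoft's code or a sample from this page. It assumes the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and INTUNE_APP_CERT_PEM (a PEM file holding the certificate and its private key), and the managed-devices query is my own choice of validation query, since the page does not fix one. It uses the msal, cryptography and requests packages.

```python
"""Validate an Intune automation app registration end to end.

Added example (not Microsoft's code). Assumed inputs: environment variables
AZURE_TENANT_ID, AZURE_CLIENT_ID and INTUNE_APP_CERT_PEM (path to a PEM file
containing the certificate uploaded to the app registration plus its private key).
Requires: pip install msal cryptography requests
"""
import base64
import json
import os
import re
import sys

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLES = {"DeviceManagementManagedDevices.Read.All"}
# Assumed validation query: a small, read-only look at managed devices.
VALIDATION_URL = ("https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
                  "?$select=id,deviceName&$top=5")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Only for inspecting a token we just received from the token endpoint;
    never use this to accept tokens presented by callers."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, required: set) -> set:
    """Application permissions that were consented to appear in the 'roles' claim
    of an app-only token. Returns the required permissions the token lacks."""
    granted = set(jwt_claims(token).get("roles", []))
    return set(required) - granted


def _unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the claim checks offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def certificate_credential(pem_path: str) -> dict:
    """Build the MSAL client credential for a certificate: the PEM private key plus
    the SHA-1 thumbprint Entra ID shows for the uploaded certificate."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    pem = open(pem_path, "rb").read()
    cert_block = re.search(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem, re.S)
    key_block = re.search(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", pem, re.S)
    if not cert_block or not key_block:
        raise ValueError("PEM file must contain both a certificate and a private key")
    cert = x509.load_pem_x509_certificate(cert_block.group(0))
    return {"private_key": key_block.group(0).decode(),
            "thumbprint": cert.fingerprint(hashes.SHA1()).hex().upper()}


def acquire_app_token(tenant_id: str, client_id: str, credential: dict) -> str:
    """Client-credentials flow: the app authenticates as itself, no user sign-in."""
    import msal
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=credential)
    result = app.acquire_token_for_client(scopes=[GRAPH_SCOPE])
    if "access_token" not in result:
        raise RuntimeError(f"token request failed: {result.get('error')}: "
                           f"{result.get('error_description')}")
    return result["access_token"]


def run_validation_query(token: str) -> list:
    """Read a few managed devices; a 403 here means consent or permission is wrong."""
    import requests
    resp = requests.get(VALIDATION_URL, headers={"Authorization": f"Bearer {token}"}, timeout=30)
    resp.raise_for_status()
    return [d.get("deviceName") for d in resp.json().get("value", [])]


if __name__ == "__main__":
    cred = certificate_credential(os.environ["INTUNE_APP_CERT_PEM"])
    token = acquire_app_token(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"], cred)
    gap = missing_roles(token, REQUIRED_ROLES)
    if gap:
        sys.exit("admin consent missing for: " + ", ".join(sorted(gap)))
    print("managed devices visible:", run_validation_query(token))
```

Checking the roles claim before calling Graph separates the two failure modes the page warns about: a token that is issued but lacks the role means consent was not granted (or was granted in the wrong tenant), whereas a token that has the role but still gets a 403 points at the query needing a permission beyond the one assigned.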