Issue: Unable to Connect Custom App & Defaulting to Microsoft Graph Command Line Tools #229

Closed
KeysAU opened this issue May 17, 2024 · 9 comments

Comments

@KeysAU

KeysAU commented May 17, 2024

Problem Description

In reference to the documentation provided here: MSALInfo.md, it's highlighted that a custom application can be specified in the Settings.

I am unfortunately encountering issues when trying to connect to a new custom app registration. The application doesn't seem to honour the settings and connect accordingly; rather, it consistently defaults back to "Microsoft Graph Command Line Tools." This has been confirmed via sign-in logs in Entra ID, with the App ID being signed into: 14d82eec-204b-4c2f-b7e8-296a70dab67e

Steps Taken:

I've made changes to the settings and tenant settings as below:

  • App ID: xxxxx-xxxxx-xxxxx-xxxx (my custom app ID)
  • Tenant: xxxx-xxxxx-xxxxx-xxxxx (my tenant)
  • Redirect URL: blank (couldn't find any doco)

Request for Help:

I would appreciate it if you could help test and confirm whether this functionality is still operational. If it is, would you please provide detailed doco, mentioning all the necessary settings that require configuration for setting up a custom app?
Thank you for your attention to this issue.

@Micke-K
Owner

Micke-K commented May 17, 2024

Hello!

I've been away a couple of days. I'll try to write some instructions on the weekend.

I use this myself in one of the test environments. So it should be possible.

Cheers!

@Micke-K
Owner

Micke-K commented May 19, 2024

Hello,

Documentation by Microsoft: Quickstart: Register an application with the Microsoft identity platform

I hope this will get you going:

Go to the Entra Portal

  • Register a new App registration in Entra

  • Note Application Id

  • Add Delegated permissions

    • Microsoft Graph

    • For full support the app requires: DeviceManagementConfiguration.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Application.Read.All, Agreement.ReadWrite.All, DeviceManagementApps.ReadWrite.All, Organization.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All, CloudPC.ReadWrite.All

    • It will also need User.ReadWrite.All, Group.ReadWrite.All, but you could set these to read-only unless you will let the app create Groups.

    • Grant permissions for the environment

  • Go to Authentication

Start the Tool

Restart the Tool

  • Custom app settings are only used during startup

Check log for missing permissions. It will have a line stating: "WARNING: Missing scopes:"

You can add missing permissions in the Tool UI by going to your profile picture and clicking Request Consent. That will only be available if it detects missing permissions. If you feel like the app is adding too many permissions, you can remove them from the App Registration in the Entra portal.

Let me know how you go.

Cheers!
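Scripting the App Registration the comment above walks through, as an added example that is not the tool's own code and was not posted in this thread. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.Applications) and assumes the tool signs in as a public-client desktop app; the display name, the $GroupsWritable switch and the redirect URI value are placeholders or assumptions, since the thread does not state them.

```powershell
# Added example: registers an Entra app with the delegated Graph scopes listed in the thread.
# Requires the Application.ReadWrite.All delegated permission in the home tenant.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$DisplayName    = 'Intune tool (custom app)'    # assumption: any display name works
$RedirectUri    = 'PLACEHOLDER-REDIRECT-URI'    # not given in the thread; take it from the tool's Authentication step
$GroupsWritable = $false                        # $false => read-only User/Group scopes, as the thread suggests

# Delegated scopes the thread lists as required for full support.
$RequiredScopes = @(
    'DeviceManagementConfiguration.ReadWrite.All', 'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess',          'Application.Read.All',
    'Agreement.ReadWrite.All',                     'DeviceManagementApps.ReadWrite.All',
    'Organization.ReadWrite.All',                  'DeviceManagementServiceConfig.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All','DeviceManagementRBAC.ReadWrite.All',
    'CloudPC.ReadWrite.All'
)
if ($GroupsWritable) { $RequiredScopes += 'User.ReadWrite.All', 'Group.ReadWrite.All' }
else                 { $RequiredScopes += 'User.Read.All',      'Group.Read.All' }

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# Resolve scope names to permission ids on the Microsoft Graph service principal
# (well-known appId 00000003-0000-0000-c000-000000000000), so a typo is caught before registering.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$byName  = @{}
foreach ($s in $graphSp.Oauth2PermissionScopes) { $byName[$s.Value] = $s.Id }

$missing = @($RequiredScopes | Where-Object { -not $byName.ContainsKey($_) })
if ($missing.Count -gt 0) { throw "Unknown Graph delegated scope(s): $($missing -join ', ')" }

$resourceAccess = foreach ($name in $RequiredScopes) { @{ Id = $byName[$name]; Type = 'Scope' } }

# Single-tenant public client, as the owner notes an App Registration only covers its own tenant.
$app = New-MgApplication -DisplayName $DisplayName -SignInAudience 'AzureADMyOrg' `
    -PublicClient @{ RedirectUris = @($RedirectUri) } `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = @($resourceAccess) })

"Application (client) Id for the tool's settings: $($app.AppId)"
"Next: grant admin consent in the Entra portal, then restart the tool (custom app settings are read only at startup)."
```

After the restart, the tool's log line "WARNING: Missing scopes:" is the check that the registration actually carries every scope above.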

@KeysAU
Author

KeysAU commented May 19, 2024

You are a legend! Thank you for the quick write up. Will get it tested tomorrow and let you know.

@KeysAU KeysAU closed this as completed May 19, 2024
@KeysAU KeysAU reopened this May 19, 2024
@KeysAU
Author

KeysAU commented May 20, 2024

Thanks @Micke-K - instructions worked perfectly. I was missing the redirect URI in my config.

Graph Permissions:

DeviceManagementConfiguration.ReadWrite.All
Policy.Read.All
Policy.ReadWrite.ConditionalAccess
Application.Read.All
Agreement.ReadWrite.All
DeviceManagementApps.ReadWrite.All
Organization.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementRBAC.ReadWrite.All
CloudPC.ReadWrite.All

Optional:

User.ReadWrite.All
Group.ReadWrite.All

@ItsMly

ItsMly commented Nov 8, 2024

Hey @Micke-K, sorry to reply to an old thread, but I'm having problems with this. I have configured everything as in your comment, but the app always falls back to Graph PowerShell.

Use-Case:
I am logged in with a user of the tenant that only has the Intune Admin role (the created application has all permissions). I'm going to Tenant Settings and setting:

I'm using it with "Tenant Settings" as I log in to multiple Tenants. From the description it should work like this, right? What am I doing wrong? Thank you

@Micke-K
Owner

Micke-K commented Nov 9, 2024

Hello,

No problem!

Not sure that this would work. You can set the App Id in settings but that must be for the home tenant. The authentication will always be for the home tenant and then allow you to change to another tenant.

Also, if you have a custom App for this, is it an Enterprise App with permission in all tenants?
An App Registration would only have access to one tenant.

So you would not be able to authenticate to your home tenant and then swap to another tenant using another app id. That would break the authentication process, since the authentication token is for a specific app.

Could work if you create an Enterprise App and then add it to all tenants.

Cheers!

@CasertaJ

I am having the same issues as above.

Drop-down is empty,
Using the Custom App ID,
Put in the request URI.

I've also attempted to start it using the custom App. The log always points to the Microsoft Intune PowerShell (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) app regardless of what I put in the settings.

@Micke-K
Owner

Micke-K commented Jan 23, 2025

Hello,

Do you do this in Tenant Settings? That is not supported. The reason is that Tenant Settings are only available after login. It will not know which tenant you log in to until you specify the user. App Id is required as a login argument during login.

Cheers!

@CasertaJ

Hello,

Do you do this in Tenant Settings? That is not supported. The reason is that Tenant Settings are only available after login. It will not know which tenant you log in to until you specify the user. App Id is required as a login argument during login.

Cheers!

Turns out I needed to clear the cached login for it to recognize the client app setting.


4 participants