This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.
Beginning in January 2022, the Microsoft Intune “serviceEndpoints” API will require specific permissions for all Azure Active Directory (Azure AD) Applications that call one of the following serviceEndpoints:
https://graph.windows.net/servicePrincipals/0000000a-0000-0000-c000-000000000000/serviceEndpoints
https://graph.microsoft.com/v1.0/servicePrincipals/0000000a-0000-0000-c000-000000000000/serviceEndpoints
These serviceEndpoints will need to have assigned one of the following API permissions:
- Application.Read.All
- Application.ReadWrite.All
- Application.OwnedBy
- Directory.Read.All
The preferred and most secure API permission is Application.Read.All.
Customers have requested Azure AD make this change to provide more granular permissions and roles in Azure AD. As part of the effort, the team reviewed the delegated and application permissions for endpoints and will require one of four permissions for an API call that Independent Software Vendors (ISV) integrated solutions often use. As part of our Intune ISV integration guidance documentation, many references include information about using the “serviceEndpoints” API for Intune.
Not a partner? Skip to how this may affect you as a customer under: Appendix C: Adding a New Permission to a Single Tenant Application (For Customers).
How does this affect you as a partner who has Intune integration?
If your solution makes the /servicePrincipals API call (listed above) to retrieve tenant specific service endpoints for Intune, this may affect you. Based on documentation that Microsoft has shared with partners, we expect this to apply to partners that integrate with Intune for the following scenarios:
- Telecom Expense Management
- Mobile Threat Defense
- Network Access Control
- 3rd Party Device Compliance
- SCEP Services
Please review the below to take the necessary steps to apply the permissions needed as applicable.
Applying permissions
Ensure that your Azure AD Application includes one of the required permission scopes:
- Application.Read.All
- Application.ReadWrite.All
- Application.OwnedBy
- Directory.Read.All
No further action is required if one of the listed permission scopes are in effect. See: Appendix A: Verify API Permissions for instructions on how to verify permission scopes.
For multi-tenant application: If you are a partner who has created a multi-tenant application for your Intune integration, verify the API permissions in . If your application does not have one of the four listed permissions, you must update your application’s permissions by following instructions described in Appendix B: Add Permissions to a Multi-Tenant App. Then, customers must consent to the new permissions as described in Appendix D: Granting Admin Consent to New Permissions.
For single tenant applications: If you are a partner who has instructed your customers to create their own app registration as a single-tenant application, your customers need to confirm required permissions are in effect. Instruct your customers to follow steps in Appendix A: Verify API Permissions and then if permissions are required to be added, instruct your customers to follow steps in Appendix C: Adding a New Permission to a Single Tenant Application and Appendix D: Granting Admin Consent to New Permissions.
IMPORTANT NOTE: For all newly added permissions (whether it’s single-tenant or multi-tenant), a required consent is needed from your customers. Microsoft recommends you send a change notification to your customers about this new permissions requirement so they can plan appropriately. See Appendix D: Granting Admin Consent to New Permissions that describe the steps for consent.
How does this affect you as a customer who has Intune integration?
If you have a solution that makes the /servicePrincipals API call (listed above) to retrieve tenant specific service endpoints for Intune, this may affect you. Based on documentation that Microsoft has shared with partners, we expect this to apply to partners that integrate with Intune for the following scenarios:
- Telecom Expense Management
- Mobile Threat Defense
- Network Access Control
- 3rd Party Device Compliance
- SCEP Services
If you have received guidance from the partner with which you have an integrated solution, follow that guidance. If you have not received guidance from your partner, but want to verify that you are ready for the change, then:
- Follow the instructions in Appendix A: Verify API Permissions.
If your permissions are set correctly, you are done. - If your permissions need to be added, follow the steps in Appendix C: Adding a New Permission to a Single Tenant Application (For Customers) and then follow the steps in Appendix D: Granting Admin Consent to New Permissions (For Customers).
Appendix A: Verify API Permissions
To verify the assigned permissions for your multi-tenant application.
- Open the Azure Portal for Azure AD https://portal.azure.com.
- Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your multi-tenant application.
- Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps and select the multi-tenant application that needs permission verification.
Select API Permissions and verify that your application contains the correct API permissions for both Azure AD Graph and Microsoft Graph (one of the below):
• Application.Read.All (preferred)
• Application.ReadWrite.All
• Application.OwnedBy
• Directory.Read.All
Appendix B: Add Permissions to a Multi-Tenant App (for Partners)
To add permissions to your multi-tenant application.
- Open the Azure Portal for Azure AD https://portal.azure.com.
- Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your multi-tenant application.
- Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps and select the multi-tenant application that needs updated permissions.
- Select API Permissions and verify that your application contains the correct API permissions. In this example, one of the required permissions is missing. (Application.Read.All) for Microsoft Graph and for Azure AD Graph. Both permissions are needed.
- Select Add a permission.
-
Choose Microsoft Graph.
- Select Application permissions.
- Select "Application.Read.All" and click Add permissions.
- Select Add a permission
- Scroll down to choose Azure AD Graph
- Choose Application permissions: and select “Application.Read.All” and click Add permissions.
Your application permissions are now updated. Any customers who have registered your application in their tenant will need to consent to the new permissions.
Appendix C: Adding a New Permission to a Single Tenant Application (For Customers)
If your customer registers your application as a single tenant application within their tenant, they will need to add the permission themselves.
- Open the Azure Portal for Azure AD https://portal.azure.com.
- Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your single tenant application.
- Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps.
- Select the single-tenant application that needs permission verification.
- Select API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Select Application permissions.
- Expand Application and choose "Application.Read.All" and choose Add permissions.
- Select Add a permission.
- Scroll down to choose Azure AD Graph.
- Choose Application permissions and select “Application.Read.All” and click Add permissions.
- Click “Grant admin consent for <tenant>” and choose “Yes”.
- Verify that the permissions are granted for your tenant.
Appendix D: Granting Admin Consent to New Permissions (For Customers)
For customers who have previously registered your application in their tenant, they will now need to consent to the new permissions that you added to your multi-tenant application. These are the instructions for customers to consent to the new permission:
- Open the Azure Portal for Azure AD https://portal.azure.com.
- Authenticate as a user with Global Administrator permissions to manage Azure AD applications in the tenant.
- Navigate to your list of enterprise apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/.
- Search for the application that was registered for the Intune integration.
- Select the application to view the Overview.
- Select Permissions.
- Click Grant admin consent for <tenant name>.
- Authenticate as a user with Global Administrator permissions.
- Accept the updated permissions for the application.
- Verify the consent was successful
Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.
Post updates:
6/15/21: updated with additional screenshots.