# App Registration Setup
Before Intune Commander can connect to your tenant, you need an Entra ID app registration with the appropriate Microsoft Graph permissions. The permission type depends on the authentication method you choose:
- Interactive Browser or Device Code → add Delegated permissions
- Client Secret → add Application permissions
## Commercial tenants
- Sign in to Microsoft Entra and navigate to App registrations → New registration.
- Give it a name (e.g. IntuneCommander).
- Under Supported account types, select Accounts in this organizational directory only.
- Under Redirect URI, choose Mobile and desktop applications and enter `http://localhost:45132` (the same redirect URI is used for every cloud, see the Government clouds section).
- Click Register.
## Add Graph permissions
### Interactive Browser / Device Code (Delegated permissions)
- In your new app registration, go to API permissions → Add a permission → Microsoft Graph → Delegated permissions.
- Add the following permissions:
| Permission | Purpose |
|---|---|
| DeviceManagementConfiguration.ReadWrite.All | Device Configs, Compliance, Settings Catalog, Endpoint Security |
| DeviceManagementScripts.ReadWrite.All | Device Health Scripts, Mac Custom Attributes |
| DeviceManagementApps.ReadWrite.All | Applications, App Protection Policies, Policy Sets |
| DeviceManagementServiceConfig.ReadWrite.All | Enrollment, Autopilot, Branding, Terms & Conditions |
| DeviceManagementRBAC.ReadWrite.All | Roles, Scope Tags |
| DeviceManagementManagedDevices.Read.All | Device Categories |
| Policy.ReadWrite.ConditionalAccess | Conditional Access Policies |
| Agreement.ReadWrite.All | Terms of Use |
| Organization.Read.All | Azure Branding (org ID resolution) |
| OrganizationalBranding.ReadWrite.All | Azure Branding |
| Group.Read.All | Group lookup |
| GroupMember.Read.All | Group member enumeration |
| CloudPC.ReadWrite.All | Windows 365 Cloud PC (requires W365 licence) |
- Click Grant admin consent for your tenant.
### Client Secret (Application permissions)
Note: Client Secret authentication uses an app-only (non-delegated) flow. You must add Application permissions — not Delegated — or the connection will fail.
- In your new app registration, go to API permissions → Add a permission → Microsoft Graph → Application permissions.
- Add the following permissions:
| Permission | Purpose |
|---|---|
| DeviceManagementConfiguration.ReadWrite.All | Device Configs, Compliance, Settings Catalog, Endpoint Security |
| DeviceManagementScripts.ReadWrite.All | Device Health Scripts, Mac Custom Attributes |
| DeviceManagementApps.ReadWrite.All | Applications, App Protection Policies, Policy Sets |
| DeviceManagementServiceConfig.ReadWrite.All | Enrollment, Autopilot, Branding, Terms & Conditions |
| DeviceManagementRBAC.ReadWrite.All | Roles, Scope Tags |
| DeviceManagementManagedDevices.Read.All | Device Categories |
| Policy.ReadWrite.ConditionalAccess | Conditional Access Policies |
| Agreement.ReadWrite.All | Terms of Use |
| Organization.Read.All | Azure Branding (org ID resolution) |
| OrganizationalBranding.ReadWrite.All | Azure Branding |
| Group.Read.All | Group lookup |
| GroupMember.Read.All | Group member enumeration |
| CloudPC.ReadWrite.All | Windows 365 Cloud PC (requires W365 licence) |
- Click Grant admin consent for your tenant.
- Under Certificates & secrets → New client secret, create a secret and copy the value — you will enter this in the Intune Commander profile.
Note: for a complete breakdown of every permission and which service uses it, see the Graph Permissions reference.
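A quick way to confirm that the token you were issued carries the permission type your authentication method needs (the Delegated-versus-Application mix-up that makes the connection fail) is to inspect its claims before connecting. The following Python is an added example, not code from Intune Commander or this page; the `auth_method` strings and the `make_unsigned_token` helper are assumptions for local demonstration only.

```python
import base64
import json

# Permissions from the tables on this page; the names are the same for the
# Delegated and Application permission types.
REQUIRED_PERMISSIONS = {
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementScripts.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementRBAC.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Agreement.ReadWrite.All",
    "Organization.Read.All",
    "OrganizationalBranding.ReadWrite.All",
    "Group.Read.All",
    "GroupMember.Read.All",
    "CloudPC.ReadWrite.All",
}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Reads the payload only; the signature is NOT verified, so this is a
    # diagnostic for the token you were issued, not a way to trust one.
    return json.loads(_b64url_decode(token.split(".")[1]))

def granted_permissions(token: str, auth_method: str) -> set[str]:
    # Delegated tokens (Interactive Browser / Device Code) carry permissions
    # in the space-separated 'scp' claim; app-only tokens (Client Secret)
    # carry them in the 'roles' claim. A client-secret token from an app that
    # only has Delegated grants is valid but has no 'roles', hence the failure.
    claims = jwt_claims(token)
    if auth_method == "client_secret":
        return set(claims.get("roles", []))
    return set(claims.get("scp", "").split())

def missing_permissions(token: str, auth_method: str) -> set[str]:
    # Permissions from the table that this token does not carry.
    return REQUIRED_PERMISSIONS - granted_permissions(token, auth_method)

def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned JWT for local demonstration only (not a real token).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `missing_permissions(token, "client_secret")` or `missing_permissions(token, "interactive")` on the access token your sign-in returned; an empty set means every permission in the table is present for that flow.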
## Government clouds (GCC-High / DoD)
Government clouds require separate app registrations in their own portals.
| Cloud | Portal |
|---|---|
| GCC | portal.azure.com (same as Commercial) |
| GCC-High | portal.azure.us |
| DoD | portal.apps.mil |
The steps are identical — register in the cloud-specific portal and use the same redirect URI (http://localhost:45132).
## Next steps
With an app registration ready, add your first profile in Intune Commander.