In this Microsoft Entra Identity API post, I will show you how to create an App Registration for Microsoft Entra.
Microsoft Entra is Microsoft's identity and access management service (formerly known as Azure AD).
Since the inception of Microsoft Azure and Microsoft 365, Entra (Azure AD) has been the underlying service that handles authentication and access for both.
In recent years, Microsoft expanded Azure AD beyond an authentication and authorization service and rebranded it to reflect the broader scope.
Under the Entra brand, Azure Active Directory is now called Entra ID.
With the Entra API (part of Microsoft Graph), we can create and manage Entra resources over REST using the standard HTTP methods GET, POST, PUT, PATCH and DELETE.
To call Microsoft Graph without a signed-in user, we must configure an App Registration. The service principal behind it acts as a service account for application (daemon) access.
An App Registration is like a service account that is granted exactly the permissions it needs on Intune, Entra ID or other Graph-exposed services in order to perform administrative tasks.
This post focuses on creating an App Registration with just enough permissions to create an Entra ID administrative unit through the Graph API, following the same approach as the previous article.
Create an App Registration for Microsoft Entra API
To create an App Registration, sign in to the Azure portal with a user that has sufficient permissions (for example Application Administrator) and open Microsoft Entra ID.
From the Manage menu, click App registrations.
Click New registration and use the following details.
- Name – a descriptive name for the App Registration
- Supported account types – Accounts in this organizational directory only (single tenant)
- Click Register
After you create the App Registration, copy the following details from its Overview page:
- Application (client) ID
- Object ID
- Directory (tenant) ID
From the Manage menu, click API permissions.
This part gives the application access to perform specific tasks. Note that Microsoft Graph has no single wildcard permission that grants full admin rights to every service; each API call documents the permissions it accepts, and you should grant only the least privileged one that works.
Click Add a permission.
From the API list, select Microsoft Graph.
On the permission type page, click Application permissions (the app calls Graph as itself, without a signed-in user, so Delegated permissions do not apply).
To find the right permissions for a specific API call, look up that call in the Microsoft Graph reference. For this post the call is Create administrativeUnit, which creates an Entra ID administrative unit.
The reference page lists, under Application permissions, that the call needs AdministrativeUnit.ReadWrite.All.
Now that we know which permission we need, we can search for it and select it on the Application permissions page, as shown below.
After adding all the permissions you need, click Grant admin consent for <your tenant> on the Configured permissions screen.
Admin consent is mandatory for application permissions: no user ever signs in to approve them, so a Global Administrator or Privileged Role Administrator must grant them for the tenant. Until the Status column shows a green "Granted" check mark, the token you obtain will not carry the permission.
Click Yes to confirm the consent.
Use Entra App Registration with Entra API
At this stage, we have all the permissions we need, and it's time to put everything to the test.
I will use the Postman REST API client to test the App Registration and create an administrative unit.
In Postman, create the following variables (a collection or environment scope works).
Variable | Value |
tenant | the Directory (tenant) ID |
client_id | the Application (client) ID |
scope | https://graph.microsoft.com/.default |
client_secret | the client secret value |
grant_type | client_credentials |
objectid | the Object ID (not used by the requests in this post) |
The client secret does not exist yet: on the App Registration, open Certificates & secrets, add a new client secret and copy its Value immediately, because the portal shows it only once. Treat it like a password; anyone holding it can act with every permission consented to the app.
Below, you can see how the variables look in Postman (values are hidden).
Add the variables and save.
Create Access Token
The last step before connecting to Graph API is obtaining an access token. The token is short-lived (typically about an hour; the expires_in field in the response gives the exact lifetime in seconds) and must be requested again after it expires.
To obtain an access token, create the following POST request. The body type is x-www-form-urlencoded and carries the client_id, client_secret, scope and grant_type variables.
POST https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/token
Make sure the request inherits the variables we set and click Send.
The response will look like this. Copy the value of access_token (the string between the double quotes).
After you copy the token, paste it into the Authorization tab (type Bearer Token) of a folder or of a new request. In my case, I have all the Graph requests under one folder, and I'm adding it at the folder level so every request inherits it.
Create an Administrative Unit With Entra API
We are finally ready to create an administrative unit.
Create a new POST request with the following details. Set the Content-Type header to application/json (Postman does this when you choose Body → raw → JSON).
Request type | POST |
Endpoint | https://graph.microsoft.com/beta/administrativeUnits |
Body (JSON) | { "displayName": "CyberSecurity Admins", "description": "Administrative unit for team members of the Cybersecurity department", "membershipType": "Dynamic", "membershipRule": "(user.country -eq \"United States\")", "membershipRuleProcessingState": "On" } |
The request has the endpoint URL and the JSON body. Note that membershipRule and membershipRuleProcessingState only apply when membershipType is Dynamic; for an Assigned unit, omit both and add members afterwards. On the v1.0 endpoint the same call is POST https://graph.microsoft.com/v1.0/directory/administrativeUnits. A successful call returns HTTP 201 Created with the new unit, including its id.
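The same procedure as a script rather than a Postman collection, as an added example that is not part of the original post: it requests a client-credentials token, checks the token's roles claim for AdministrativeUnit.ReadWrite.All (the consented application permission shows up there), creates the administrative unit, and refreshes the token once if Graph answers with the InvalidAuthenticationToken error shown under Troubleshooting. Real calls go through the standard-library urllib transport; FakeTransport, the JWT it hands out and the tenant, client and secret strings are constructed stand-ins so the script runs offline, and the JWT decoding is for inspection only and does not verify the signature.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
LOGIN = "https://login.microsoftonline.com"
REQUIRED_ROLE = "AdministrativeUnit.ReadWrite.All"  # from the Graph reference for Create administrativeUnit


def http_post(url, body, headers):
    """Real transport: HTTP POST, returns (status, decoded JSON body). Not used offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def jwt_claims(token):
    """Decode a JWT payload for inspection only; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class GraphClient:
    """Client-credentials caller with token caching, early renewal and one retry on expiry."""

    def __init__(self, tenant, client_id, client_secret, post=http_post, clock=time.time):
        self.tenant, self.client_id, self.client_secret = tenant, client_id, client_secret
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Reuse the cached token unless it expires within 5 minutes; expires_in is authoritative.
        if self._token and self._clock() < self._expires_at - 300:
            return self._token
        form = urllib.parse.urlencode({
            "client_id": self.client_id, "client_secret": self.client_secret,
            "scope": f"{GRAPH}/.default", "grant_type": "client_credentials"}).encode()
        status, body = self._post(f"{LOGIN}/{self.tenant}/oauth2/v2.0/token", form,
                                  {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {body.get('error_description')}")
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])
        return self._token

    def has_role(self, role):
        """Admin-consented application permissions appear in the token's roles claim."""
        return role in jwt_claims(self.token()).get("roles", [])

    def create_administrative_unit(self, display_name, description, rule=None):
        payload = {"displayName": display_name, "description": description,
                   "membershipType": "Dynamic" if rule else "Assigned"}
        if rule:  # a membership rule only makes sense for a dynamic unit
            payload.update(membershipRule=rule, membershipRuleProcessingState="On")
        for _ in range(2):
            status, body = self._post(f"{GRAPH}/beta/administrativeUnits", json.dumps(payload).encode(),
                                      {"Authorization": f"Bearer {self.token()}",
                                       "Content-Type": "application/json"})
            if status == 401 and body.get("error", {}).get("code") == "InvalidAuthenticationToken":
                self._token = None  # expired or rejected: drop the cache and fetch a fresh one
                continue
            if status != 201:
                raise RuntimeError(f"create failed: {status} {body.get('error')}")
            return body
        raise RuntimeError("token rejected twice; check the App Registration and admin consent")


# ---- Constructed offline stand-in for both endpoints (not a real tenant, token or unit id) ----
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


FAKE_TOKEN = _b64url({"alg": "none"}) + "." + _b64url({"roles": [REQUIRED_ROLE]}) + ".sig"


class FakeTransport:
    """First Graph call answers 401 InvalidAuthenticationToken (as in Troubleshooting), then 201."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, body, headers):
        self.calls.append(url)
        if "/oauth2/v2.0/token" in url:
            return 200, {"access_token": FAKE_TOKEN, "expires_in": 3600, "token_type": "Bearer"}
        if self.calls.count(f"{GRAPH}/beta/administrativeUnits") == 1:
            return 401, {"error": {"code": "InvalidAuthenticationToken",
                                   "message": "Lifetime validation failed, the token is expired."}}
        return 201, {"id": "00000000-0000-0000-0000-000000000000", **json.loads(body)}


def demo(transport=None):
    """Run the full flow; returns the created unit and the list of URLs called."""
    transport = transport or FakeTransport()
    client = GraphClient("tenantid", "client_id", "client_secret", post=transport)
    if not client.has_role(REQUIRED_ROLE):
        raise SystemExit(f"token lacks {REQUIRED_ROLE}; grant admin consent first")
    unit = client.create_administrative_unit(
        "CyberSecurity Admins", "Administrative unit for the Cybersecurity department",
        rule='(user.country -eq "United States")')
    return unit, transport.calls


if __name__ == "__main__":
    created, calls = demo()
    print(created["displayName"], created["membershipType"], len(calls), "requests")
```

To run it against a real tenant, construct GraphClient with your tenant ID, client ID and secret and leave post at its default; the roles check is worth keeping, since a token obtained before admin consent was granted is accepted by the token endpoint but carries no roles claim and fails at Graph with a 403 rather than a 401.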
Troubleshooting
If you get the following error message (HTTP 401), your token has expired and you must request a new one from the token endpoint and update the Authorization tab.
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Lifetime validation failed, the token is expired.",
"innerError": {
"date": "2024-05-17T02:44:10",
"request-id": "519c17db-dcfb-43c9-ae25-e582ff1baf8e",
"client-request-id": "519c17db-dcfb-43c9-ae25-e582ff1baf8e"
}
}
}
Conclusion
In this post, I showed the end-to-end process of creating an Entra ID App Registration with enough permissions to create an Entra ID Administrative Unit.