IntuneGet Logo
IntuneGet
Documentation

Entra ID Setup

Configure Microsoft Entra ID to enable user authentication and Intune API access for IntuneGet.

Overview

IntuneGet uses a multi-tenant app registration that allows users from any Microsoft 365 organization to:

  • Sign in with their work account
  • Grant admin consent for app deployment permissions
  • Deploy applications to their Intune tenant

Create App Registration

1

Navigate to App Registrations

  1. Go to Azure Portal
  2. Navigate to Microsoft Entra ID (you can search for it)
  3. Click App registrations in the left menu
  4. Click New registration
2

Configure Registration Settings

Fill in the registration form:

SettingValue
NameIntuneGet (or your preferred name)
Supported account typesAccounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
Redirect URI (type)Single-page application (SPA)
Redirect URI (value)http://localhost:3000 (for development)

Click Register to create the app.

3

Add Production Redirect URI

After registration, add your production URL:

  1. Go to Authentication in the left menu
  2. Under Single-page application, click Add URI
  3. Add your production URL (e.g., https://your-app.vercel.app)
  4. Click Save

Exact URL Match Required

The redirect URI must match exactly - including the protocol (https://) and without a trailing slash.

4

Configure API Permissions

IntuneGet requires two types of permissions:

Delegated Permissions (User Sign-in)

  1. Go to API permissions in the left menu
  2. Click Add a permission
  3. Select Microsoft Graph
  4. Select Delegated permissions
  5. Search and add: User.Read
  6. Click Add permissions

Application Permissions (Service Principal)

  1. Click Add a permission again
  2. Select Microsoft Graph
  3. Select Application permissions
  4. Search and add: DeviceManagementApps.ReadWrite.All
  5. Search and add: DeviceManagementManagedDevices.Read.All
  6. Click Add permissions

Your permissions should look like this:

PermissionTypeStatus
User.ReadDelegatedGranted for your org
DeviceManagementApps.ReadWrite.AllApplicationRequires admin consent
DeviceManagementManagedDevices.Read.AllApplicationRequires admin consent
5

Create Client Secret

  1. Go to Certificates & secrets in the left menu
  2. Click New client secret
  3. Add a description: IntuneGet Production
  4. Select expiration (recommend: 24 months)
  5. Click Add
  6. Immediately copy the secret value - it won't be shown again!

Copy the Secret Now!

The client secret value is only shown once. If you navigate away without copying it, you'll need to create a new one.

Collect Required Values

After setup, collect these values for your environment configuration:

ValueLocationEnvironment Variable
Application (client) IDOverview pageNEXT_PUBLIC_AZURE_AD_CLIENT_ID
Client secretCertificates & secretsAZURE_CLIENT_SECRET

Admin Consent Flow

When users from other organizations use IntuneGet, a Global Administrator from their tenant must grant consent for the application permissions.

How Admin Consent Works

  1. User signs in to IntuneGet
  2. IntuneGet checks if admin consent was granted
  3. If not, user sees instructions to request consent
  4. Global Admin visits the consent URL
  5. Admin reviews and grants permissions
  6. User can now deploy apps

Admin Consent URL Format

text
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}&redirect_uri={redirect-uri}

Example:

text
https://login.microsoftonline.com/contoso.onmicrosoft.com/adminconsent?client_id=12345678-1234-1234-1234-123456789abc&redirect_uri=https://your-app.vercel.app

Security Recommendations

Rotate secrets regularly

Set calendar reminders before expiration. Rotate every 12-24 months.

Use separate registrations

Create separate apps for dev/staging/production environments.

Monitor sign-ins

Review sign-in logs in Entra ID periodically for suspicious activity.

Limit admin consent

Educate admins about what permissions they're granting.

Common Issues

AADSTS50011: Reply URL does not match

Your redirect URI doesn't match what's configured:

  • Check the exact URL (including trailing slashes)
  • Verify it's added as a SPA redirect, not Web

AADSTS65001: User or admin has not consented

Admin consent hasn't been granted:

  • Direct the admin to the consent URL
  • Ensure they're using a Global Administrator account
  • Verify they click "Accept" on the consent screen

Invalid client secret

The client secret is wrong or expired:

  • Check AZURE_CLIENT_SECRET matches the secret in Azure
  • Verify the secret hasn't expired
  • Create a new secret if needed

Next Steps

Now that Entra ID is configured, continue with the database setup.

Continue to Database Setup