Intune Configuration

SoftwareCentral is compliant with Microsoft Intune® App Protection Policies and build on top of the Microsoft Graph API.

 

This guide describes how to configure SoftwareCentral to connect to Microsoft Intune.

SoftwareCentral connects to Microsoft Intune via the Microsoft Graph API. This is done by creating an App Registration in the Intune portal and linking this App Registration to your SoftwareCentral installation.

 

SoftwareCentral can authenticate in two different ways.

Authenticate as application

Users of SoftwareCentral gets direct access to Intune and do their accounts do not need access to Intune. Note that you are responsible for having Intune licenses for your users.

SoftwareCentral accesses Intune as an application. A service account that SoftwareCentral can use to access Intune on behalf of is also required.

The service account is used to retrieve data that the application is unable to. For instance is the device action log only available to users.

You can grant users access to Intune interfaces and delegate resources with the SoftwareCentral Security Roles.

 

Authenticate as user

Users of SoftwareCentral must sign in with their Microsoft Account in SoftwareCentral to access devices and applications from Intune.

SoftwareCentral gets access to Intune on behalf of the signed in user, meaning that SoftwareCentral itself does not have access to Intune.

You can grant users access to Intune interfaces with the SoftwareCentral Security Roles, but access to the resources are managed from the Intune portal.

 

If you have not configured SoftwareCentral to run with https, this is highly recommended before you proceed.

 

Your SoftwareCentral installation needs to authenticate against Intune. To do this a SSL certificate is required.

You can create a self-signed certificate directly from SoftwareCentral or acquire your own certificate from your preferred certificate authority.

 

You will need a .pfx file with the certificate and the private key.

You will also need a .cer file with the certificate and only the public key, not the private key.

 

SoftwareCentral can create a self-signed certificate from Settings -> Settings -> General Settings -> Intune Configuration -> Generate self-signed certificate.

When you click on the "Generate self-signed certificate", you will be prompted for a password. Enter a strong password for the certificate and save this password.

A certificate file named "UploadToIntune_SoftwareCentral.cer" will be downloaded. This is the certificate you upload to Intune later in this guide. The certificate itself with the private key is stored in the SoftwareCentral installation folder under "Uploads\Certifcates\StoreLocally_SoftwareCentral.pfx".

Once you have downloaded the certificate file, click on the "Save Settings" button, to save the certificate path and password.

 

You need to setup an Azure Active Directory Application Registration in your Azure Portal to allow SoftwareCentral to connect to your Intune.

Intune is in constant development, so the screenshots from Intune may be different from the ones you see in your portal. But the concepts are the same.

Go to the Azure Portal -> Azure Active Directory -> App registrations -> New registration:

 

Give your Application Registration a name.

Under Supported account types, select Multitenant.

Under Redirect URI, enter the address you use to access SoftwareCentral.

Click "Register" to save:

 

The Application Registration will now be created and opened. On the overview page, note the Application and Directory ID. They will be needed later during the setup.

 

Go to the Authentication (1) tab.

If you have additional SoftwareCentral installations, which will use the same app registration in Azure, with different redirect URI's, you can add them under Redirect URIs (2).

Add your first Redirect URI in the Logout URL (3).

Under Implicit grant, check "ID tokens" (4).

Click Save (5). 

 

Next you must go to "Certificates and secrets" and upload the .cer file:

If you have generated the certificate through SoftwareCentral, then this is the certificate file named "UploadToIntune_SoftwareCentral.cer" that you downloaded earlier from SoftwareCentral.

 

You must now grant permissions for the application. Go to "API permissions" and click on "Add a permission":

 

Select "Microsoft Graph":

 

SoftwareCentrals can call Intune as an application and on behalf of a user.

If you authenticate as a user, you only need to select delegated permissions.

If you choose to authenticate as an application, you need both delegated and application permissions.

For a complete list of required permissions, click here.

 

Select the required permissions and click on "Add permissions".

Note that the permissions email, offline_access, openid and profile are required to sign in.

 

 

When the permissions have been added, you must wait until they are ready for consent:

 

It is required to grant admin consent for the newly added permissions. You must do this every time you change the permissions. Click on the "Grant admin consent for ...." button or get an administrator with the required permissions to log into the Azure Portal and grant the consent.

 

When you grant admin consent, a login prompt will open. Login with an administrator account. Then verify the permissions and click "Accept":

After the consent has been given, wait a few minutes before you continue.

If you use "Authenticate as user", your users must also be granted access to their resources in Intune. If you use "Authenticate as application", the service account must be granted access to the resources you wish to manage through SoftwareCentral.

 

Now you must go to the SoftwareCentral console. Open Settings -> Settings -> Intune Configuration:

1. Check the "Enable Intune integration" checkbox at the top.

2. Enter you Client (Application) ID.

3. Enter your Tenant (Directory) ID.

4. Enter your Redirect URI.

5. Enter the path to your certificate pfx file with the private key. Note that the SoftwareCentral service account (App pool user) must have read and access to this directory.

6. Enter the password for your certificate pfx file. The password is saved encrypted in the SoftwareCentral database.

7. Choose how SoftwareCentral authenticates against Intune.

         Authenticate as application: Here SoftwareCentral will always be connected to Intune. Authentication is handled by the application (SoftwareCentral) and users do not have to sign in. Devices and applications are delegated via the Security Roles in SoftwareCentral.

         Authenticate as user: Here each user must sign in to Intune. If you use single sign on, users can access Intune resources directly. Otherwise users will have to sign in with their Microsoft account. Devices and applications are delegated to your users through the Intune portal.

8. If you use "Authenticate as application", a service account is also required. The service account must be a user with access to the required resources. The service account is used to read certain data, which is only available to users, but not to applications. This is for instance be the device action log where you can retrieve the passcode for a device.

9. Enter the password for the service account. Note that this is only required if you use "Authenticate as application".

 

Click on the "Save Settings" button.

 

Your users are now ready to sign in to SoftwareCentral to manage Intune resources.

If you use "Authenticate as user", your users will now see an additional button in the lower left menu on all pages in SoftwareCentral:

 

When a user clicks on that button, the user will be redirect to https://login.microsoftonline.com/.

When the users have signed in with their work account, they will be redirected back to SoftwareCentral.

From there they will now be able to manage those Intune resources they have permission to see and manage.

 

If you use "Authenticate as application", you can now delegate devices to your users for each security role.

 

If you want your users to automatically sign in, when you use "Authenticate as users", they can either access SoftwareCentral via a direct link: https://Your-SofttwareCentral-Address/Intune

Or you can set the default document of the SoftwareCentral web site to "Intune" instead of "default.aspx":

 

 

 

See Also

Status

 

 


© Copyright - SoftwareCentral

https://softwarecentral.cloud/help