
Azure AD App Registration

Intune Commander requires an Azure AD (Entra ID) app registration to authenticate and access Microsoft Graph API. This guide provides step-by-step instructions for creating app registrations in each cloud environment.
You need separate app registrations for each cloud environment because Commercial, GCC-High, and DoD use different Azure portals and authentication endpoints.

Cloud Environment Overview

Intune Commander supports four Microsoft cloud environments:
Cloud       Azure Portal               Graph Endpoint                   Authority Host
Commercial  https://portal.azure.com   https://graph.microsoft.com      AzurePublicCloud
GCC         https://portal.azure.com   https://graph.microsoft.com      AzurePublicCloud
GCC-High    https://portal.azure.us    https://graph.microsoft.us       AzureGovernment
DoD         https://portal.apps.mil    https://dod-graph.microsoft.us   AzureGovernment
Commercial and GCC environments use the same portal and endpoints. GCC-High and DoD require separate portals and have isolated authentication infrastructure.

Commercial & GCC Cloud Registration

Use these steps for both Commercial and GCC environments.
Step 1: Navigate to Azure Portal

Open the Azure Portal: https://portal.azure.com. Sign in with an account that holds at least the Application Administrator or Global Administrator role.
Step 2: Create new app registration

  1. Navigate to Azure Active Directory (or Microsoft Entra ID)
  2. Select App registrations from the left navigation
  3. Click + New registration
Step 3: Configure basic settings

Fill in the registration form:
  • Name: IntuneCommander-Prod (or any descriptive name)
  • Supported account types: Select one of:
    • “Accounts in this organizational directory only” (single tenant)
    • “Accounts in any organizational directory” (multi-tenant, if needed)
  • Redirect URI:
    • Platform: Mobile and desktop applications
    • URI: http://localhost:45132
Click Register.
Step 4: Note the application details

On the app registration overview page, copy and save:
  • Application (client) ID: A GUID like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • Directory (tenant) ID: A GUID like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
You’ll need these values when configuring Intune Commander profiles.
Step 5: Add API permissions

  1. Click API permissions in the left navigation
  2. Click + Add a permission
  3. Select Microsoft Graph
  4. Choose Delegated permissions
  5. Add the following permissions:
Device Management:
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • DeviceManagementApps.ReadWrite.All
Identity & Access:
  • Policy.Read.All
  • Policy.ReadWrite.ConditionalAccess
  • Application.Read.All
Directory & Groups:
  • Directory.Read.All
  • Group.Read.All
  • GroupMember.Read.All
Click Add permissions after selecting all permissions.
Step 6: Grant admin consent

  1. Click Grant admin consent for [Your Organization]
  2. Confirm by clicking Yes in the dialog
  3. Wait for the status to update
  4. Verify all permissions show “Granted” in the Status column
Step 7: (Optional) Create client secret

If you plan to use Client Secret authentication instead of interactive browser:
  1. Click Certificates & secrets in the left navigation
  2. Click + New client secret
  3. Add a description: IntuneCommander-Secret
  4. Choose an expiration period (e.g., 12 months, 24 months)
  5. Click Add
  6. Immediately copy the secret Value — you cannot retrieve it later!
  7. Store the secret securely (e.g., password manager, Azure Key Vault)
Client secrets expire! Set a calendar reminder to rotate the secret before expiration. When the secret expires, authentication will fail until you create a new secret and update your profiles.

GCC-High Cloud Registration

GCC-High environments use a separate Azure portal and authentication infrastructure.
Step 1: Navigate to Azure Government Portal

Open the Azure Government portal: https://portal.azure.us. Sign in with your GCC-High credentials (typically a .us domain account).
Step 2: Create new app registration

  1. Navigate to Azure Active Directory
  2. Select App registrations
  3. Click + New registration
Step 3: Configure basic settings

  • Name: IntuneCommander-GCCHigh
  • Supported account types: “Accounts in this organizational directory only”
  • Redirect URI:
    • Platform: Mobile and desktop applications
    • URI: http://localhost:45132
Click Register.
Step 4: Note the application details

Copy and save:
  • Application (client) ID
  • Directory (tenant) ID
Step 5: Add Microsoft Graph permissions

Follow the same permission setup as Commercial/GCC:
  1. API permissions → Add a permission → Microsoft Graph
  2. Delegated permissions
  3. Add all permissions listed in the Commercial section
  4. Click Add permissions
Step 6: Grant admin consent

Click Grant admin consent for [Your Organization] and confirm.
Step 7: (Optional) Create client secret

If using Client Secret authentication:
  1. Certificates & secrets → + New client secret
  2. Add description and expiration
  3. Copy the secret Value immediately
  4. Store securely
GCC-High app registrations are completely separate from Commercial registrations. You cannot use a Commercial app registration to authenticate against GCC-High endpoints.

DoD Cloud Registration

DoD environments require registration in the DoD Azure portal.
Step 1: Navigate to DoD Azure Portal

Open the DoD Azure portal: https://portal.apps.mil. Sign in with your DoD credentials.
Access to the DoD portal requires appropriate DoD credentials and network access. Contact your DoD Azure administrator if you cannot access the portal.
Step 2: Create new app registration

  1. Navigate to Azure Active Directory
  2. Select App registrations
  3. Click + New registration
Step 3: Configure basic settings

  • Name: IntuneCommander-DoD
  • Supported account types: “Accounts in this organizational directory only”
  • Redirect URI:
    • Platform: Mobile and desktop applications
    • URI: http://localhost:45132
Click Register.
Step 4: Note the application details

Copy and save:
  • Application (client) ID
  • Directory (tenant) ID
Step 5: Add Microsoft Graph permissions

  1. API permissions → Add a permission → Microsoft Graph
  2. Delegated permissions
  3. Add all required permissions (same as Commercial)
  4. Click Add permissions
Step 6: Grant admin consent

Click Grant admin consent for [Your Organization] and confirm.
Step 7: (Optional) Create client secret

If using Client Secret authentication:
  1. Certificates & secrets → + New client secret
  2. Add description and expiration
  3. Copy the secret Value immediately
  4. Store securely

Automated Setup with PowerShell

For automated app registration setup, Intune Commander includes a PowerShell script that creates the app registration with all required permissions.
This script is designed for Commercial/GCC environments only. GCC-High and DoD require manual registration in their respective portals.
Script location: scripts/Setup-IntegrationTestApp.ps1

Usage:
# Clone the repository
git clone https://github.com/yourusername/intune-commander.git
cd intune-commander

# Run the setup script
.\scripts\Setup-IntegrationTestApp.ps1
The script will:
  1. Create a new app registration named IntuneCommander-Auto
  2. Configure the redirect URI
  3. Add all required Microsoft Graph permissions
  4. Prompt you to grant admin consent
  5. Display the Tenant ID and Client ID
Review the script contents to understand the exact permissions being granted. You can customize the app name and permissions as needed.

Configuring Profiles in Intune Commander

After creating app registrations, add them to Intune Commander as profiles.

Manual Profile Configuration

In Intune Commander’s login screen:
  1. Profile Name: Contoso-Commercial (descriptive name)
  2. Tenant ID: Paste your Directory (tenant) ID
  3. Client ID: Paste your Application (client) ID
  4. Cloud: Select Commercial, GCC, GCCHigh, or DoD
  5. Auth Method: Choose Interactive or ClientSecret
  6. Client Secret: (if using ClientSecret auth) Paste your secret value
  7. Click Save Profile

Profile Import from JSON

Download the profile template from .github/profile-template.json:
[
  {
    "name": "Contoso-Commercial",
    "tenantId": "your-tenant-id-guid",
    "clientId": "your-client-id-guid",
    "cloud": "Commercial",
    "authMethod": "Interactive",
    "clientSecret": ""
  },
  {
    "name": "Fabrikam-GCCHigh",
    "tenantId": "your-gcc-high-tenant-id",
    "clientId": "your-gcc-high-client-id",
    "cloud": "GCCHigh",
    "authMethod": "ClientSecret",
    "clientSecret": "your-client-secret-value"
  },
  {
    "name": "DoD-Tenant",
    "tenantId": "your-dod-tenant-id",
    "clientId": "your-dod-client-id",
    "cloud": "DoD",
    "authMethod": "ClientSecret",
    "clientSecret": "your-dod-client-secret"
  }
]
Then in Intune Commander:
  1. Click Import Profiles
  2. Select your JSON file
  3. Profiles are imported and encrypted automatically
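The profile template above and the Cloud Environment Overview table together define everything a client needs to know before it can sign in. The following example, added here and not part of Intune Commander's code, validates a profile file the way the import step expects it (GUID-shaped tenantId/clientId, a known cloud, a consistent authMethod/clientSecret pair) and resolves the authority, Graph base URL and scope each cloud implies. Portal and Graph hosts are the ones in the overview table; the login (authority) hosts are the standard public and US Government hosts, which this page does not state. The sample profiles are constructed, with one placeholder-filled entry copied from the template to show what the import should reject.

```python
"""Validate an Intune Commander profile JSON file and resolve the endpoints
each profile's cloud setting implies.

Added example; not Intune Commander's own code. Assumes the fields shown in
.github/profile-template.json (name, tenantId, clientId, cloud, authMethod,
clientSecret). Login hosts are an assumption not stated on the page.
"""
import json
import re

# Cloud -> hosts. Portal and Graph values come from the overview table.
CLOUDS = {
    "Commercial": {"portal": "https://portal.azure.com",
                   "graph": "https://graph.microsoft.com",
                   "login": "https://login.microsoftonline.com"},
    "GCC": {"portal": "https://portal.azure.com",
            "graph": "https://graph.microsoft.com",
            "login": "https://login.microsoftonline.com"},
    "GCCHigh": {"portal": "https://portal.azure.us",
                "graph": "https://graph.microsoft.us",
                "login": "https://login.microsoftonline.us"},
    "DoD": {"portal": "https://portal.apps.mil",
            "graph": "https://dod-graph.microsoft.us",
            "login": "https://login.microsoftonline.us"},
}
AUTH_METHODS = {"Interactive", "ClientSecret"}
REDIRECT_URI = "http://localhost:45132"  # the URI registered on the app
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def endpoints_for(cloud, tenant_id):
    """Authority, Graph base URL and scope a client should use for this profile."""
    c = CLOUDS[cloud]
    return {
        "portal": c["portal"],
        "authority": f"{c['login']}/{tenant_id}",
        "graph_base": c["graph"],
        "scope": f"{c['graph']}/.default",
        "redirect_uri": REDIRECT_URI,
    }


def validate_profiles(profiles):
    """Return (profile name, level, message) findings; an empty list means OK."""
    findings = []
    seen = set()
    for i, p in enumerate(profiles):
        name = p.get("name") or f"profile[{i}]"
        if not p.get("name"):
            findings.append((name, "error", "name is empty"))
        elif name in seen:
            findings.append((name, "error", "duplicate profile name"))
        seen.add(name)
        for field in ("tenantId", "clientId"):
            if not GUID_RE.match(str(p.get(field, ""))):
                findings.append((name, "error",
                                 f"{field} is not a GUID (template placeholder left in?)"))
        if p.get("cloud") not in CLOUDS:
            findings.append((name, "error",
                             f"cloud must be one of {sorted(CLOUDS)}, got {p.get('cloud')!r}"))
        method = p.get("authMethod")
        if method not in AUTH_METHODS:
            findings.append((name, "error",
                             f"authMethod must be Interactive or ClientSecret, got {method!r}"))
        secret = p.get("clientSecret", "")
        if method == "ClientSecret" and not secret:
            findings.append((name, "error", "authMethod is ClientSecret but clientSecret is empty"))
        if method == "Interactive" and secret:
            # A secret that is never used is still a secret at rest: remove it.
            findings.append((name, "warning", "clientSecret is set but unused with Interactive auth"))
    return findings


def validate_profiles_json(text):
    return validate_profiles(json.loads(text))


# Constructed sample: one complete profile, one with template placeholders left in.
SAMPLE_PROFILES_JSON = """[
  {"name": "Contoso-Commercial",
   "tenantId": "11111111-2222-3333-4444-555555555555",
   "clientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
   "cloud": "Commercial", "authMethod": "Interactive", "clientSecret": ""},
  {"name": "Fabrikam-GCCHigh",
   "tenantId": "your-gcc-high-tenant-id",
   "clientId": "your-gcc-high-client-id",
   "cloud": "GCCHigh", "authMethod": "ClientSecret", "clientSecret": ""}
]"""

if __name__ == "__main__":
    for name, level, msg in validate_profiles_json(SAMPLE_PROFILES_JSON):
        print(f"{level.upper():7} {name}: {msg}")
    print(endpoints_for("DoD", "11111111-2222-3333-4444-555555555555"))
```

Running the module prints three errors for the Fabrikam-GCCHigh entry (both placeholder GUIDs and the empty secret) and nothing for the Contoso entry, then the DoD endpoints. Run the check before importing a file so a wrong cloud value or a leftover placeholder fails here rather than as an AADSTS700016 error at sign-in.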

Verifying Permissions

After connecting to a tenant, Intune Commander can verify your permissions:
  1. Connect to a tenant using your profile
  2. Navigate to Tools → Check Permissions (if available)
  3. Review the permission check results
  4. Missing permissions will be highlighted
You can also view permissions in the Debug Log window during authentication. Any permission issues will be logged there.
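What the permission check and the Debug Log are looking at is the `scp` claim of the access token Azure AD issued: a delegated Graph token lists the consented permissions there, space separated, and an app-only (client secret, application permission) token lists them in `roles` instead. The example below, added here and not Intune Commander's code, decodes that claim and reports which of the permissions listed in the "Add API permissions" step are missing, and checks the token's audience against the Graph host of the profile's cloud. It decodes the payload without verifying the signature, which is acceptable only because the token is one the client obtained for itself and is being inspected locally; a service accepting tokens from callers must verify them. The sample token is constructed and carries no signature.

```python
"""Report which required delegated Graph permissions an access token lacks.

Added example, not Intune Commander's code. Assumes an Azure AD JWT whose
payload carries `scp` (delegated) or `roles` (app-only). No signature check:
local diagnostics of the client's own token only.
"""
import base64
import json

# Delegated permissions from the "Add API permissions" step.
REQUIRED_DELEGATED_SCOPES = {
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All",
    "Directory.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
}
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app ID


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token):
    """Decode the claims segment of a JWT (no signature check, see module doc)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(token):
    claims = jwt_payload(token)
    if "scp" in claims:                      # delegated token
        return set(claims["scp"].split())
    return set(claims.get("roles", []))      # app-only token


def missing_permissions(token, required=REQUIRED_DELEGATED_SCOPES):
    return sorted(required - granted_permissions(token))


def audience_matches(token, graph_base):
    """True if the token was issued for the Graph endpoint of the profile's cloud."""
    return jwt_payload(token).get("aud") in {graph_base, GRAPH_APP_ID}


def make_unsigned_token(claims):
    """Constructed sample only: a real token carries a signature in the third segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token granting three of the ten required permissions plus User.Read.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "DeviceManagementConfiguration.ReadWrite.All Directory.Read.All "
           "Group.Read.All User.Read",
})

if __name__ == "__main__":
    print("missing:", missing_permissions(SAMPLE_TOKEN))
    print("aud ok for Commercial:", audience_matches(SAMPLE_TOKEN, "https://graph.microsoft.com"))
    print("aud ok for GCC-High:", audience_matches(SAMPLE_TOKEN, "https://graph.microsoft.us"))
```

A permission that was added in the portal but is absent from `scp` almost always means admin consent was not granted (or has not propagated yet), which is the first "Common Issues" case below; an audience that does not match the profile's Graph host means the token came from a different cloud than the profile claims.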

Common Issues

“The application does not have permission to access this resource”

Cause: Missing Microsoft Graph API permissions or admin consent not granted.
Solution:
  1. Return to the app registration in Azure Portal
  2. Navigate to API permissions
  3. Verify all required permissions are listed
  4. Click “Grant admin consent for [Organization]” again
  5. Wait 5-10 minutes for permission propagation
  6. Try reconnecting in Intune Commander

“AADSTS700016: Application not found in the directory”

Cause: Using the wrong cloud configuration for your tenant.
Solution:
  • Verify you’re using the correct cloud setting:
    • Commercial/GCC → Cloud: Commercial
    • GCC-High → Cloud: GCCHigh, use app from portal.azure.us
    • DoD → Cloud: DoD, use app from portal.apps.mil

“AADSTS50011: The redirect URI specified in the request does not match”

Cause: Redirect URI not configured correctly in app registration.
Solution:
  1. Open your app registration in Azure Portal
  2. Navigate to Authentication
  3. Under “Platform configurations” → “Mobile and desktop applications”
  4. Ensure http://localhost:45132 is listed
  5. Save changes

Client Secret Expired

Cause: Client secrets expire after the configured period (typically 12-24 months).
Solution:
  1. Create a new client secret in Azure Portal
  2. Copy the new secret value
  3. Update your profile in Intune Commander with the new secret
  4. Delete the old secret from Azure Portal

Security Best Practices

Use Interactive Auth

Prefer interactive browser authentication over client secrets when possible. Interactive auth supports MFA and conditional access policies.

Rotate Secrets Regularly

If using client secrets, set a reminder to rotate them before expiration. Use shorter expiration periods (12 months) for better security.

Principle of Least Privilege

Only grant the permissions your use case requires. Use read-only permissions if you don’t need to modify configurations.

Monitor App Usage

Review sign-in logs in Azure AD to monitor app registration usage and detect unauthorized access.

Next Steps

Quickstart Guide

Use your app registration to connect and start managing Intune

Prerequisites

Review all system and permission requirements
