Issue: Unable to Connect Custom App & Defaulting to Microsoft Graph Command Line Tools
Closed this issue · 6 comments
Problem Description
In reference to the documentation provided here: MSALInfo.md, it's highlighted that a custom application can be specified in the Settings.
I am unfortunately encountering issues when trying to connect to a new custom app registration. The application doesn't seem to honour the settings; rather, it consistently defaults back to "Microsoft Graph Command Line Tools." This has been confirmed via sign-in logs in Entra ID, with the App ID being signed into: 14d82eec-204b-4c2f-b7e8-296a70dab67e
Steps Taken:
I've made changes to the settings and tenant settings as below:
- App ID: xxxxx-xxxxx-xxxxx-xxxx (my custom app ID)
- Tenant: xxxx-xxxxx-xxxxx-xxxxx (my tenant)
- Redirect URL: blank (couldn't find any doco)
Request for Help:
I would appreciate it if you could help test and confirm whether this functionality is still operational. If it is, would you please provide detailed doco, mentioning all the necessary settings that require configuration for setting up a custom app?
Thank you for your attention to this issue.
Hello!
I've been away a couple of days. I'll try to write some instructions on the weekend.
I use this myself in one of the test environments. So it should be possible.
Cheers!
Hello,
Documentation by Microsoft: Quickstart: Register an application with the Microsoft identity platform
I hope this will get you going:
Go to the Entra Portal
- Register a new App registration in Entra
- Note the Application Id
- Add Delegated permissions
  - Microsoft Graph
  - For full support the app requires:
    DeviceManagementConfiguration.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Application.Read.All, Agreement.ReadWrite.All, DeviceManagementApps.ReadWrite.All, Organization.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All, CloudPC.ReadWrite.All
  - It will also need User.ReadWrite.All, Group.ReadWrite.All but you could set these to read only unless you will let the app create Groups.
- Grant permissions for the environment
- Go to Authentication
  - Click + Add platform
  - Click on Mobile and desktop applications
  - Check https://login.microsoftonline.com/common/oauth2/nativeclient
  - The msal value can also be used

Start the Tool
- Go to Settings
- Change Application in Endpoint Manager/Intune
  - Set the drop down to Empty. It will only use the custom app if the drop down is empty.
  - Specify App Id
  - Specify Redirect URL to https://login.microsoftonline.com/common/oauth2/nativeclient
- Save Settings

Restart the Tool
- Custom app settings are only used during startup
Check log for missing permissions. It will have a line stating: "WARNING: Missing scopes:"
You can add missing permissions in the Tool UI by going to your profile picture and clicking Request Consent. That will only be available if it detects missing permissions. If you feel like the app is adding too many permissions, you can remove them from the App Registration in the Entra portal.
Let me know how you go.
Cheers!
You are a legend! Thank you for the quick write up. Will get it tested tomorrow and let you know.
Thanks @Micke-K - instructions worked perfectly. I was missing the redirect URI in my config.
Graph Permissions:
DeviceManagementConfiguration.ReadWrite.All
Policy.Read.All
Policy.ReadWrite.ConditionalAccess
Application.Read.All
Agreement.ReadWrite.All
DeviceManagementApps.ReadWrite.All
Organization.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementRBAC.ReadWrite.All
CloudPC.ReadWrite.All
Optional:
User.ReadWrite.All
Group.ReadWrite.All
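The two symptoms discussed in this thread (the tool silently signing in as "Microsoft Graph Command Line Tools" instead of the custom app, and the "WARNING: Missing scopes:" line in the log) are both visible in the claims of the Graph access token the sign-in produced. The script below is an added example and is not code from this tool or its author; it decodes a token's claims offline and reports whether the sign-in used the expected App ID and which of the delegated scopes listed in the instructions above and in the confirmation list are absent. It assumes the standard Entra claim names (`appid` in v1 tokens, `azp` in v2 tokens, `scp` as a space-separated scope list, `tid` for the tenant); the token it inspects is constructed inline with an empty signature purely so the example runs without a tenant, and the expected App ID and tenant ID are placeholders.

```python
import base64
import json

# Delegated Microsoft Graph scopes the thread lists as required for full support.
REQUIRED_SCOPES = {
    "DeviceManagementConfiguration.ReadWrite.All",
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All",
    "Agreement.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "Organization.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementRBAC.ReadWrite.All",
    "CloudPC.ReadWrite.All",
}
# Scopes the thread marks as optional (only needed if the app creates users/groups).
OPTIONAL_SCOPES = {"User.ReadWrite.All", "Group.ReadWrite.All"}

# App ID of the built-in "Microsoft Graph Command Line Tools" application,
# the one the original poster saw in the Entra sign-in logs.
GRAPH_CLI_APP_ID = "14d82eec-204b-4c2f-b7e8-296a70dab67e"


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode a JWT segment, restoring the stripped '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified here: this is a configuration diagnostic
    that only reads claims, not a token validator for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_app_id: str, expected_tenant_id: str) -> dict:
    """Compare the token's claims with the configured custom app and scope list."""
    claims = decode_claims(token)
    # v1 tokens carry the client in 'appid', v2 tokens in 'azp'.
    app_id = claims.get("appid") or claims.get("azp")
    granted = set(claims.get("scp", "").split())
    return {
        "app_id": app_id,
        "uses_custom_app": app_id == expected_app_id,
        "fell_back_to_graph_cli": app_id == GRAPH_CLI_APP_ID,
        "tenant_matches": claims.get("tid") == expected_tenant_id,
        "missing_scopes": sorted(REQUIRED_SCOPES - granted),
        "missing_optional": sorted(OPTIONAL_SCOPES - granted),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none', empty signature) for offline demos."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def constructed_sample_token() -> str:
    """A constructed token reproducing the thread's symptom: the sign-in went to
    the Graph Command Line Tools app, and one required scope was never consented."""
    return make_unsigned_token({
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-0000000000aa",  # constructed tenant id
        "appid": GRAPH_CLI_APP_ID,
        "scp": " ".join(sorted(REQUIRED_SCOPES - {"CloudPC.ReadWrite.All"})),
    })


if __name__ == "__main__":
    # Placeholder values: replace with the custom App ID and tenant ID from Settings.
    result = diagnose(constructed_sample_token(),
                      expected_app_id="00000000-0000-0000-0000-00000000cafe",
                      expected_tenant_id="00000000-0000-0000-0000-0000000000aa")
    for key, value in result.items():
        print(f"{key}: {value}")
```

If `fell_back_to_graph_cli` is true, the tool never picked up the custom app (in this thread, because the Endpoint Manager/Intune drop down was not Empty or the redirect URI was blank, and because custom app settings are only read at startup). A non-empty `missing_scopes` list corresponds to the "WARNING: Missing scopes:" line and is resolved through Request Consent or by adding the delegated permissions on the App Registration.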
Hey @Micke-K, sorry to reply to an old thread but I'm having problems with this. I have configured everything as in your comment but the app always falls back to Graph PowerShell.
Use-Case:
I am logged in with a user of the tenant that only has the Intune Admin role (the created application has all permissions). I'm going to tenant settings and setting:
- Set drop down to Empty. It will only use custom app if drop down is empty.
- Specify App Id
- Specify Redirect URL to https://login.microsoftonline.com/common/oauth2/nativeclient
I'm using it with "Tenant Settings" as I log in to multiple Tenants. From the description it should work like this, right? What am I doing wrong? Thank you
Hello,
No problem!
Not sure that this would work. You can set the App Id in settings but that must be for the home tenant. The authentication will always be for the home tenant and then allow you to change to another tenant.
Also, if you have a custom App for this, is it an Enterprise App with permission in all tenants?
An App Registration would only have access to one tenant.
So you would not be able to authenticate to your home tenant and then swap to another tenant using another app id. That would break the authentication process since the authentication token is for a specific app.
It could work if you create an Enterprise App and then add it to all tenants.
Cheers!