microsoftgraph/powershell-intune-samples

How to authenticate DEVICE using "Microsoft Intune MDM Device CA" certificate?

forderud opened this issue · 0 comments

Hi. I'm evaluating the feasibility of using the Microsoft Graph APIs to develop an alternative to the "Company Portal" app with a custom UI. One sub-problem to then tackle is device authentication.

Intune appears to automatically create a "Microsoft Intune MDM Device CA" certificate for client authentication when enrolling:
[image]

I'm assuming that the "Intune Management Extension" and "Company Portal" already use this Intune certificate to authenticate the device, so that they can afterwards query for available SW packages specific to just that particular machine. I am seeking advice on how to implement the same functionality myself.

It's possible to semi-solve the problem by creating an Azure app as described in "How to use Azure AD to access the Intune APIs in Microsoft Graph". Then, one can upload the public key of the Intune certificate for all relevant machines to the Azure app. However, that approach suffers from several shortcomings:

  • It's cumbersome to upload the Intune certificate to the Azure app. This is especially the case if managing a fleet of >1000 machines with different SW entitlements. The Intune certificate is furthermore refreshed every year, which triggers the need for new uploads.
  • Certificate authentication through an Azure app appears to authenticate the app, and not the device. I suspect that it's therefore difficult to limit API access to just the SW packages available to the authenticated device.

Any advice on how to authenticate the DEVICE using the Intune certificate, without having to upload the public key to an Azure app?
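The "semi-solution" the post describes, written out as an added PowerShell example (this is not code from the issue author or from the powershell-intune-samples repository). It locates the Intune-issued device certificate in the machine store, exports the public key that would have to be uploaded to the app registration, signs in to Microsoft Graph as the app with that certificate, and then shows why this authenticates the app rather than the device: the same token can read any managed device in the tenant. Assumptions: `$TenantId` and `$ClientId` are placeholders for your own tenant and app registration, the app has been granted the `DeviceManagementManagedDevices.Read.All` application permission and the certificate's public key has already been uploaded under "Certificates & secrets", the `Microsoft.Graph.Authentication` and `Microsoft.Graph.DeviceManagement` modules are installed, and the certificate subject CN holds the Intune device ID (an assumption about the certificate's contents; check it on your own enrolled device).

```powershell
# Added example, not part of the original issue or the powershell-intune-samples repo.
# Requires: Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement (PowerShell 7 or 5.1).
# Run elevated: the Intune device certificate's private key lives in the machine store.

$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your tenant ID
$ClientId = '11111111-1111-1111-1111-111111111111'   # placeholder: your app registration (client) ID

# 1. Find the certificate Intune issued to this device. It is chained to
#    "Microsoft Intune MDM Device CA"; take the newest one that has a private key,
#    since Intune renews it (the post notes roughly yearly) and old copies can linger.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=Microsoft Intune MDM Device CA*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No Microsoft Intune MDM Device CA certificate with a private key found in LocalMachine\My.'
}
Write-Host "Using device certificate $($cert.Thumbprint), expires $($cert.NotAfter)"

# 2. Export the public key. This .cer file is what has to be uploaded to the app
#    registration ("Certificates & secrets") for every device, and again after each renewal,
#    which is the fleet-management burden the post describes.
$pubKeyPath = Join-Path $env:TEMP ("intune-device-{0}.cer" -f $cert.Thumbprint)
Export-Certificate -Cert $cert -FilePath $pubKeyPath -Type CERT | Out-Null
Write-Host "Public key exported to $pubKeyPath (upload this to the app registration)"

# 3. Authenticate to Microsoft Graph. Note the principal: this is the APP signing in
#    with a certificate credential, not the device presenting its identity.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -Certificate $cert -NoWelcome

# 4. Look up this device's own Intune record. Assumption: the certificate subject is
#    "CN=<Intune device ID>", so the ID can be read straight off the certificate.
$intuneDeviceId = ($cert.Subject -replace '^CN=', '').Split(',')[0].Trim()
$thisDevice = Get-MgDeviceManagementManagedDevice -ManagedDeviceId $intuneDeviceId -ErrorAction Stop
Write-Host "This device: $($thisDevice.DeviceName) (id $($thisDevice.Id))"

# 5. The check that exposes the second shortcoming: the app token is tenant-wide, so the
#    same session can enumerate other devices. Nothing in the token ties it to the
#    machine whose certificate was used, which is why access cannot be narrowed to
#    "packages for this device" on the API side with this approach.
$others = Get-MgDeviceManagementManagedDevice -Top 5 |
    Where-Object { $_.Id -ne $intuneDeviceId }
Write-Host "Also readable with the same token (first few): $($others.DeviceName -join ', ')"

Disconnect-MgGraph | Out-Null
```

If step 4 fails with a 404, the subject-CN assumption does not hold for your enrollment; compare `$cert.Subject` against the device's ID in the Intune admin center before relying on it. Step 5 succeeding is the point of the example: whatever filtering you want per device has to be enforced by your own service layer, because Graph sees only the app.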