Azure AD Setup
Configure Microsoft Entra ID (formerly Azure AD) to enable user authentication and Intune API access for IntuneGet.
Overview
IntuneGet uses a multi-tenant app registration that allows users from any Microsoft 365 organization to:
- Sign in with their work account
- Grant admin consent for app deployment permissions
- Deploy applications to their Intune tenant
Create App Registration
Navigate to App Registrations
- Go to Azure Portal
- Navigate to Microsoft Entra ID (you can search for it)
- Click App registrations in the left menu
- Click New registration
Configure Registration Settings
Fill in the registration form:
| Setting | Value |
|---|---|
| Name | IntuneGet (or your preferred name) |
| Supported account types | Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) |
| Redirect URI (type) | Single-page application (SPA) |
| Redirect URI (value) | http://localhost:3000 (for development) |
Click Register to create the app.
Add Production Redirect URI
After registration, add your production URL:
- Go to Authentication in the left menu
- Under Single-page application, click Add URI
- Add your production URL (e.g., https://your-app.vercel.app)
- Click Save
Exact URL Match Required
The redirect URI must match exactly - including the protocol (https://) and without a trailing slash.
Configure API Permissions
IntuneGet requires two types of permissions:
Delegated Permissions (User Sign-in)
- Go to API permissions in the left menu
- Click Add a permission
- Select Microsoft Graph
- Select Delegated permissions
- Search for and add User.Read
- Click Add permissions
Application Permissions (Service Principal)
- Click Add a permission again
- Select Microsoft Graph
- Select Application permissions
- Search for and add DeviceManagementApps.ReadWrite.All
- Search for and add DeviceManagementManagedDevices.Read.All
- Click Add permissions
Your permissions should look like this:
| Permission | Type | Status |
|---|---|---|
| User.Read | Delegated | Granted for your org |
| DeviceManagementApps.ReadWrite.All | Application | Requires admin consent |
| DeviceManagementManagedDevices.Read.All | Application | Requires admin consent |
Create Client Secret
- Go to Certificates & secrets in the left menu
- Click New client secret
- Add a description (e.g., IntuneGet Production)
- Select an expiration (recommended: 24 months)
- Click Add
- Immediately copy the secret value - it won't be shown again!
Copy the Secret Now!
The client secret value is only shown once. If you navigate away without copying it, you'll need to create a new one.
Collect Required Values
After setup, collect these values for your environment configuration:
| Value | Location | Environment Variable |
|---|---|---|
| Application (client) ID | Overview page | NEXT_PUBLIC_AZURE_AD_CLIENT_ID |
| Client secret | Certificates & secrets | AZURE_AD_CLIENT_SECRET |
Admin Consent Flow
When users from other organizations use IntuneGet, a Global Administrator from their tenant must grant consent for the application permissions.
How Admin Consent Works
- User signs in to IntuneGet
- IntuneGet checks if admin consent was granted
- If not, user sees instructions to request consent
- Global Admin visits the consent URL
- Admin reviews and grants permissions
- User can now deploy apps
Admin Consent URL Format
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}&redirect_uri={redirect-uri}
Example:
https://login.microsoftonline.com/contoso.onmicrosoft.com/adminconsent?client_id=12345678-1234-1234-1234-123456789abc&redirect_uri=https://your-app.vercel.app
Security Recommendations
- Rotate secrets regularly: Set calendar reminders before expiration. Rotate every 12-24 months.
- Use separate registrations: Create separate apps for dev/staging/production environments.
- Monitor sign-ins: Review sign-in logs in Azure AD periodically for suspicious activity.
- Limit admin consent: Educate admins about what permissions they're granting.
Common Issues
AADSTS50011: Reply URL does not match
Your redirect URI doesn't match what's configured:
- Check the exact URL (including trailing slashes)
- Verify it's added as a SPA redirect, not Web
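As an added example (not IntuneGet's own code), the following Node.js snippet builds the consent URL in the format shown under Admin Consent URL Format, applies the exact-match redirect URI rule that AADSTS50011 enforces, and interprets the callback Entra ID sends back to the redirect URI. The tenant, client ID, registered URLs and state value are constructed placeholders.

```javascript
// Added example, not IntuneGet's own code. Builds the admin consent URL from
// the "Admin Consent URL Format" section and applies the exact-match rule for
// the redirect_uri (the cause of AADSTS50011). All URLs, IDs and the state
// value are constructed placeholders.

// SPA redirect URIs as registered under Authentication in Entra ID (constructed).
const REGISTERED_REDIRECT_URIS = [
  "http://localhost:3000",
  "https://your-app.vercel.app",
];

// Exact string match against the registered list, plus an https check that
// only localhost may skip. A trailing slash or http:// on a non-local host fails.
function isRegisteredRedirectUri(candidate, registered = REGISTERED_REDIRECT_URIS) {
  let url;
  try { url = new URL(candidate); } catch { return false; }
  if (url.protocol !== "https:" && url.hostname !== "localhost") return false;
  return registered.includes(candidate);
}

// Builds https://login.microsoftonline.com/{tenant-id}/adminconsent?... with
// percent-encoded parameters. `state` is an opaque per-request value that the
// callback handler below verifies, so a stray callback cannot be mistaken for ours.
function buildAdminConsentUrl({ tenant, clientId, redirectUri, state }) {
  if (!isRegisteredRedirectUri(redirectUri)) {
    throw new Error(`redirect_uri is not registered exactly as given: ${redirectUri}`);
  }
  const url = new URL(
    `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/adminconsent`
  );
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Interprets the query string Entra ID appends to redirect_uri after the admin
// decides: admin_consent=True&tenant=<id> on success, error=... on refusal.
function parseAdminConsentCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (expectedState && params.get("state") !== expectedState) {
    return { granted: false, reason: "state_mismatch" };
  }
  if (params.get("error")) {
    return { granted: false, reason: params.get("error") };
  }
  const granted = (params.get("admin_consent") || "").toLowerCase() === "true";
  return { granted, tenantId: params.get("tenant") };
}
```

Treat `granted: true` as the signal to re-check consent server-side before enabling deployment; the callback alone is not proof, only a hint to retry.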
AADSTS65001: User or admin has not consented
Admin consent hasn't been granted:
- Direct the admin to the consent URL
- Ensure they're using a Global Administrator account
- Verify they click "Accept" on the consent screen
Invalid client secret
The client secret is wrong or expired:
- Check AZURE_AD_CLIENT_SECRET matches the secret in Azure
- Verify the secret hasn't expired
- Create a new secret if needed
Next Steps
Now that Azure AD is configured, continue with the database setup.
Continue to Database Setup