Trelica needs the
DeviceManagementManagedDevices.Read.All scope to read Intune asset data.
Application consent in Azure
Azure now offers a very comprehensive approach to OAuth application security. Recommend settings are to limit users' abilities to consent to OAuth applications - if you're an Azure Administrator you can see the configuration your organization is using under Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
Trelica requires a number of permissions to access resources in Azure and it's likely you will have Do not allow user consent or Allow user consent for apps from verified publishers, for selected permissions selected. In this case connecting Trelica to Azure with a non Azure administrator account will show the Need admin approval message:
As the message suggests, you could switch to use an Azure administrator login to make the connection (Have an admin account? Sign in with that account).
Trelica will not be granted the full access of your administrator account - our access is limited to the OAuth scopes we request.
Approving the Trelica application connection using a separate Admin Azure account
If you want to use a different user account (perhaps a specific Trelica 'service' account with just the Global Reader role) to connect from Trelica to Azure, then you will still need an Azure Administrator to approve the Trelica application.
The easiest way to do this is to ask an Azure Admin (who does not need to have a Trelica account) to click the following link:
This will initiate the process for approving the Trelica connection in Azure. They will be shown the following screen:
You do NOT need to Consent on behalf of your organization. If you leave the box unchecked it just means that if a new connection is made, then the user must review the access Trelica is requesting.
After you click Accept, then the user will see a message from Trelica that says "Request forwarding failed Forwarding the request to the upstream server failed. Please retry, and if the problem persists contact Trelica support."
You can ignore this message - it's simply because the request was initiated from a direct URL outside Trelica. We are working to improve the wording of this.
Please sign in to leave a comment.