Scopes requested
Trelica needs theDeviceManagementManagedDevices.Read.All
scope to read Intune asset data.
Application consent in Entra ID
Microsoft Entra ID (formerly Azure AD) now offers a very comprehensive approach to OAuth application security. Recommended settings are to limit users' abilities to consent to OAuth applications - if you're an Entra Administrator you can see the configuration your organization is using under Enterprise applications > Consent and permissions > User consent settings.
Trelica requires a number of permissions to access resources in Entra ID and it's likely you will have Do not allow user consent or Allow user consent for apps from verified publishers, for selected permissions selected. In this case connecting Trelica to Entra ID with a non-Entra administrator account will show the Need admin approval message:
As the message suggests, you could switch to using an Entra administrator account to make the connection by clicking Have an admin account? Sign in with that account.
Trelica will not be granted the full access of your administrator account - our access is limited to the OAuth scopes we request.
Approving the Trelica application connection using a separate Entra admin account
If you want to use a different user account (perhaps a specific Trelica 'service' account with just the Global Reader role) to connect from Trelica to Entra ID, then you will still need an Entra Administrator to approve the Trelica application.
The easiest way to do this is to ask an Entra Admin (who does not need to have a Trelica account) to click the following link:
https://login.microsoftonline.com/common/adminconsent?client_id=e1ecc680-201e-4a67-9671-6a159d448669
This will initiate the process for approving the Trelica connection in Entra ID. They will be shown the following screen:
You do NOT need to Consent on behalf of your organization. If you leave the box unchecked it just means that if a new connection is made, then the user must review the access Trelica is requesting.
After you click Accept, then the user will see a message from Trelica that says "Request forwarding failed Forwarding the request to the upstream server failed. Please retry, and if the problem persists contact Trelica support."
You can ignore this message - it's simply because the request was initiated from a direct URL outside Trelica. We are working to improve the wording of this.
Assigning and removing devices from Azure AD groups
The Microsoft Intune integration uses a normal OAuth consent process.
However, assigning and removing devices from Azure AD groups requires 'Application' rather than 'Delegated' Azure API permissions for the Device.ReadWrite.All scope (which is required for setting group membership). This means that an application must be created and configured directly in your Entra ID tenant.
There are two parts to configuring the connection - you may need help from an IT admin to complete the first step.
- Create credentials in Entra ID (an 'app')
- Connect Trelica to Microsoft 365 using these credentials.
Register the app
- Login to Entra ID and find App registrations:
- Click New registration.
- Enter a name (e.g.
Trelica (Intune)
) - Choose Accounts in this organizational directory only (Single tenant)
- You do not need to enter a Redirect URI - just click Register to continue.
Configuring API permissions
- On the API permissions tab, click Add a permission
- Under the Microsoft APIs tab choose Microsoft Graph:
-
Choose Application permissions search for
Group.Read.All
and then tick this: - In a similar way, add
GroupMember.ReadWrite.All
Device.ReadWrite.All
DeviceManagementManagedDevices.Read.All
- Click Add permissions
- Finally, click Grant admin consent:
Create a new secret
- Go to Certificates & secrets
- Click New client secret
- Give the secret a name (e.g.
Trelica
) and chose the Expiry duration that you are comfortable with (we recommend 12 or 24 months). - Click Add
Collecting the IDs you need
You need three IDs which you can copy from Entra ID:
- From the Certificates & secrets tab copy the Client Secret Value (not the Secret ID)
The Client secret value will only be available for you to copy for a short period of time. If you are unable to view or copy it, then just create new one.
- From the Overview tab copy the Application (client ID) and the Directory (tenant) ID
Connect from Trelica
- In Trelica, go to Admin > Integrations > Microsoft Intune
- Click Connect and enter the IDs that you gathered earlier:
- Click Connect again.
- You may need to login and consent to other scopes (required for other Intune actions).
- The integration will run in the background.
Comments
0 comments
Please sign in to leave a comment.