
Required permissions and devops authentication

Open Flory321 opened this issue 1 year ago • 2 comments

Hey guys, we tried the Intune package factory in our test tenant and in fact it's really an awesome tool! It's definitely helpful for apps where versions change a lot and which are not available in Intune's MS Store integration (new).

But there are the following 2 things which currently block us from using it in production:

  1. We do not understand why the service principal needs the right "DeviceManagementRBAC.ReadWrite.All". This permission should, in my opinion, only be granted if it's really required.
  2. Azure DevOps uses a client secret as "Service Principal". Here we would need it to support "workload identity federation".

Don't get me wrong - we do honor what's there right now, but our internal guidelines block us from using it as it is now. Are there any changes planned to address the above topics?

Thanks, Florian

Flory321, Jan 05 '24 12:01

Authentication to Entra ID is managed with the IntuneWin32App module (I have no plans to write my own authentication methods). See: https://github.com/MSEndpointMgr/IntuneWin32App

aaronparker, May 24 '24 23:05

Thanks so much for the response. Do you know why the permission "DeviceManagementRBAC.ReadWrite.All" is required?

Flory321, May 27 '24 06:05