
Graph API permission

Open Ivanodib opened this issue 1 year ago • 10 comments

Upload doesn't work. Is App registration required? Which permissions are needed? Delegated or application? If needed, how can I import ClientID and ClientSecret?

Ivanodib avatar Oct 31 '24 15:10 Ivanodib

I have probably a similar issue...

Metisak avatar Nov 01 '24 12:11 Metisak

Upload doesn't work. Is App registration required? Which permissions are needed? Delegated or application? If needed, how can I import ClientID and ClientSecret?

Microsoft has complicated this early this year by terminating the Microsoft Intune PowerShell enterprise application.

Instead you need to create an app registration yourself. Follow this article: https://techcommunity.microsoft.com/t5/intune-customer-success/update-to-microsoft-intune-powershell-example-script-repository/ba-p/3842452

tori321 avatar Nov 03 '24 11:11 tori321

So the app is not working at the moment... Correct?

huuub avatar Dec 09 '24 14:12 huuub

So the app is not working at the moment... Correct?

Correct. I found https://github.com/Romanitho/WingetIntunePackager; the last PR includes an App registration Id field (more info at pull request https://github.com/Romanitho/WingetIntunePackager/pull/30).

Not tried yet, let me know if this works

Ivanodib avatar Dec 09 '24 14:12 Ivanodib

Well... I tried that one before yours. With that one I cannot even connect. Even after creating an app in entra and giving the right permissions and the uri. So that's why I gave this one a try. I guess I am out of options.

huuub avatar Dec 09 '24 14:12 huuub

Well, I'm gonna create it on my own :).

Ivanodib avatar Dec 09 '24 15:12 Ivanodib

I fixed the issues which occurred after the MS App Registration change within the script and added it as well to the GUI to set your own non-default Client ID and Redirect URI. If the app registration doesn't have the permission, you will be asked with Connect-MgGraph to give the permission.

You can get my version in my fork: https://github.com/InnovationForge-com/WinGet-Wrapper I will create a pull request after optimizing it a bit more.

If you want the GUI options then you need to start WinGet-WrapperImportGUI.ps1 and not WinGet-WrapperImportGUI.exe. Even without setting it in the GUI, WinGet-WrapperImportFromCSV.ps1 will use App ID "14d82eec-204b-4c2f-b7e8-296a70dab67e" and Redirect URI "https://login.microsoftonline.com/common/oauth2/nativeclient", which is used by the .exe as well.

configforgelabs avatar Dec 09 '24 17:12 configforgelabs

I fixed the issues which occurred after the MS App Registration change within the script and added it as well to the GUI to set your own non-default Client ID and Redirect URI. If the app registration doesn't have the permission, you will be asked with Connect-MgGraph to give the permission.


You can get my version in my fork: https://github.com/InnovationForge-com/WinGet-Wrapper

I will create a pull request after optimizing it a bit more.

If you want the GUI options then you need to start WinGet-WrapperImportGUI.ps1 and not WinGet-WrapperImportGUI.exe.

Even without setting it in the GUI, WinGet-WrapperImportFromCSV.ps1 will use App ID "14d82eec-204b-4c2f-b7e8-296a70dab67e" and Redirect URI "https://login.microsoftonline.com/common/oauth2/nativeclient", which is used by the .exe as well.

Great work! Feel free to create a pull request and I will be sure to test it and add it to the main branch.

SorenLundt avatar Dec 09 '24 17:12 SorenLundt

@huuub @Ivanodib @SorenLundt I just checked the Release again and the PR I posted. For me it works fine; I'm not sure what issues you are facing? You can just create your own Application, give Group Read All, Apps ReadWrite All and ManagedDevices ReadWrite All. Then you can connect to the App with the Application (client) ID and the default Redirect URI https://login.microsoftonline.com/common/oauth2/nativeclient, which you of course have to add in your App as well as a Redirect Mobile and Desktop App URI.

LucaMoor avatar Jan 08 '25 08:01 LucaMoor

created PR https://github.com/SorenLundt/WinGet-Wrapper/pull/23

Azure AD Application Configuration for WinGet-Wrapper

Background

The WinGet-Wrapper tool uses Microsoft Graph API to interact with Intune. By default, it uses a built-in application ID, but due to recent Microsoft infrastructure changes and security policies, it's recommended to create your own Azure AD application registration. This ensures:

  1. Better security control over the application
  2. Avoidance of potential throttling issues
  3. Clear audit trails in your Azure environment
  4. Prevention of authentication issues related to Microsoft's first-party app verification changes

Creating Your Azure AD Application

Step 1: Create the Application Registration

  1. Log in to the Azure Portal (portal.azure.com)
  2. Navigate to Azure Active Directory → App registrations
  3. Click "New registration"
  4. Configure the following:
    • Name: "WinGet-Wrapper-App" (or your preferred name)
    • Supported account types: "Accounts in this organizational directory only"
    • Click "Register"
  5. After creation, note down the "Application (client) ID" - you'll need this later

Step 2: Configure Authentication

  1. In your app registration, go to "Authentication" in the left menu
  2. Click "Add a platform"
  3. Select "Mobile and desktop applications"
  4. Check the box for "https://login.microsoftonline.com/common/oauth2/nativeclient"
  5. Click "Configure"

This configuration is crucial because the PowerShell scripts use interactive authentication, which requires a proper redirect URI.

Step 3: Configure API Permissions

  1. Go to "API permissions" in the left menu
  2. Click "Add a permission"
  3. Select "Microsoft Graph"
  4. Choose "Application permissions"
  5. Search for and select "DeviceManagementApps.ReadWrite.All"
  6. Click "Add permissions"
  7. Click "Grant admin consent" and confirm

Updating the Scripts

You need to update the ClientID in the following files:

Option 1: Modify the Script Directly

Update WinGet-WrapperImportFromCSV.ps1:

#ClientID to connect to MSGraph/InTune with Connect-MSIntuneGraph
[Parameter(Mandatory = $False)]
[string]$ClientID = "your-application-id-here"

Option 2: Pass ClientID as Parameter

Run the script with your ClientID:

.\WinGet-WrapperImportFromCSV.ps1 -TenantID "yourtenant.onmicrosoft.com" -ClientID "your-application-id" -csvFile "your-csv-file.csv"

Troubleshooting

Common Issues

  1. "No reply address is registered for the application"

    • Cause: Missing redirect URI configuration
    • Solution: Follow Step 2 in the configuration process
  2. "Application is not authorized to perform this operation"

    • Cause: Missing or unauthorized API permissions
    • Solution: Ensure Step 3 is completed and admin consent is granted
  3. "AADSTS700016" or "AADSTS90099"

    • Cause: Application not properly authorized in tenant
    • Solution: Ensure admin consent is granted and the account has proper roles (Global Admin or Intune Administrator)

Best Practices

  1. Security:

    • Regularly review and audit application permissions
    • Use separate applications for development and production
    • Follow the principle of least privilege when assigning permissions
  2. Maintenance:

    • Document your application ID and configuration
    • Regularly review and update permissions as needed
    • Monitor application usage through Azure AD audit logs

Required Azure AD Roles

The user account running the scripts needs one of these roles:

  • Intune Administrator
  • Global Administrator

Additional Resources

aollivierre avatar Feb 05 '25 12:02 aollivierre
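A pre-flight check for the app registration described in the guide above, added here as an example; it is not code from the WinGet-Wrapper project or from anyone in this thread. It assumes the Microsoft.Graph.Authentication module is installed, and the function name Test-WinGetWrapperGraphAccess is my own.

```powershell
# Added example (not part of WinGet-Wrapper): sign in with your own app registration the way the
# import scripts do (interactive, via Connect-MgGraph) and verify that the resulting session
# actually carries the scopes the guide's Step 3 asks for, before running an import.
function Test-WinGetWrapperGraphAccess {
    param(
        [Parameter(Mandatory)] [string]$TenantID,      # e.g. yourtenant.onmicrosoft.com
        [Parameter(Mandatory)] [string]$ClientID,      # "Application (client) ID" from Step 1
        # Step 3 of the guide; add Group.Read.All / DeviceManagementManagedDevices.ReadWrite.All
        # if you follow LucaMoor's broader permission set.
        [string[]]$RequiredScopes = @('DeviceManagementApps.ReadWrite.All')
    )
    Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
    try {
        Connect-MgGraph -TenantId $TenantID -ClientId $ClientID -Scopes $RequiredScopes `
            -NoWelcome -ErrorAction Stop
    } catch {
        $msg = $_.Exception.Message
        # Map the sign-in errors listed under "Troubleshooting" above to their documented cause.
        if ($msg -match 'No reply address is registered') {
            Write-Warning 'Redirect URI missing on the app registration (see Step 2).'
        } elseif ($msg -match 'AADSTS700016|AADSTS90099') {
            Write-Warning 'App not authorized in this tenant: check the client ID and admin consent (Step 3).'
        } else {
            Write-Warning "Connect-MgGraph failed: $msg"
        }
        return $false
    }
    $ctx = Get-MgContext
    $missing = $RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ }
    if ($missing) {
        Write-Warning ('Signed in as {0}, but the token lacks: {1}. Grant admin consent in the portal.' `
            -f $ctx.Account, ($missing -join ', '))
        return $false
    }
    # Cheap read-only probe against the Intune apps endpoint the import scripts write to
    # ($top=1 keeps the response small); a 403 here means consent has not propagated yet.
    try {
        $null = Invoke-MgGraphRequest -Method GET `
            -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps?$top=1' -ErrorAction Stop
    } catch {
        Write-Warning "Token looks right but the Intune endpoint refused the call: $($_.Exception.Message)"
        return $false
    }
    Write-Host ('OK: {0} in tenant {1} via app {2} with scopes {3}' -f `
        $ctx.Account, $ctx.TenantId, $ctx.ClientId, ($ctx.Scopes -join ' '))
    return $true
}
```

Run it once with the same -TenantID and -ClientID you will pass to WinGet-WrapperImportFromCSV.ps1; a $true result means the registration, redirect URI and consent are all in place.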