v2.0.5-beta.1 - Entra

[almenscorner]

Not everything in Entra is using Graph API, some resources are using an internal API to get and update payloads.

The first authentication to Azure APIs (main.iam.ad.ext.azure.com) is manual and requires you to go to a URL and put in a device code and sign in. The refresh token that is obtained upon authenticating can be stored in an encrypted local cache however so that subsequent runs are authenticated silently.

To save the refresh token in a local cache, you must create a key that will be used from encryption and decryption. The key can be created in two ways,

macOS or any other UNIX based system with openssl,

openssl rand -base64 32 | tr -d '\n' | tr '+/' '-_'

Windows and PowerShell,

$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$base64 = [System.Convert]::ToBase64String($bytes)
$urlSafeBase64 = $base64.Replace('+', '-').Replace('/', '_')
$urlSafeBase64

If you are using local auth when running IntuneCD, add this key and tenant id to the json,

{
	"params": {
                "TENANT_NAME": "",
                "CLIENT_ID": "",
                "CLIENT_SECRET": "",
		"TENANT_ID": "",
		"KEY": ""
	}
}

If not using local auth, set TENANT_ID and KEY as ENV vars.

App registration permissions

New permissions needed to manage Entra

• Domain.ReadWrite.All
• Policy.ReadAll
• Policy.ReadWrite.ConditionalAccess
• Policy.ReadWrite.AuthenticationFlows
• Policy.ReadWrite.AuthenticationMethod
• Policy.ReadWrite.Authorization
• Policy.ReadWrite.DeviceConfiguration
• Policy.ReadWrite.ExternalIdentities
• Policy.ReadWrite.SecurityDefaults