
[MC736429] the global Microsoft Intune PowerShell application (client) ID based authentication method is being removed. #156

Open
Basti890 opened this issue Apr 16, 2024 · 20 comments

Comments

@Basti890

Today I was informed by our company's Entra ID admin that the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) will be removed by Microsoft?

Here the Message:

As mentioned in MC721851, last year we announced a new Microsoft Intune GitHub repository (https://aka.ms/Intune/Scripts-blog) based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, starting on or after April 1, 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method is being removed.

[How this will affect your organization:]
If you are using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you will need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.

[What you need to do to prepare:]
Before April 1, 2024, update your PowerShell scripts by:
Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform (https://learn.microsoft.com/entra/identity-platform/quickstart-register-app). Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.

Are you aware of these changes?

@x907

x907 commented Apr 22, 2024

Scripts with references to the old app id.

\IntuneWin32App-master\Development\Save-IntuneWin32AppContent.ps1
\IntuneWin32App-master\Public\Connect-MSIntuneGraph.ps1

@MichaelGerman

We got the following announcement in our Intune tenant:
We've detected a Microsoft Intune PowerShell script issue in your environment User impact: If action isn't taken, PowerShell scripts may break. Current Status: If you are using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you will need to update your scripts before May 6 with a different Microsoft Entra ID registered application ID to prevent your PowerShell scripts from breaking. Microsoft has replaced the GitHub repository using the old application ID d1ddf0e4-d672-4dae-b554-9d5bdfd93547 with a new repository...

@blimpz

blimpz commented May 6, 2024

It is possible to use your own application by doing:
Connect-MSIntuneGraph -TenantID $TenantID -ClientID $ClientID -ClientSecret $ClientSecret

I am not sure about the least-privilege permission set, but the one I tested with had:

  • DeviceManagementApps.Read.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementManagedDevices.ReadWrite.All

@twelch-ricohnz

twelch-ricohnz commented May 7, 2024

It appears that Connect-MSIntuneGraph is failing on most tenants now.

I've tried creating an application as per here, but although an access token is retrieved, Add-IntuneWin32App fails with Forbidden errors despite the application seemingly having the same permissions.

This is significantly impacting us as it has broken all our Intune application deployments.

VERBOSE: POST https://graph.microsoft.com/Beta/deviceAppManagement/mobileApps
WARNING: An error occurred while creating the Win32 application. Error message: UnknownError: {"ErrorCode":"Forbidden","Message":"{\r\n  \"_version\": 3,\r\n  \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 9ac8ae62-7e74-4777-9d37-17aeaf202201 - Url: https://fef.msuc03.manage.microsoft.com/AppLifecycle_2404/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5024-03-08\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{\\\"WWW-Authenticate\\\":\\\"Bearer realm=\\\\\\\"urn:intune:service,9225b241-44e1-44a8-8bfe-c10e39177505,3e9c57b9-808d-4aa0-9500-4b2d369279e7\\\\\\\"\\\"}\"\r\n}","Target":null,"Details":null,"InnerError":null,"InstanceAnnotations":[]}

@Ekrist3

Ekrist3 commented May 7, 2024

We have the same issue: the Microsoft Intune PowerShell app registration has been revoked by Microsoft.

@Marcel-Blokland

Create a new app registration (or use the "new default" app registration) with the same settings as the revoked one. Look up the client ID from the app registration.

Connect to Microsoft Intune Graph

Connect-MSIntuneGraph -TenantID "yourtenant.onmicrosoft.com" -ClientID "yourappregistrationid"

Then you can connect again.

@apmurdoch

apmurdoch commented May 8, 2024

It is possible to use your own application by doing: Connect-MSIntuneGraph -TenantID $TenantID -ClientID $ClientID -ClientSecret $ClientSecret

I am not sure about the least-privilege permission set, but the one I tested with had:

  • DeviceManagementApps.Read.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementManagedDevices.ReadWrite.All

Thanks for this @blimpz! We are back up and running again.

I can confirm that using an application with only:

  • DeviceManagementApps.ReadWrite.All

I was able to create an app, get list of all apps, supersede a previous version, and assign the app to groups whose IDs I had passed.

I would assume that if you want to look up groups and members you would need to add Directory.Read.All

Other functions may need DeviceManagementManagedDevices.Read(/Write).All if your script performs other actions - but I think for this module at least, DeviceManagementApps is enough.

@twelch-ricohnz

Confirming that a new application with permissions assigned as Application gives me the same access as previously.

NOTE that many commenters have specified to duplicate the existing Microsoft Intune PowerShell application, but this has permissions assigned as type Delegated which gives a token but does not work.

I'm still finding that Add-IntuneWin32App fails with

WARNING: Failed to finalize Azure Storage blob upload. Error message: The given key 'Content-Type' was not present in the dictionary.

but switching to PowerShell 5.1 it works.
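
The point made above (a token is issued, yet Intune answers 403 because the permissions were granted as Delegated rather than Application, or because admin consent was never granted) can be checked directly on the token before any upload is attempted. The following PowerShell is an added example, not code from the IntuneWin32App module or from this commenter. It decodes the JWT payload locally (no signature check, it only inspects claims) and reports whether the token carries application permissions (the roles claim), only delegated scopes (scp), or neither. Assumptions: you pass the raw bearer token string; $Global:AccessToken.AccessToken as the place the module keeps it is an assumption about your module version; the default role list is the one this thread reports as sufficient.

```powershell
# Added example: inspect the Graph access token obtained for IntuneWin32App.
# Application permissions show up in the "roles" claim (client-credentials / certificate flow).
# Delegated permissions show up in "scp". Intune's app endpoints, per this thread, need "roles".

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Value does not look like a JWT (expected header.payload.signature)" }
    # base64url -> base64: swap the URL-safe alphabet back and restore '=' padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-IntuneGraphToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Least set reported in this thread; add Group.Read.All if you use the assignment cmdlets
        [string[]]$RequiredRoles = @('DeviceManagementApps.ReadWrite.All')
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $roles  = if ($claims.roles) { @($claims.roles) } else { @() }        # Application permissions
    $scopes = if ($claims.scp)   { @($claims.scp -split ' ') } else { @() } # Delegated permissions

    # A token minted for another resource is rejected by Graph regardless of permissions
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    if ($claims.aud -notin $graphAudiences) {
        Write-Warning "Token audience is '$($claims.aud)', not Microsoft Graph"
    }

    if ($roles.Count -eq 0) {
        if ($scopes.Count -gt 0) {
            Write-Warning "Token has only delegated scopes ($($scopes -join ', ')). Add the permissions as type 'Application', not 'Delegated'."
        } else {
            Write-Warning "Token carries neither 'roles' nor 'scp'. Typical cause: admin consent was not granted for the app registration."
        }
    }

    $missing = @($RequiredRoles | Where-Object { $_ -notin $roles })
    foreach ($m in $missing) { Write-Warning "Missing application permission: $m" }

    [pscustomobject]@{
        AppId   = $claims.appid
        Tenant  = $claims.tid
        Expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).LocalDateTime
        Roles   = $roles
        Scopes  = $scopes
        Ok      = ($missing.Count -eq 0)
    }
}

# Usage after Connect-MSIntuneGraph (assumed location of the token in the module's global state):
# Test-IntuneGraphToken -Token $Global:AccessToken.AccessToken -RequiredRoles 'DeviceManagementApps.ReadWrite.All','Group.Read.All'
```

Run it once after connecting: an Ok of $false with a populated Scopes list and an empty Roles list is the "Delegated instead of Application" mistake; empty Roles and empty Scopes is the missing admin consent case from later in this thread. Because the check is on the token, it distinguishes those two from a genuine Intune-side error.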

@Ath3na-UK

Working for me fine with 5.1

@jason-nyc

Same. Connect-MSIntuneGraph fails with "Application with identifier 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547' was not found". This has broken our deployments, so we are unable to deploy until it gets resolved. From what we gather, Connect-MSIntuneGraph has a reliance on the above ID, which was published years ago by Microsoft as a kind of PowerShell sample code. And now Microsoft has blocked this identifier.

The workaround seems to be for administrators to create an application. I tried a few things but couldn't get it working. If someone can document the steps that would be very helpful. Ideally, the codebase should include a method for creating the application with the 'correct' permission, if not in-line, then at least as a utility function.

@twelch-ricohnz

Run my script here which will create an Azure application called "IntuneWin32App" and add the permissions...
DeviceManagementApps.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All

You'll need the PowerShell module Microsoft.Graph installed to run it successfully

@hotzenwalder

hotzenwalder commented May 10, 2024

It works for most parts, but when checking or changing the Category I still get an error, so we probably need more API permissions:

WARNING: Graph request failed with status code '401 (Unauthorized)'. Error details: UnknownError - {"ErrorCode":"Forbidden","Message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: d6e7b4ab-0199-45a0-98ee-22248f2117e3 - Url: https://fef.msub07.manage.microsoft.com/AppLifecycle_2404/StatelessAppMetadataFEService/deviceAppManagement/mobileAppCategories?api-version=5024-03-08&$filter=displayName+eq+%27Web+Browsers%27\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{\\\"WWW-Authenticate\\\":\\\"Bearer

The documentation says we need DeviceManagementApps.ReadWrite.All, but these are already added (Delegated/Application, consent for the whole tenant).

@jaspain

jaspain commented May 14, 2024

I also ran into this as described at Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID. I found that the only MS Graph permission required for my use case was
DeviceManagementApps.ReadWrite.All, but that application permissions were required. Delegated permissions did not work.

@Hardexit

Hardexit commented May 16, 2024

I have also just encountered the problem. How do I have to set up the app so that it works again?
I have created an app, added a client secret and given it the DeviceManagementApps.ReadWrite.All Application API permission, but I still get error messages when executing the commands:

Get-IntuneWin32App -DisplayName "7-zip"
WARNING: Graph request failed with status code '401 (Unauthorized)'. Error details: UnknownError - {"ErrorCode":"Forbidden","Message":"{\r\n  \"_version\": 3,\r\n  \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: f48ecac5-fe6b-4b5f-a40e-a64e60503fe0 - Url: https://fef.amsub0502.manage.microsoft.com/AppLifecycle_2405/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5024-03-08&$filter=isof(%27microsoft.management.services.api.win32LobApp%27)\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{\\\"WWW-Authenticate\\\":\\\"Bearer realm=\\\\\\\"urn:intune:service,9225b241-44e1-44a8-8bfe-c10e39177505,3e9c57b9-808d-4aa0-9500-4b2d369279e7\\\\\\\"\\\"}\"\r\n}","Target":null,"Details":null,"InnerError":null,"InstanceAnnotations":[]}
WARNING: Query for Win32 apps returned an empty result, no apps matching type 'win32LobApp' was found in tenant

Edit:
OK, I forgot to press the button "Grant admin consent for xxx".

@MichaelGerman

To use the IntuneWin32AppAssignment features, you also need the Group.Read.All permission

@aCID-sLAM

Run my script here which will create an Azure application called "IntuneWin32App" and add the permissions... DeviceManagementApps.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All

You'll need the PowerShell module Microsoft.Graph installed to run it successfully

There is no script ;)

@alexhass

alexhass commented Jun 8, 2024

@twelch-ricohnz Would you be able to share your script again, please? It is not available anymore.

@twelch-ricohnz

@aCID-sLAM , @alexhass
Here is a basic version of it. It will create an application called IntuneWin32App with the correct permissions assigned.

# Sign in with the rights needed to create and modify an app registration (-Scopes takes a string array)
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.Read.All" -TenantId (Read-Host -Prompt "Enter Tenant ID or FQDN")
$NewApp = New-MgApplication -DisplayName "IntuneWin32App"

# Microsoft Graph permissions of type "Role" (= Application permission, not Delegated).
# The IDs are Graph's app role IDs for DeviceManagementApps.ReadWrite.All,
# DeviceManagementConfiguration.ReadWrite.All and Group.Read.All.
$RequiredResourceAccess = @(
    @{
        ResourceAppId  = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
        ResourceAccess = @(
            @{ Id = "78145de6-330d-4800-a6ce-494ff2d33d07"; Type = "Role" }   # DeviceManagementApps.ReadWrite.All
            @{ Id = "9241abd9-d0e6-425a-bd4f-47ba86e767a4"; Type = "Role" }   # DeviceManagementConfiguration.ReadWrite.All
            @{ Id = "5b567255-7703-4780-807c-7be8301ae99b"; Type = "Role" }   # Group.Read.All
        )
    }
)

Update-MgApplication -ApplicationId $NewApp.Id -RequiredResourceAccess $RequiredResourceAccess

# Admin consent still has to be granted afterwards (App registrations > IntuneWin32App >
# API permissions > Grant admin consent), otherwise Graph answers 403 as seen above.
"Application (client) ID: $($NewApp.AppId)"

Once you have this in place you'll have to work out how you are authenticating against it. We're using a self-signed certificate and storing the tenant id and application id within a JSON file. The below gets added to every application upload script...

# Certificate registered on the app; its private key stays in the current user's store
$Cert = Get-ChildItem "Cert:\CurrentUser\My" | Where-Object FriendlyName -eq "IntuneWin32App"
If (-not $Cert) { Write-Warning "Certificate 'IntuneWin32App' not found in Cert:\CurrentUser\My"; Exit 1 }
Try {
    # One JSON file per tenant under .\tenant, each holding { "TenantId": "...", "AppId": "..." }
    $Tenant = (Get-ChildItem -Path ".\tenant" -File -Filter *.json).Name |
        ForEach-Object {
            [PSCustomObject]@{
                Tenant = $_  # Set the property name to "Tenant"
            }
        } | Out-GridView -Title "Select a Tenant" -OutputMode Single
    If (-not $Tenant) { Write-Warning "Tenant not selected"; Exit 1 }
    # Parse the JSON, otherwise $Params.TenantId / $Params.AppId are empty
    $Params = Get-Content -Path ".\tenant\$($Tenant.Tenant)" -Raw | ConvertFrom-Json
    Connect-MSIntuneGraph -TenantID $Params.TenantId -ClientID $Params.AppId -ClientCert $Cert
} Catch {
    Write-Warning "Error connecting to Tenant: $($_.Exception.Message)"
    Exit 1
}
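
The script above creates the registration but leaves the two steps this thread shows people tripping over (granting admin consent, and choosing a credential) to be done by hand. The following PowerShell is an added example, not the commenter's script and not part of the IntuneWin32App module. It does the same provisioning end to end with the Microsoft.Graph module: it resolves app role IDs by permission name from the Microsoft Graph service principal instead of hardcoding GUIDs, creates the service principal and records tenant-wide admin consent as app role assignments, and attaches a self-signed certificate so Connect-MSIntuneGraph -ClientCert works without a client secret. Assumptions: the Microsoft.Graph module is installed, the signed-in account may grant consent, the name "IntuneWin32App" is arbitrary, and the role list is the least set reported in this thread plus Group.Read.All for the assignment cmdlets.

```powershell
# Added example: provision an app registration for IntuneWin32App with application
# permissions, admin consent and a certificate credential, using Microsoft.Graph.

$AppName = 'IntuneWin32App'
# DeviceManagementApps.ReadWrite.All was reported as sufficient for creating/assigning apps;
# Group.Read.All is needed by the assignment cmdlets. Add DeviceManagementConfiguration.ReadWrite.All if you need it.
$Roles = @('DeviceManagementApps.ReadWrite.All', 'Group.Read.All')

# AppRoleAssignment.ReadWrite.All is what lets us record admin consent programmatically
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# Microsoft Graph's own service principal carries the catalogue of its app roles (permission name -> ID)
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$RoleIds = foreach ($r in $Roles) {
    $role = $GraphSp.AppRoles | Where-Object { $_.Value -eq $r -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "No Application permission named '$r' exists on Microsoft Graph" }
    $role.Id
}

# Single-tenant registration. Type 'Role' = Application permission; 'Scope' would be Delegated, which Intune rejects here.
$App = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $GraphSp.AppId
        ResourceAccess = @($RoleIds | ForEach-Object { @{ Id = $_; Type = 'Role' } })
    }
)

# The enterprise application (service principal) must exist before consent can be recorded against it
$Sp = New-MgServicePrincipal -AppId $App.AppId

# Tenant-wide admin consent = one app role assignment per role, granted to our SP on Graph's SP.
# This is the same thing the "Grant admin consent" button does in the portal.
foreach ($id in $RoleIds) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id -PrincipalId $Sp.Id `
        -ResourceId $GraphSp.Id -AppRoleId $id | Out-Null
}

# Certificate credential instead of a client secret: the private key is generated non-exportable
# in the user's store, so nothing secret has to be written into scripts or JSON files.
$Cert = New-SelfSignedCertificate -Subject "CN=$AppName" -FriendlyName $AppName `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)
Update-MgApplication -ApplicationId $App.Id -KeyCredentials @(
    @{ Type = 'AsymmetricX509Cert'; Usage = 'Verify'; Key = $Cert.RawData; DisplayName = $AppName }
)

"TenantId : $((Get-MgContext).TenantId)"
"ClientId : $($App.AppId)"
"Cert     : $($Cert.Thumbprint) (expires $($Cert.NotAfter))"
# Then, in the upload scripts (assumed parameter names of the module as used earlier in this thread):
# Connect-MSIntuneGraph -TenantID (Get-MgContext).TenantId -ClientID $App.AppId -ClientCert $Cert
```

Resolving roles by name keeps the script readable and auditable: the permission set is the list at the top, nothing else. Consent and the new credential can take a few minutes to propagate; if the first Connect-MSIntuneGraph still yields 403, check the token's roles claim before adding more permissions. Rotate the certificate before NotAfter by running the New-SelfSignedCertificate and Update-MgApplication steps again; Update-MgApplication -KeyCredentials replaces the whole list, so include any still-valid certificate you want to keep.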

@l4m3us3r

l4m3us3r commented Jun 25, 2024

It would be good to have this issue marked as a bug and the module updated so that users can at least register an Azure app and then connect the module with something like:
Connect-MSIntuneGraph -TenantID "yourtenant.onmicrosoft.com" -ClientID "yourappregistrationid"

(The above doesn't currently work for me).

Below are the steps that I have compiled for the current user-based auth workaround:

In Azure, go to App registrations and register an app.
Set the Redirect URI (public client/native) = "https://login.microsoftonline.com/common/oauth2/nativeclient"
Go to API permissions, add a permission, Microsoft Graph, delegated permissions, and add:
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementApps.ReadWrite.All
Group.Read.All

(note that application permissions for these 3 roles may also be needed)

Get the appid for the app you just registered.

Edit the PowerShell module

Edit Connect-MSIntuneGraph.ps1.
You must update lines #106 and #107 in the Connect-MSIntuneGraph.ps1 file located in the C:\Program Files\WindowsPowerShell\Modules\IntuneWin32App\1.4.4\Public folder.
If installed in a user area: C:\Users\username\OneDrive\Documents\PowerShell\Modules\IntuneWin32App\1.4.4\Public

In Connect-MSIntuneGraph.ps1, change the following old values to the new values.
Old values:

    $ClientID = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
    $RedirectUri = "urn:ietf:wg:oauth:2.0:oob"

New values:

    # Define static variables
    $ClientID = "<client ID / App ID (not object ID) of your custom app registration with the proper DeviceManagement-related permissions (Application permissions)>"
    $RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient"

Now you should be able to connect with
Connect-MSIntuneGraph -TenantID "yourtenant.onmicrosoft.com"

@xenadmin

I created an App registration with the following API permissions:
(screenshot of the API permissions page not reproduced here)
I altered Connect-MSIntuneGraph.ps1 with my App ID and the Redirect URI.
But when I execute Add-IntuneWin32App I still get an error:
WARNING: An error occurred while creating the Win32 application. Error message: UnknownError: {"ErrorCode":"Forbidden","Message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 962e5aff-dax3-485e-94xa-a0941f993535 - Url: https://fef.msub03.manage.microsoft.com/AppLifecycle_2406/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5024-03-08\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{\\\"WWW-Authenticate\\\":\\\"Bearer realm=\\\\\\\"urn:intune:service,9225x241-44e1-44a8-8bfe-c10e3917x505,3e9c57b9-808d-4aa0-9500-4b2x369279e7\\\\\\\"\\\"}\"\r\n}","Target":null,"Details":null,"InnerError":null,"InstanceAnnotations":[]}
Any idea what I might have done wrong? I need to upload additional apps :-/
