Microsoft Graph API access
Last updated
The following task sequence step definitions use the Microsoft Graph API indirectly; the DeployR server performs the actual Graph API calls on behalf of the clients. This ensures that the Graph API application secrets are never transmitted from the DeployR server and are therefore kept secure.
Register with Windows Autopilot
Add to Entra ID group
Set Intune device owner
In order for the DeployR server to perform these actions, an Entra ID application needs to be created with the required permissions. The Entra ID app will authenticate to Entra using a certificate that you select; the public key of this certificate will be uploaded to Entra so that it can confirm that the requests are indeed coming from the defined application.
Perform the following steps to create the Entra ID application.
From the Entra ID "App registrations" node, click "New registration" to create an app. Specify a unique, descriptive name and then click "Register."
This will create the application. Click on the "API permissions" node, then add the needed application permissions:
Device.ReadWrite.All (for Add to Entra ID group)
DeviceManagementConfiguration.ReadWrite.All (for Register with Windows Autopilot)
DeviceManagementManagedDevices.ReadWrite.All (for Register with Windows Autopilot and Set Intune device owner)
DeviceManagementServiceConfig.ReadWrite.All (for Register with Windows Autopilot)
Group.Read.All (for Add to Entra ID group)
GroupMember.ReadWrite.All (for Add to Entra ID group)
User.Read.All (for Add to Entra ID group)
User.Read (delegated permission, present by default)
Once these are added, click the "Grant admin consent" button to grant the needed rights.
Next, export a certificate that exists in the computer's personal certificate store. Using the Certificates MMC, select the needed certificate then right click and choose Export. Specify "No, do not export the private key."
Choose the default "DER encoded binary X.509 (.CER)" format, and specify a file location, then click "Next" and "Finish" to complete the export.
Back in the Entra ID portal, select the "Certificates & secrets" node. Click the "Upload certificate" button and then select the certificate file that you previously exported.
Next, DeployR needs to be configured with the Entra ID tenant ID, the application ID, and the thumbprint of the exported certificate. Open the "Configure DeployR" config utility and select "Show advanced." Scroll to the "Entra ID Settings" section and fill in the tenant ID and application ID from the Entra ID app's "Overview" page.
For the Entra ID certificate thumbprint, copy it from the "Certificates & secrets" page.
Once all of the values have been configured in the Config Editor (your specific values will be different), click "Verify" and then "Save" to save the configuration, then ensure that the DeployR service starts as expected.
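The following PowerShell is an added example, not part of the DeployR documentation or the product. It scripts the two parts of the procedure above that are easy to get wrong: exporting the public certificate (DER .cer, no private key) from the server's personal store, and then confirming, after admin consent and configuration, that the app can sign in with that certificate and holds the application permissions listed above. It assumes the certificate is in Cert:\LocalMachine\My on the DeployR server and that the Microsoft.Graph.Authentication module is installed for the check; the function names, thumbprint, tenant ID, application ID and file path are placeholders.

```powershell
# Added example (not DeployR's own code). Assumes the certificate is in
# Cert:\LocalMachine\My and that Microsoft.Graph.Authentication is installed.
# All IDs, thumbprints and paths below are placeholders.

function Export-DeployRGraphCertificate {
    <# Exports the public certificate as DER-encoded X.509 (.cer) for upload to
       the Entra ID app's "Certificates & secrets" page. The private key never
       leaves the machine; Export-Certificate cannot include it. #>
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $OutFile
    )
    $wanted = $Thumbprint.Replace(' ', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "No certificate with thumbprint $wanted in LocalMachine\My" }
    # The DeployR server signs its Graph token requests with this key,
    # so the private key has to be present on this machine.
    if (-not $cert.HasPrivateKey) { throw "Certificate $wanted has no private key on this machine" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires $($cert.NotAfter); plan to upload a new one before then"
    }
    # -Type CERT writes the DER-encoded binary X.509 format the portal expects.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint   # paste this into "Entra ID Settings"
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        File       = $OutFile
    }
}

function Test-DeployRGraphApp {
    <# Signs in as the application (client credentials with certificate, the
       same flow DeployR uses) and compares the granted application permissions
       with the list the task sequence steps require. #>
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # Application permissions listed in the documentation above.
    $required = @(
        'Device.ReadWrite.All',
        'DeviceManagementConfiguration.ReadWrite.All',
        'DeviceManagementManagedDevices.ReadWrite.All',
        'DeviceManagementServiceConfig.ReadWrite.All',
        'Group.Read.All',
        'GroupMember.ReadWrite.All',
        'User.Read.All'
    )
    Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
        -CertificateThumbprint $Thumbprint -NoWelcome
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected app-only authentication, got $($ctx.AuthType)"
    }
    # For an app-only sign-in, Scopes reflects the roles granted by admin consent;
    # anything listed in Missing was not added or not consented.
    $missing = $required | Where-Object { $_ -notin $ctx.Scopes }
    Disconnect-MgGraph | Out-Null
    [pscustomobject]@{
        AppId   = $ctx.ClientId
        Tenant  = $ctx.TenantId
        Granted = $ctx.Scopes
        Missing = $missing
    }
}

# Usage (placeholders; run the export on the DeployR server before the portal upload,
# and the test after "Grant admin consent" and the Config Editor steps):
# Export-DeployRGraphCertificate -Thumbprint '<THUMBPRINT>' -OutFile 'C:\Temp\deployr-graph.cer'
# Test-DeployRGraphApp -TenantId '<TENANT-ID>' -ClientId '<APP-ID>' -Thumbprint '<THUMBPRINT>'
```

An empty Missing list together with AuthType AppOnly confirms the three pieces the page ties together: the certificate the server holds matches the public key uploaded to the app, the app ID and tenant ID entered in the Config Editor resolve, and admin consent covered every permission the three task sequence steps need.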