Support Tip: Intune service discovery API endpoint will require specific permissions

Updated 03/11/22: The end of support timeline for Azure AD Graph has been extended to December 2022. The requirement changes detailed below are still required however if you have not updated the "serviceEndpoints", the timeline has been extended to December 2022.

For more information on Azure AD change management and timelines, please see: Azure AD: Change Management Simplified to learn more.

Beginning in January December 2022, the Microsoft Intune “serviceEndpoints” API will require specific permissions for all Azure Active Directory (Azure AD) Applications that call one of the following serviceEndpoints:

https://graph.windows.net/servicePrincipals/0000000a-0000-0000-c000-000000000000/serviceEndpoints
https://graph.microsoft.com/v1.0/servicePrincipals/0000000a-0000-0000-c000-000000000000/serviceEndpo... 

These serviceEndpoints will need to have assigned one of the following API permissions:

• Application.Read.All
• Application.ReadWrite.All
• Application.ReadWrite.OwnedBy
• Directory.Read.All

The preferred and most secure API permission is Application.Read.All.

Customers have requested Azure AD make this change to provide more granular permissions and roles in Azure AD. As part of the effort, the team reviewed the delegated and application permissions for endpoints and will require one of four permissions for an API call that Independent Software Vendors (ISV) integrated solutions often use. As part of our Intune ISV integration guidance documentation, many references include information about using the “serviceEndpoints” API for Intune.

Not a partner? Skip to how this may affect you as a customer under: Appendix C: Adding a New Permission to a Single Tenant Application (For Customers).

How does this affect you as a partner who has Intune integration?

If your solution makes the /servicePrincipals API call (listed above) to retrieve tenant specific service endpoints for Intune, this may affect you. Based on documentation that Microsoft has shared with partners, we expect this to apply to partners that integrate with Intune for the following scenarios:

• Telecom Expense Management
• Mobile Threat Defense
• Network Access Control
• 3rd Party Device Compliance
• SCEP Services

Please review the below to take the necessary steps to apply the permissions needed as applicable.

Applying permissions

Ensure that your Azure AD Application includes one of the required permission scopes:

• Application.Read.All
• Application.ReadWrite.All
• Application.ReadWrite.OwnedBy
• Directory.Read.All

No further action is required if one of the listed permission scopes are in effect. See: Appendix A: Verify API Permissions for instructions on how to verify permission scopes.

For multi-tenant application: If you are a partner who has created a multi-tenant application for your Intune integration, verify the API permissions in . If your application does not have one of the four listed permissions, you must update your application’s permissions by following instructions described in Appendix B: Add Permissions to a Multi-Tenant App. Then, customers must consent to the new permissions as described in Appendix D: Granting Admin Consent to New Permissions.

For single tenant applications: If you are a partner who has instructed your customers to create their own app registration as a single-tenant application, your customers need to confirm required permissions are in effect. Instruct your customers to follow steps in Appendix A: Verify API Permissions and then if permissions are required to be added, instruct your customers to follow steps in Appendix C: Adding a New Permission to a Single Tenant Application and Appendix D: Granting Admin Consent to New Permissions.

IMPORTANT NOTE: For all newly added permissions (whether it’s single-tenant or multi-tenant), a required consent is needed from your customers. Microsoft recommends you send a change notification to your customers about this new permissions requirement so they can plan appropriately. See Appendix D: Granting Admin Consent to New Permissions that describe the steps for consent.

How does this affect you as a customer who has Intune integration?

If you have a solution that makes the /servicePrincipals API call (listed above) to retrieve tenant specific service endpoints for Intune, this may affect you. Based on documentation that Microsoft has shared with partners, we expect this to apply to partners that integrate with Intune for the following scenarios:

• Telecom Expense Management
• Mobile Threat Defense
• Network Access Control
• 3rd Party Device Compliance
• SCEP Services

If you have received guidance from the partner with which you have an integrated solution, follow that guidance. If you have not received guidance from your partner, but want to verify that you are ready for the change, then:

1. Follow the instructions in Appendix A: Verify API Permissions.
   If your permissions are set correctly, you are done.
   
   
2. If your permissions need to be added, follow the steps in Appendix C: Adding a New Permission to a Single Tenant Application (For Customers) and then follow the steps in Appendix D: Granting Admin Consent to New Permissions (For Customers).

Appendix A: Verify API Permissions

To verify the assigned permissions for your multi-tenant application.

1. Open the Azure Portal for Azure AD https://portal.azure.com.
2. Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your multi-tenant application.
3. Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps and select the multi-tenant application that needs permission verification.
   
   Figure 1 - List of App registrations in the Azure AD portal.
   
   Select API Permissions and verify that your application contains the correct API permissions for both Azure AD Graph and Microsoft Graph (one of the below):
   • Application.Read.All (preferred)
   • Application.ReadWrite.All
   • Application.ReadWrite.OwnedBy
   • Directory.Read.All
   
   
4. Figure 2 - List of assigned API permissions for the selected app with "Application.Read.All" highlighted.
   
   
5. Figure 3 - Example of API permissions needed.

Appendix B: Add Permissions to a Multi-Tenant App (for Partners)

To add permissions to your multi-tenant application.

1. Open the Azure Portal for Azure AD https://portal.azure.com.
2. Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your multi-tenant application.
3. Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps and select the multi-tenant application that needs updated permissions.
   
   
4. Figure 4 - List of App registrations in the Azure AD portal.
   
   
5. Select API Permissions and verify that your application contains the correct API permissions. In this example, one of the required permissions is missing. (Application.Read.All) for Microsoft Graph and for Azure AD Graph. Both permissions are needed.
   
   Figure 5 - Example list of available API permissions with one of the required permissions missing.
   
   
6. Select Add a permission.
   
   Figure 6 - Request API permission flow on adding a new permission.
   
   

7. Choose Microsoft Graph.

   
   Figure 7 - Request API permission flow for the Microsoft Graph application.
   
   

8. Select Application permissions.
   
   Figure 8 - Requesting the Application permissions for the Microsoft Graph application.
   
   
9. Select "Application.Read.All" and click Add permissions.
   
   Figure 9 - Requesting the "Application.Read.All" permission for the Microsoft Graph application.
   
   
   
10. Select Add a permission
    
    Figure 10 - Adding a new permission.
    
    
11. Scroll down to choose Azure AD Graph
    
    Figure 11 - Adding a new API permission for Azure AD Graph.
    
    
12. Choose Application permissions: and select “Application.Read.All” and click Add permissions.
    
    Figure 12 - Adding the “Application.Read.All” permission.

Your application permissions are now updated. Any customers who have registered your application in their tenant will need to consent to the new permissions.

Appendix C: Adding a New Permission to a Single Tenant Application (For Customers)

If your customer registers your application as a single tenant application within their tenant, they will need to add the permission themselves.

1. Open the Azure Portal for Azure AD https://portal.azure.com.
2. Authenticate as a user with permissions to manage Azure AD applications in the tenant that was used to create your single tenant application.
3. Navigate to your list of registered apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps.
   
   Figure 13 - List of App registrations in the Azure AD portal.
   
   
4. Select the single-tenant application that needs permission verification.
   
   Figure 14 - Screenshot of an example Azure application and details under the Overview blade.
   
   
5. Select API permissions.
   
   Figure 15 - Navigating to the API permissions blade in the Azure AD portal.
   
   
6. Click Add a permission.
   
   Figure 16 - Request API permission flow on adding a new permission.
   
   
7. Select Microsoft Graph.
   
   Figure 17 - Request API permission flow for the Microsoft Graph application.
   
   
8. Select Application permissions.
   
   Figure 18 - Requesting the Application permissions for the Microsoft Graph application.
   
   
9. Expand Application and choose "Application.Read.All" and choose Add permissions.
   
   Figure 19 - Requesting the "Application.Read.All" permission for the Microsoft Graph application.
   
   
10. Select Add a permission.
    
    Figure 20 - Adding a new permission.
11. Scroll down to choose Azure AD Graph.
    
    Figure 21 - Requesting a new API permission for Azure AD Graph.
12. Choose Application permissions and select “Application.Read.All” and click Add permissions.
    
    Figure 22 - Adding the “Application.Read.All” permission.
13. Click “Grant admin consent for <tenant>” and choose “Yes”.
    
    Figure 23 - Notice when selecting "Grant admin consent for <tenant>".
    
    
14. Verify that the permissions are granted for your tenant.
    
    Figure 24 - Example screenshot of granted API permissions for a tenant.
    
    Figure 25 - Example of API permissions needed.

Appendix D: Granting Admin Consent to New Permissions (For Customers)

For customers who have previously registered your application in their tenant, they will now need to consent to the new permissions that you added to your multi-tenant application. These are the instructions for customers to consent to the new permission:

1. Open the Azure Portal for Azure AD https://portal.azure.com.
2. Authenticate as a user with Global Administrator permissions to manage Azure AD applications in the tenant.
3. Navigate to your list of enterprise apps: https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/.
4. Search for the application that was registered for the Intune integration.
   
   Figure 26 - Example screenshot of an Azure AD app registered for the Intune integration.
   
   
5. Select the application to view the Overview.
   
   Figure 27 - Screenshot of an example Azure application and details under the Overview blade.
   
   
6. Select Permissions.
   
   Figure 28 - Permissions blade of an example Azure AD app registered for the Intune integration.
   
   
7. Click Grant admin consent for <tenant name>.
   
   Figure 29 - Notice when granting admin consent for the tenant.
   
   
8. Authenticate as a user with Global Administrator permissions.
   
   Figure 30 - Authenticating as a user with Global Administrator permissions.
   
   
9. Accept the updated permissions for the application.
   
   Figure 31 - Accepting the updated permissions for the Azure AD application.
   
   
10. Verify the consent was successful
    
    Figure 32 - Successful admin consent.

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

Known issues

As of 6/23, when using third-party certification authorities (CA) with SCEP in Microsoft Intune, additional permissions are required. For more information, see Set up third-party CA integration to learn more.

Post updates:

6/15/21: Updated with additional screenshots.

7/12/21: Updated with known issue section.

03/11/22: The end of support timeline for Azure AD Graph has been extended to December 2022. The requirement changes detailed below are still required however if you have not updated the "serviceEndpoints", the timeline has been extended to December 2022.