Issue: Unable to Connect Custom App & Defaulting to Microsoft Graph Command Line Tools

[KeysAU]

Problem Description

In reference to the documentation provided here: MSALInfo.md, it's highlighted that a custom application can be specified in the Settings.

I am unfortunately encountering issues when trying to connect to a new custom app registration. The application doesn't seem to honour the settings and connect; accordingly, rather, it consistently defaults back to "Microsoft Graph Command Line Tools." This has been confirmed via sign-in logs in Entra ID, with App ID being signed into: 14d82eec-204b-4c2f-b7e8-296a70dab67e

Steps Taken:

I've made changes to the settings and tenant settings as below:

• App ID: xxxxx-xxxxx-xxxxx-xxxx (my custom app ID)
• Tenant: xxxx-xxxxx-xxxxx-xxxxx (my tenant)
• Redirect URL: blank (couldn't find any doco)

Request for Help:

I would appreciate if you could help test and confirm whether this functionality is still operational. If it is, would you please provide a detailed doco, mentioning all the necessary settings that require configuration for setting up a custom app?
Thank you for your attention to this issue.

[Micke-K]

Hello!

I've been away a couple of days. I'll try to write some instructions on the weekend.

I use this myself in one of the test environments. So it should be possible.

Cheers!

[Micke-K]

Hello,

Documentation by Microsoft: Quickstart: Register an application with the Microsoft identity platform

I hope this will get you going:

Go to the Entra Portal

• Register a new App registration in Entra

• Note Application Id

• Add Delegated permissions

  • Microsoft Graph

  • For full support of the app is requires:
    DeviceManagementConfiguration.ReadWrite.All,Policy.Read.All,Policy.ReadWrite.ConditionalAccess,Application.Read.All,Agreement.ReadWrite.All,DeviceManagementApps.ReadWrite.All,Organization.ReadWrite.All,DeviceManagementServiceConfig.ReadWrite.All,DeviceManagementMana
    gedDevices.ReadWrite.All,DeviceManagementRBAC.ReadWrite.All,CloudPC.ReadWrite.All

  • It will also need User.ReadWrite.All,Group.ReadWrite.All but you could set these to read only unless you will let the app create Groups.

  • Grant permissions for the environment

• Go to Authentication

  • Click + Add platform
  • Click on Mobile and desktop applications
  • Check https://login.microsoftonline.com/common/oauth2/nativeclient
  • msal value can also be used

Start the Tool

• Go to Settings

• Change Application in Endpoint Manager/Intune

  • Set drop down to Empty. It will only use custom app if drop down is empty.
  • Specify App Id
  • Specify Redirect URL to https://login.microsoftonline.com/common/oauth2/nativeclient

• Save Settings

Restart the Tool

• Custom app settings are only used during startup

Check log for missing permissions. It will have a line stating: "WARNING: Missing scopes:"

You can add missing permissions in the Tool UI by going to you profile picture and click Request Consent. That will only be available if it detects missing permissions. If you feel like the app is adding too many permissions, you can remove them for the App Registration in the Entra portal.

Let me know how you go.

Cheers!

[KeysAU]

You are a legend! Thank you for the quick write up. Will get it tested tomorrow and let you know.

[KeysAU]

Thanks @Micke-K - instructions worked perfectly. I was missing the redirect URI in my config.

Graph Permissions:

DeviceManagementConfiguration.ReadWrite.All
Policy.Read.All
Policy.ReadWrite.ConditionalAccess
Application.Read.All
Agreement.ReadWrite.All
DeviceManagementApps.ReadWrite.All
Organization.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementRBAC.ReadWrite.All
CloudPC.ReadWrite.All

Optional:

User.ReadWrite.All
Group.ReadWrite.All