🏷️ Intune.TagManager

A web application for managing Microsoft Intune Scope Tags at scale.

Overview

Intune.TagManager is a Blazor Server web application that provides a modern UI for managing Microsoft Intune Scope Tags across devices and Intune objects (policies, apps, scripts). It features background job processing with real-time progress updates via SignalR.

Key Features

• 🔄 Background Processing — Scope tag assignments run as background jobs via Worker Service
• 📊 Real-time Progress — Live updates via SignalR as jobs execute
• 📋 Report Generation — Device and object scope tag reports with CSV export
• 🔍 Regex Filtering — Filter Intune objects by name patterns
• ⚡ Batch Operations — Efficient Graph API batch requests (up to 20 per batch)
• 🛡️ Retry Resilience — Exponential backoff with jitter for Graph API throttling
• 🔐 Dual Authentication — Client Secret or X.509 Certificate

Architecture

┌─────────────────┐   Channel    ┌──────────────────────┐
│  Blazor Server   │◄───────────►│  Worker Service       │
│  (UI + SignalR)  │  (in-proc)  │  (BackgroundService)  │
└──────┬───────────┘             └──────────┬─────────────┘
       │                                    │
┌──────▼────────────────────────────────────▼─────────────┐
│              Core Service Layer (Class Library)          │
│  IGraphService  ITokenService  IIntuneObjectService     │
└─────────────────────────┬───────────────────────────────┘
                          │
                   Microsoft Graph API

Solution Structure

Project	Description
Intune.TagManager.Core	Shared services, models, Graph API client
Intune.TagManager.Worker	Background job processing with Channel-based queue
Intune.TagManager.Web	Blazor Server UI, Minimal APIs, SignalR Hub

Prerequisites

• .NET 9 SDK
• Microsoft Entra ID App Registration with:
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • Group.Read.All
  • Directory.Read.All

Getting Started

1. Clone the repository

git clone https://github.com/robgrame/Intune.TagManager.git
cd Intune.TagManager

2. Configure secrets (User Secrets)

cd src/Intune.TagManager.Web
dotnet user-secrets init
dotnet user-secrets set "IntuneTagManager:AppRegistration:TenantId" "your-tenant-id"
dotnet user-secrets set "IntuneTagManager:AppRegistration:ClientId" "your-client-id"
dotnet user-secrets set "IntuneTagManager:AppRegistration:ClientSecretPlainText" "your-secret"

3. Run the application

dotnet run --project src/Intune.TagManager.Web

Navigate to https://localhost:5001 to access the dashboard.

API Endpoints

Method	Route	Description
POST	/api/jobs	Create a new job
GET	/api/jobs	List all jobs
GET	/api/jobs/{id}	Get job status
DELETE	/api/jobs/{id}	Cancel a job
GET	/api/scopetags	List all scope tags
GET	/api/groups?filter=	Search Entra ID groups
GET	/api/health	Health check

Configuration

Configuration is loaded from appsettings.json under the IntuneTagManager section. Never commit secrets — use User Secrets for development or Azure Key Vault for production.

{
  "IntuneTagManager": {
    "AppRegistration": {
      "TenantId": "YOUR_TENANT_ID",
      "ClientId": "YOUR_CLIENT_ID"
    },
    "Graph": {
      "MaxRetries": 5,
      "RetryDelayMs": 2000,
      "MaxRetryDelayMs": 32000,
      "ThrottleLimit": 8
    }
  }
}

Security

• Secrets are managed via .NET User Secrets (dev) or Azure Key Vault (prod)
• appsettings.json contains only placeholder values
• appsettings.Development.json is excluded from source control via .gitignore
• See SECURITY.md for the full security policy

Contributing

Contributions are welcome! Please open an issue or submit a pull request.

License

This project is licensed under the MIT License — see LICENSE for details.