Try It
Print

Create Azure App Registration

Copy the URL link to this section to share

Synchronizing data from Intune, Azure AD, Log Analytics, and other cloud data sources is done using application permissions. Here we are configuring the permissions required for Power BI to connect to the data sources to get the data. 

Prerequisites:  The user performing this step requires Global Admin and Subscription Admin rights.

Step

  1. Login to portal.azure.com or entra.microsoft.com using a global administrator account.
  2. Search for and select App registrations.
  3. Select New registration.
(click to enlarge)
Step

  1. Enter a Name for the application. (This will not be seen by anyone other than admins.)
  2. Specify who can use the application as Accounts in this organizational directory only.
  3. Select Register.
(click to enlarge)
Step

  1. On the Enterprise App page select API Permissions.
(click to enlarge)
Step

  1. Remove the User.Read permission. 
(click to enlarge)
Step

  1. When prompted to remove the permission, select Yes, remove.
(click to enlarge)
Step

  1. Select Add a permission.
(click to enlarge)
Step

  1. Select Microsoft Graph.
(click to enlarge)
Step

  1. Select Application permissions.
(click to enlarge)
Step

  1. Search for DeviceManagement.
  2. Select the following permissions:
    1. DeviceManagementApps.Read.All
    2. DeviceManagementConfiguration.Read.All
    3. DeviceManagementManagedDevices.Read.All
    4. DeviceManagementRBAC.Read.All
    5. DeviceManagementServiceConfig.Read.All
  3. Do not select the Add permissions button until told to do so in a later step within this document. 
(click to enlarge)
Step

  1. Search for Directory.
  2. Select the following permissions:
    1. Directory.Read.All
  3. Do not select the Add permissions button until told to do so in a later step within this document. 
(click to enlarge)
Step

  1. Search for AuditLog.
  2. Select the following permissions:
    1. AuditLog.Read.All
  3. Do not select the Add permissions button until told to do so in a later step within this document.
(click to enlarge)
Step

  1. Search for Policy.
  2. Select the following permissions:
    1. Policy.Read.All
  3. Do not select the Add permissions button until told to do so in a later step within this document. 
(click to enlarge)
Step

Only Required for Windows 365 (Cloud PC)

  1. Search for CloudPC.
  2. Select the following permissions:
    1. CloudPC.Read.All
  3. Do not select the Add permissions button until told to do so in a later step within this document. 
cloudpc readall
(click to enlarge)
Step

  1. Search for Reports.
  2. Select the following permissions:
    1. Reports.Read.All
  3. Select the Add permissions button.
(click to enlarge)
Step

Skip Directly to Step 19 if You Do Not Plan to Use Our Custom Inventory Solution

  1. Select Add a permission.
(click to enlarge)
Step

Only Required for Custom Inventory for Windows

  1. Select APIs my organization uses.
(click to enlarge)
Step

Only Required for Custom Inventory for Windows

  1. Search for Log Analytics.
  2. Select Log Analytics API.
(click to enlarge)
Step

Only Required for Custom Inventory for Windows

  1. Select Application Permissions.
(click to enlarge)
Step

Only Required for Custom Inventory for Windows

  1. Select Data.Read.
  2. Select Add permissions.
(click to enlarge)
Step

  1. Select Grant admin consent for <your company name>.
(click to enlarge)
Step

  1. Select Yes at the prompt. 
(click to enlarge)
Step

  1. Select Certificates & secrets.
  2. Select New client secret.
(click to enlarge)
Step

  1. Enter a Description.
  2. Select a value for Expires.
  3. Select Add.
(click to enlarge)
Step

  1. Record the Value data as the Azure AD Client Secret. This will be used later in the installation process. The value can only be displayed once, if you fail to record it here you will have to create a new one. 
(click to enlarge)
Step

  1. Select Overview.
  2. Record the Application (client) ID as the Azure AD Client ID. This will be used later in the installation process. 
  3. Record the Directory (tenant) ID as the Azure AD Tenant ID. This will be used later in the installation process. 
  4. The Azure AD Application registration is now complete.
(click to enlarge)