Install App Store for Intune

App Store for Intune is a full-lifecycle application management platform for Microsoft Intune environments. It deploys into your own Azure tenant (no vendor-hosted cloud, no shared credentials, no external processor of your data) and gives end users a branded self-service catalog where they can request the applications they need. Admins get a packaging pipeline that pulls WinGet-sourced installers, hash-verifies them, wraps them with PSADT v4, converts them to .intunewin, and deploys them through Intune’s standard Win32 app pipeline. Custom MSI upload covers anything outside the WinGet catalog. Per-app approval workflows, Autopatch ring integration, version rollback, programmatic API access, and Microsoft Teams notifications are included.

The install provisions an App Service, an Azure SQL database, a Key Vault, a storage account, an Application Insights workspace, and, when Teams notifications are enabled, an Azure Bot resource and a user-assigned managed identity for the bot. Database migrations apply on first start. After deploy, a one-time PowerShell snippet grants Microsoft Graph application permissions to the App Service’s managed identity, and a first-run setup wizard inside the portal walks you through admin group selection, license activation, and the first Intune sync.

Review the Prerequisites before you start: the Microsoft Entra roles (Global Administrator, or Privileged Role Administrator with Cloud Application Administrator), the Azure role (Owner on the subscription), the App Service quota check, and what the install deploys.

  1. Create the Entra app registration: one registration that both validates incoming user tokens (exposing the access_as_user scope) and powers the SPA sign-in flow.
  2. Deploy to Azure: run the custom-deployment wizard.
  3. Grant Microsoft Graph permissions to the App Service: a one-time post-deploy PowerShell snippet that assigns the required Graph application roles to the App Service’s managed identity.
  4. Add the production redirect URI: add the App Service URL to the App Store app registration’s SPA platform so sign-in succeeds.
  5. Sign in and verify: confirm the portal is healthy and complete the in-portal Setup Wizard (admin group, license activation, first Intune sync).

The portal is fully functional after step 5. The following are optional and can be configured at any time from the admin UI:

For ongoing operations after install, see the Admin Guide.

Continue to Create Entra app registrations.