Create the Entra app registration
App Store for Intune uses one app registration in your tenant. It plays two roles, both bound to the same client ID:
- Sign-in: the portal’s sign-in page redirects users here, then receives an access token scoped to access_as_user.
- Token validation: the backend API trusts only tokens whose audience matches this client ID, then checks the scope.
A single app registration can do both: expose the access_as_user scope (the audience) and configure a Single-page application platform with redirect URIs (the sign-in surface).
Register the application
- Go to Azure Portal > Microsoft Entra ID > App registrations.
- Select New registration.
- Name: App Store for Intune.
- Supported account types: Single tenant only.
- Redirect URI: leave empty for now. After the deployment completes you’ll add the App Service URL; see Add the production redirect URI.
- Select Register.
- Record the Application (client) ID: you’ll supply this to the Deploy to Azure wizard. This is the only value you need from the app registration: the tenant ID is detected automatically during deployment, and there’s no client secret and no second app registration.
Expose the access_as_user scope
This is what the backend uses to validate incoming tokens, and what the portal asks the user to consent to during sign-in.
- Select Expose an API > Add a scope.
- Application ID URI: accept the default (api://<client-id>).
- Select Save and continue.
- Scope name: access_as_user
- Who can consent: Admins and users
- Admin consent display name: Access App Store for Intune
- Admin consent description: Allows the app to access the App Store for Intune backend as the signed-in user.
- User consent display name: Access App Store for Intune
- User consent description: Allows the app to access the App Store for Intune backend on your behalf.
- State: Enabled
- Select Add scope.
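The token-validation role described at the top of this page and the scope configured just above come together on the API side as a handful of claim checks. The following is an added illustration, not App Store for Intune’s own code: it assumes the token’s signature has already been verified against the tenant’s Entra signing keys, uses placeholder client and tenant IDs, and adds an issuer check on top of the audience-then-scope check the page describes.

```python
"""Claim checks an API applies after verifying a token's signature.
Added illustration, not App Store for Intune's own code; the issuer
check is an extra beyond the audience-then-scope check described above."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiConfig:
    client_id: str          # the Application (client) ID recorded above
    tenant_id: str          # single-tenant registration
    required_scope: str = "access_as_user"

    def accepted_audiences(self) -> frozenset:
        # v2.0 access tokens put the bare client ID in `aud`; v1.0 tokens put
        # the Application ID URI there, which this page leaves at its default.
        return frozenset({self.client_id, f"api://{self.client_id}"})

    def accepted_issuers(self) -> frozenset:
        return frozenset({
            f"https://login.microsoftonline.com/{self.tenant_id}/v2.0",
            f"https://sts.windows.net/{self.tenant_id}/",
        })

def authorize(claims: dict, cfg: ApiConfig) -> tuple:
    """Return (accepted, reason): audience first, then issuer, then scope."""
    if claims.get("aud") not in cfg.accepted_audiences():
        return False, "audience is not this app registration"
    if claims.get("iss") not in cfg.accepted_issuers():
        return False, "issuer is not this tenant"
    # Delegated tokens carry a space-separated `scp` claim; an app-only token
    # has `roles` and no `scp`, so it is rejected here as intended.
    if cfg.required_scope not in claims.get("scp", "").split():
        return False, f"missing scope {cfg.required_scope}"
    return True, "ok"

# Constructed sample claims with placeholder IDs (not from any real tenant).
CFG = ApiConfig(client_id="11111111-2222-3333-4444-555555555555",
                tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
GOOD = {"aud": CFG.client_id, "scp": "access_as_user",
        "iss": f"https://login.microsoftonline.com/{CFG.tenant_id}/v2.0"}
GRAPH_TOKEN = {**GOOD, "aud": "https://graph.microsoft.com"}  # minted for another API
APP_ONLY = {k: v for k, v in GOOD.items() if k != "scp"}      # no delegated scope

if __name__ == "__main__":
    for name, claims in [("good", GOOD), ("graph", GRAPH_TOKEN), ("app_only", APP_ONLY)]:
        print(name, authorize(claims, CFG))
```

The second sample shows why the audience check comes first: a token a user legitimately holds for another API is rejected before its scopes are even read.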
Next step
Continue to Deploy to Azure.