As organizations extend their Intune and Entra ID environments with third-party integrations, one question looms large: Who truly controls access to your data?
Modern IT operations rely on automation and reporting platforms that connect to Microsoft Intune through Entra ID app registrations. But not all integrations are created equal. Some vendors require you to grant permissions to their cloud-hosted platform, while others deploy directly inside your own Azure tenant via the Microsoft Marketplace.
That difference defines who holds the keys to your kingdom — and who could unlock it.
The Two Integration Models
1. Vendor-Hosted Cloud Apps
In this model, you create an app registration in your Entra ID tenant and grant permissions (for example, DeviceManagementServiceConfig.ReadWrite.All and DeviceManagementApps.ReadWrite.All) to a vendor’s cloud service. The vendor’s backend stores those credentials and uses them to call Microsoft Graph on your behalf.
It’s convenient and low-maintenance — you sign in once, approve permissions, and the vendor handles the rest. But the risk lies in the trust boundary: your tenant now trusts a system you don’t control. If the vendor’s environment or any of its privileged users are compromised, attackers can leverage those same permissions against your tenant.
This is the same architectural pattern seen in Microsoft’s own 2023–24 incident, where attackers exploited an outdated app registration in a development tenant to access production systems. A weak link in a lower-security environment became the entry point to critical infrastructure.
⚠️ Warning: If a vendor asks you to click Accept on a permissions consent screen like this, stop and consider what you’re granting.
You’re not just signing in — you’re authorizing access to your Intune environment. Review every permission carefully before clicking Accept.
2. Customer-Hosted Marketplace Apps
By contrast, apps deployed through Azure Marketplace run inside your own Azure subscription and authenticate using service principals and credentials that you control. The vendor provides the code, but the runtime, secrets, and data all live under your management and your compliance boundary.
This model aligns with Zero Trust and data sovereignty principles:
The app identity resides entirely in your tenant.
Credentials never leave your environment.
You can enforce your own conditional access, logging, and retention policies.
A vendor breach cannot directly compromise your tenant because there’s no persistent trust bridge.
The Trust Boundary Problem
A service principal in your tenant is only as secure as the system that uses it. When you grant a vendor’s cloud app permissions to manage your Intune environment, that vendor effectively becomes an extension of your privileged identity infrastructure.
If their admin account is phished or a session token stolen, attackers can issue the same API calls the vendor normally makes — reconfiguring policies, changing assignments, or exfiltrating data across every connected customer.
With a Marketplace-deployed solution, that blast radius stops at your boundary. An attacker would have to compromise your tenant, not the vendor’s, to gain access — a fundamentally different risk profile.
Data Privacy and Sovereignty
Beyond security, there’s the matter of data control.
Vendor-hosted integrations often transmit device or configuration data to external clouds for processing or reporting. That means your Intune metadata — and sometimes sensitive user information — is stored in a system governed by the vendor’s retention and privacy policies, not yours.
By choosing solutions that install directly into your Azure environment:
Data remains inside your tenant and under your governance.
You retain the data controller role, not the vendor.
Auditing and access logging stay centralized in your tenant.
Your existing compliance framework applies automatically.
For regulated industries — healthcare, finance, insurance, or government — that distinction can make or break compliance with standards such as SOC 2, ISO 27001, HIPAA, or GDPR.
Rest assured — PowerStacks never has access to your data. We intentionally designed our solutions so your information remains fully inside your tenant. We believe your data should always stay with you — we don’t want the keys to your kingdom.
When Convenience Becomes Exposure
It’s tempting to pick the most convenient option — cloud apps that “just work.” But convenience often costs control.
Ask these questions before connecting any third-party app to your Intune environment:
Where does the code actually run — in their cloud or yours?
Who holds the credentials that access Microsoft Graph?
What happens if their environment is breached?
Can you revoke access instantly and independently?
Where is your data stored, and under whose policies?
If the answers to any of those questions make you uncomfortable, the integration likely shifts too much control outside your boundary!
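One way to turn the first two questions into a concrete tenant check, as an added example that is neither the article's nor PowerStacks' code: it runs offline over constructed records shaped like the Graph servicePrincipal and appRoleAssignment objects (appRoleIds assumed already resolved to permission values), and queues for review any Intune write permission held by an app owned by another tenant or backed by a client secret that could live outside your boundary.

```python
"""Inventory check: which service principals hold Intune write permissions on
Microsoft Graph, and who actually holds the keys behind them.

Input mirrors GET /servicePrincipals plus GET /servicePrincipals/{id}/appRoleAssignments,
with each appRoleId resolved to its permission value via the appRoles list of the
Microsoft Graph service principal (assumed done beforehand). All records below are
constructed sample data, not output from any real tenant.
"""

OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed sample tenant id

SAMPLE_SERVICE_PRINCIPALS = [
    {   # multi-tenant vendor app: a consent screen granted it Intune write access
        "id": "sp-1", "displayName": "Vendor Reporting Cloud",
        "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
        "passwordCredentials": [],
        "grantedAppRoles": ["DeviceManagementServiceConfig.ReadWrite.All",
                            "DeviceManagementApps.ReadWrite.All"],
    },
    {   # registered in our tenant, but a client secret exists that a vendor may hold
        "id": "sp-2", "displayName": "Vendor Connector (home tenant)",
        "appOwnerOrganizationId": OUR_TENANT_ID,
        "passwordCredentials": [{"keyId": "k-1"}],
        "grantedAppRoles": ["DeviceManagementServiceConfig.ReadWrite.All"],
    },
    {   # vendor-owned but read-only: not Intune write access
        "id": "sp-3", "displayName": "Vendor Read Only",
        "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
        "passwordCredentials": [],
        "grantedAppRoles": ["DeviceManagementManagedDevices.Read.All"],
    },
]


def is_intune_write(permission: str) -> bool:
    """Any DeviceManagement*.ReadWrite.* application permission is Intune write access."""
    return permission.startswith("DeviceManagement") and ".ReadWrite." in permission


def classify(sp: dict, our_tenant: str) -> dict:
    """Summarize one service principal: its Intune write permissions and who controls it."""
    writes = sorted(p for p in sp.get("grantedAppRoles", []) if is_intune_write(p))
    if sp.get("appOwnerOrganizationId") != our_tenant:
        hosting = "vendor-owned"              # app registration lives in another tenant
    elif sp.get("passwordCredentials"):
        hosting = "home-tenant-with-secret"   # a secret exists that may sit outside our boundary
    else:
        hosting = "home-tenant"
    return {"id": sp["id"], "displayName": sp["displayName"],
            "hosting": hosting, "intuneWrite": writes}


def review_queue(sps: list, our_tenant: str) -> list:
    """Service principals with Intune write access that are not fully under our control."""
    return [c for c in (classify(sp, our_tenant) for sp in sps)
            if c["intuneWrite"] and c["hosting"] != "home-tenant"]


if __name__ == "__main__":
    for item in review_queue(SAMPLE_SERVICE_PRINCIPALS, OUR_TENANT_ID):
        print(f"{item['displayName']}: {item['hosting']} -> {', '.join(item['intuneWrite'])}")
```

A home-tenant app with no secret is not automatically safe; the check only surfaces the cases where the credential or the app object itself could be held by someone else.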
Final Thoughts
Security isn’t just about permissions — it’s about where trust lives. Vendors that deploy directly into your Entra ID tenant through the Azure Marketplace give you something priceless: control. Your credentials, your data, your compliance boundary.
In contrast, vendors who manage your Intune environment from their cloud ask you to extend trust beyond your own walls — trust that their admins won’t be phished, their tokens won’t leak, and their infrastructure won’t be breached.
In the era of Zero Trust, that’s a gamble few organizations can afford.
Takeaway: When evaluating any Intune-connected service, remember this — whoever runs the app, runs the risk. Choose solutions that run in your environment and keep the keys to your kingdom firmly in your own hands.