Create the Microsoft Entra app registration

Synchronizing data from Intune, Microsoft Entra ID, Log Analytics, and other cloud data sources is done using application permissions. The steps here configure the permissions required for Power BI to connect to those data sources to get the data.

Prerequisites

The user performing these steps requires Global Admin and Subscription Admin rights.

Step 1: Register the application in Microsoft Entra ID

  1. Sign in to portal.azure.com or entra.microsoft.com using a global administrator account.
  2. Search for and select App registrations.
  3. Select New registration.
  4. Enter a Name for the application. (This will not be seen by anyone other than admins.)
  5. Specify who can use the application as Accounts in this organizational directory only.
  6. Select Register.

Step 2: Add Microsoft Graph permissions

  1. On the app registration page select API Permissions.
  2. Remove the User.Read permission.
  3. When prompted, select Yes, remove.
  4. Select Add a permission.
  5. Select Microsoft Graph.
  6. Select Application permissions.
  7. Search for DeviceManagement and select these permissions. Do not select Add permissions yet — you add several permissions before applying them.

    • DeviceManagementApps.Read.All
    • DeviceManagementConfiguration.Read.All
    • DeviceManagementManagedDevices.Read.All
    • DeviceManagementRBAC.Read.All
    • DeviceManagementScripts.Read.All
    • DeviceManagementServiceConfig.Read.All

  8. Search for Directory and select Directory.Read.All.
  9. Search for AuditLog and select AuditLog.Read.All.
  10. Search for Policy and select Policy.Read.All.
  11. Search for IdentityRiskyUser and select IdentityRiskyUser.Read.All.
  12. (Optional — only for Windows 365 / Cloud PC) Search for CloudPC and select CloudPC.Read.All.
  13. Search for Reports, select Reports.Read.All, and select Add permissions.

Step 3: Add Log Analytics permissions

Only required for the Enhanced Inventory solution

Skip this step if you do not plan to use the Enhanced Inventory solution.

  1. Select Add a permission.
  2. Select APIs my organization uses.
  3. Search for Log Analytics and select Log Analytics API.
  4. Select Application Permissions.
  5. Select Data.Read and select Add permissions.

Step 4: Grant admin consent

  1. Select Grant admin consent for your tenant.
  2. Select Yes at the prompt.

Step 5: Add a client secret

  1. Select Certificates & secrets, then select New client secret.
  2. Enter a Description, select a value for Expires, and select Add.
  3. Record the Value as the Microsoft Entra ID Client Secret. The value displays only once — if you fail to record it here, you must create a new client secret.

Step 6: Record the application IDs

  1. Select Overview.
  2. Record the Application (client) ID as the Microsoft Entra ID Client ID. You use this later in the installation.
  3. Record the Directory (tenant) ID as the Microsoft Entra ID Tenant ID. You use this later in the installation.

The Microsoft Entra app registration is now complete.
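
One way to confirm that the registration carries exactly the Microsoft Graph application permissions from Step 2 is to compare the `roles` claim of an app-only Microsoft Graph access token against that list. The Python below is an added example, not part of the original page or the product it documents; the function names and the sample token are constructed for illustration, and the token is decoded for inspection only, without validating its signature.

```python
import base64
import json

# Microsoft Graph application permissions listed in Step 2 of this page.
REQUIRED = {
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.Read.All",
    "DeviceManagementScripts.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Directory.Read.All",
    "AuditLog.Read.All",
    "Policy.Read.All",
    "IdentityRiskyUser.Read.All",
    "Reports.Read.All",
}
OPTIONAL = {"CloudPC.Read.All"}  # Step 2, item 12 (Windows 365 / Cloud PC only)


def token_roles(access_token: str) -> set:
    """Return the 'roles' claim of a JWT. Inspection only: no signature check."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit_roles(roles: set) -> dict:
    """Compare the granted roles with the list documented on this page."""
    return {
        "missing": sorted(REQUIRED - roles),  # not added, or admin consent not granted
        "unexpected": sorted(roles - REQUIRED - OPTIONAL),  # beyond the documented set
    }


def make_sample_token(roles: list) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed sample: one permission missing, one write permission added by mistake.
    granted = sorted(REQUIRED - {"Reports.Read.All"}) + ["DeviceManagementManagedDevices.ReadWrite.All"]
    print(audit_roles(token_roles(make_sample_token(granted))))
```

The Log Analytics Data.Read permission from Step 3 belongs to a different API, so it does not appear in a Microsoft Graph token and is not checked here.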