Create Azure App Registration¶
Synchronizing data from Intune, Azure AD, Log Analytics, and other cloud data sources is done using application permissions. Here we are configuring the permissions required for Power BI to connect to the data sources to get the data.
Prerequisites: The user performing this step requires Global Admin and Subscription Admin rights.
Step 1: Open App registrations in Azure¶
- Log in to portal.azure.com or entra.microsoft.com using a global administrator account.
- Search for and select App registrations.
- Select New registration.
Step 2: Register a new application¶
- Enter a Name for the application. (This will not be seen by anyone other than admins.)
- Specify who can use the application as Accounts in this organizational directory only.
- Select Register.
Step 3: Navigate to API Permissions¶
- On the Enterprise App page select API Permissions.
Step 4: Remove the User.Read permission¶
- Remove the User.Read permission.
Step 5: Confirm permission removal¶
- When prompted to remove the permission, select Yes, remove.
Step 6: Add a new permission¶
- Select Add a permission.
Step 7: Select Microsoft Graph¶
- Select Microsoft Graph.
Step 8: Select Application permissions¶
- Select Application permissions.
Step 9: Add DeviceManagement permissions¶
- Search for DeviceManagement.
- Select the following permissions:
- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementRBAC.Read.All
- DeviceManagementServiceConfig.Read.All
- Do not select the Add permissions button yet — you will do so in a later step.
Step 10: Add Directory.Read.All permission¶
- Search for Directory.
- Select Directory.Read.All.
- Do not select the Add permissions button yet — you will do so in a later step.
Step 11: Add AuditLog.Read.All permission¶
- Search for AuditLog.
- Select AuditLog.Read.All.
- Do not select the Add permissions button yet — you will do so in a later step.
Step 12: Add Policy.Read.All permission¶
- Search for Policy.
- Select Policy.Read.All.
- Do not select the Add permissions button yet — you will do so in a later step.
Step 13: Add CloudPC.Read.All permission¶
Note
Only required for Windows 365 (Cloud PC).
- Search for CloudPC.
- Select CloudPC.Read.All.
- Do not select the Add permissions button yet — you will do so in the next step.
Step 14: Add Reports.Read.All and apply¶
- Search for Reports.
- Select Reports.Read.All.
- Select Add permissions.
Step 15: Add another permission¶
Note
Skip directly to Step 20 if you do not plan to use the Custom Inventory solution.
- Select Add a permission.
Step 16: Select organization APIs¶
Note
Only required for Custom Inventory.
- Select APIs my organization uses.
Step 17: Select Log Analytics API¶
Note
Only required for Custom Inventory.
- Search for Log Analytics.
- Select Log Analytics API.
Step 18: Select Application permissions¶
Note
Only required for Custom Inventory.
- Select Application Permissions.
Step 19: Add Data.Read permission¶
Note
Only required for Custom Inventory.
- Select Data.Read.
- Select Add permissions.
Step 20: Grant admin consent¶
- Select Grant admin consent for your tenant.
Step 21: Confirm admin consent¶
- Select Yes at the prompt.
Step 22: Create a new client secret¶
- Select Certificates & secrets.
- Select New client secret.
Step 23: Configure the client secret¶
- Enter a Description.
- Select a value for Expires.
- Select Add.
Step 24: Record the client secret value¶
- Record the Value data as the Azure AD Client Secret. This will be used later in the installation process. The value can only be displayed once, if you fail to record it here you will have to create a new one.
Step 25: Record the application IDs¶
- Select Overview.
- Record the Application (client) ID as the Azure AD Client ID. This will be used later in the installation process.
- Record the Directory (tenant) ID as the Azure AD Tenant ID. This will be used later in the installation process.
- The Azure AD Application registration is now complete.
