Setting up a Microsoft Graph Connection

I’m back with part two! 

If you missed my first blog – on what Microsoft Graph actually is – make sure you give it a read.

Now, to connect to Azure and use the data within the various products, an application registration needs to be created within Azure Active Directory. This grants access to the specified elements of Azure Active Directory, Office 365 or Intune, depending on what the application is required for. The application registration can be configured for anonymous authentication or using a secret key within the application to provide authentication for a particular user account.

Setting up the Application Registration allows connection through media such as PowerShell or Microsoft Graph Explorer (more on this later).

Let’s create a new application registration which will be used to connect to the Intune Graph API.

1. The first step is to log into the Azure portal as a Global Administrator. This account role is needed to grant admin access to the Intune components.

2. Navigate to Azure Active Directory -> App Registrations

[Image: where to find App Registrations in Azure AD]

3. Select New Registration

4. Enter a name for the new application. In this case, it will be called Intune-API

5. Under the Supported Account Types, select Accounts in this organisational directory only (Contoso only – Single tenant). This may change depending on how this application will be accessed.

6. Under the Redirect URI (optional) setting, select Public client/native (mobile and desktop) from the drop-down menu.

7. In the field to the right, add the following URI – urn:ietf:wg:oauth:2.0:oob

8. Select Register

Once registered, this will present an overview of the newly created application. Make note of the Application (client) ID. This is highlighted below. You may need to add the client ID to scripts or applications to obtain an authorization token.

[Image: where to find App Registrations in Azure AD]

9. From this menu, select Authentication.

10. Scroll down to Implicit Grant and select ID Tokens

11. Click Save

12. Within the menu on the left, select API permissions

[Image: where to find the client ID in the app registration, Azure AD]

13. Microsoft Graph is already present. Click on Microsoft Graph (1)

At this stage it is worth pointing out that although the Microsoft Graph API is already present, we could have selected Add a permission and then selected Microsoft Graph from the list. We could also add other APIs such as SharePoint, OneNote or Exchange. As we are only interested in Microsoft Graph, we can leave this as default.

[Image: where to find API permissions in Azure AD]

14. Depending on how the application will access the API (in this case, Intune), there are two choices for the type of permissions to apply. Delegated permissions are used when the application will access the API as the user who is signed in to the application. Application permissions are used when the application runs as a background service with no signed-in user. In other words, anonymous authentication. For this example, we will select Delegated permissions.

15. The listed permissions relate to all areas of Microsoft 365, so we need to focus on the areas of Intune that are required. In this case, I will select the entries that start with the word

[Image: where to find API permissions in Azure AD]

16. Select the required permissions based on what the application, script or function is looking to achieve. As an example, the Read settings have been selected here. This allows the specified information to be read from Intune using the Graph API. Some of these settings require Admin consent.

[Image: adding permissions in Azure AD]

17. Click Update Permissions

18. The selected permissions will be added to the application. For those permissions that require admin consent, we need to select the Grant admin consent for Contoso button.

[Image: request API permissions in Azure AD]

19. The application is now ready for use. In some cases, the script or application that is being developed will need the Application ID (mentioned in Step 8).
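
The same registration can be created from a script, which makes it repeatable and easy to review. This is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK, and the three read-only Intune permissions are an assumed selection, since the post does not list the exact ones chosen.

```powershell
# Added example: scripted equivalent of the portal steps (Microsoft Graph PowerShell SDK).
# Assumes the Microsoft.Graph module is installed and you sign in with an admin account.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Well-known appId of the Microsoft Graph resource (same in every tenant).
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Assumed selection: three read-only Intune delegated permissions (step 16).
$wanted = @(
    'DeviceManagementManagedDevices.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'DeviceManagementApps.Read.All'
)
$scopes = @($graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -in $wanted })
if ($scopes.Count -ne $wanted.Count) {
    throw "Expected $($wanted.Count) delegated permissions, found $($scopes.Count)."
}

# Steps 3-11 and 13-17: single-tenant registration, public-client redirect URI,
# ID tokens via implicit grant, and delegated ('Scope') permissions on Graph.
$app = New-MgApplication -DisplayName 'Intune-API' `
    -SignInAudience 'AzureADMyOrg' `
    -PublicClient @{ RedirectUris = @('urn:ietf:wg:oauth:2.0:oob') } `
    -Web @{ ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true } } `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphAppId
        ResourceAccess = @($scopes | ForEach-Object { @{ Id = $_.Id; Type = 'Scope' } })
    })

# Step 18: tenant-wide admin consent for exactly the scopes requested above.
$sp = New-MgServicePrincipal -AppId $app.AppId
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope ($scopes.Value -join ' ') | Out-Null

# Read the registration back to confirm what was configured.
Get-MgApplication -ApplicationId $app.Id |
    Select-Object DisplayName, AppId, SignInAudience,
        @{ n = 'RedirectUris'; e = { $_.PublicClient.RedirectUris -join ', ' } },
        @{ n = 'IdTokens';     e = { $_.Web.ImplicitGrantSettings.EnableIdTokenIssuance } }
```

The `AppId` in the output is the Application (client) ID noted after step 8. Unlike the portal, the script does not add the default User.Read permission.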

And that’s it!

Now if you’re interested in learning more, I’ll be releasing part three next Monday (edit: here’s the link!).

Next week – actually using Microsoft Graph!

(Plus bonus tutorial on accessing Intune Graph API using PowerShell).

Any questions? Drop us a line at and we’ll get back to you.

Stephen Barnard
