feat(auth): sync full Graph permission set and patch existing apps

- Unified required Microsoft Graph app roles in Initialize-IntuneAuth.ps1 - Added permission patching for existing app registrations - Logs the change and operations for audit
2026-04-14 12:15:14 +02:00
parent 9dace83cff
commit 87b7af25a7
3 changed files with 446 additions and 0 deletions
--- a/CHANGELOG_macOS_IntuneToolkit.md
+++ b/CHANGELOG_macOS_IntuneToolkit.md
@@ -0,0 +1,49 @@
+# macOS Intune Toolkit Changelog
+
+## 2026-04-13 — API Permissions Sync for `Initialize-IntuneAuth.ps1`
+
+### Modified
+- **`Scripts/Initialize-IntuneAuth.ps1`**
+  - Unified the required Microsoft Graph application permissions into a single `$requiredRoles` list defined before app creation/reuse logic:
+    - `DeviceManagementApps.ReadWrite.All`
+    - `DeviceManagementConfiguration.ReadWrite.All`
+    - `DeviceManagementManagedDevices.ReadWrite.All`
+    - `DeviceManagementScripts.ReadWrite.All`
+    - `DeviceManagementServiceConfig.ReadWrite.All`
+    - `DeviceManagementRBAC.ReadWrite.All`
+    - `Group.ReadWrite.All`
+    - `Directory.Read.All`
+    - `User.Read.All`
+    - `Organization.Read.All`
+    - `Policy.ReadWrite.ConditionalAccess`
+    - `Agreement.ReadWrite.All`
+    - `CloudPC.ReadWrite.All`
+    - `Application.Read.All`
+  - **Existing app patching**: When reusing an existing app registration, the script now inspects its current `RequiredResourceAccess`. If any required permissions are missing, it patches the app via `Update-MgApplication`, refreshes the local app object, and the downstream admin-consent loop automatically grants consent for the newly added roles.
+
+---
+
+## Prior delivered changes (context summary)
+
+### New scripts added
+- `Scripts/Bulk-AppAssignment.ps1` — bulk-assign apps to groups/All Users/All Devices
+- `Scripts/Bulk-AssignmentManager.ps1` — add/remove assignments for any policy type using correct `@odata.type` and bulk `/assign` endpoint
+- `Scripts/Backup-Restore-Assignments.ps1` — JSON backup with cross-tenant group name resolution
+- `Scripts/Export-AssignmentsToCsv.ps1` — CSV and Markdown documentation output
+- `Scripts/Bulk-RenamePolicies.ps1` — search/replace, add/strip prefix across displayName/description
+- `Scripts/Bulk-DeviceOperations.ps1` — delete/retire/wipe/lock/sync with `-WhatIf` safeguards
+- `Scripts/Start-IntuneToolkit.ps1` — unified reverse-numbered `fzf`-based launcher
+- `Scripts/Initialize-IntuneAuth.ps1` — one-time Entra app + secret + Keychain setup
+
+### Core / Extensions / Headless changes
+- **`Extensions/MSGraph.psm1`**
+  - `Invoke-GraphRequest` now throws on 4xx/5xx HTTP errors (was silently returning null)
+  - Added `-AllPages` support to `Get-GraphObjects` and toolkit queries for large tenants
+- **`Headless/IntuneManagement.Headless.psm1`**
+  - Expanded `Get-DefaultIntunePolicyObjectTypes` to ~45 types, including `DeviceManagementIntents`
+  - Threaded `NameSearchPattern` / `NameReplacePattern` through export/import/action flows
+- **Settings Catalog fixes**
+  - Uses `name` property instead of `displayName` for queries/labels
+  - Assignments use `#microsoft.graph.deviceManagementConfigurationPolicyAssignment` and the bulk `POST …/assign` endpoint
+- **TUI / `fzf`**
+  - Spacebar toggle, Esc to go back, reverse numbering (10→1) in unified launcher