From 9dace83cfff35b2e9a81337ee740ac38a354b4ff Mon Sep 17 00:00:00 2001
From: Tomas Kracmar
Date: Wed, 8 Apr 2026 19:10:45 +0200
Subject: [PATCH] Make browser auth app id optional

---
 Headless/IntuneManagement.Headless.psm1 | 23 ++++++++++++++++++-----
 Headless/README.md | 1 -
 README.md | 7 +++----
 Scripts/Export-Policies.ps1 | 1 -
 Scripts/Import-Policies.ps1 | 1 -
 Start-HeadlessIntune.ps1 | 1 -
 6 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/Headless/IntuneManagement.Headless.psm1 b/Headless/IntuneManagement.Headless.psm1
index b28b5c4..a5f920e 100644
--- a/Headless/IntuneManagement.Headless.psm1
+++ b/Headless/IntuneManagement.Headless.psm1
@@ -10,6 +10,11 @@ function Get-DefaultIntunePolicyObjectTypes
 )
 }
 
+function Get-DefaultBrowserAppId
+{
+ "14d82eec-204b-4c2f-b7e8-296a70dab67e"
+}
+
 function Get-IntuneManagementProjectRoot
 {
 Split-Path -Parent $PSScriptRoot
@@ -38,6 +43,7 @@ function Test-AuthParameters
 {
 param(
 [string]$AuthMode,
+ [string]$AppId,
 [string]$Secret,
 [string]$Certificate
 )
@@ -47,6 +53,12 @@ function Test-AuthParameters
 return
 }
 
+ if(-not $AppId)
+ {
+ throw "Specify -AppId for AppOnly auth."
+ return
+ }
+
 if((-not $Secret) -and (-not $Certificate))
 {
 throw "Specify -Secret or -Certificate for AppOnly auth, or use -AuthMode Browser."
@@ -59,7 +71,6 @@ function Invoke-IntuneHeadlessBatch
 [Parameter(Mandatory = $true)]
 [string]$TenantId,
 
- [Parameter(Mandatory = $true)]
 [string]$AppId,
 
 [string]$Secret,
@@ -79,7 +90,12 @@ function Invoke-IntuneHeadlessBatch
 [string]$BatchFile
 )
 
- Test-AuthParameters -AuthMode $AuthMode -Secret $Secret -Certificate $Certificate
+ if($AuthMode -eq "Browser" -and -not $AppId)
+ {
+ $AppId = Get-DefaultBrowserAppId
+ }
+
+ Test-AuthParameters -AuthMode $AuthMode -AppId $AppId -Secret $Secret -Certificate $Certificate
 
 $projectRoot = Get-IntuneManagementProjectRoot
 $runtimeModule = Join-Path $projectRoot "Runtime/IntuneManagement.Runtime.psd1"
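Review bot: Get-DefaultBrowserAppId returns a bare GUID with nothing in the code saying what it identifies; the README hunk in this patch calls it the Microsoft Graph PowerShell public client app id, and that belongs next to the constant, because it is the client that Entra sign-in logs and any Conditional Access decision will attribute these logins to rather than this tool. I would put above the function: `# Microsoft Graph PowerShell first-party public client. Used only when -AuthMode Browser is given without -AppId; tenants that restrict this client must supply their own app registration via -AppId.` A comment-based help block would additionally surface this through Get-Help, but the one-line comment is the minimum a maintainer needs.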
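Review bot: The `return` after `throw "Specify -AppId for AppOnly auth."` is unreachable, since `throw` already leaves the function; it mirrors the pattern visible in the surrounding lines, so it may be deliberate house style, but it reads as if `throw` were expected to be non-terminating. The `-not $AppId` test also accepts a whitespace-only value, which would then fail later during token acquisition instead of here; `if([string]::IsNullOrWhiteSpace($AppId))` keeps the early, clear failure this check is meant to provide. Test-AuthParameters starts and ends outside this hunk, so I am assuming the `return` just above the new block is the Browser-mode exit that makes this an AppOnly-only check, as the message states.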
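Review bot: The fallback to Get-DefaultBrowserAppId is silent, so an operator who omits or mistypes `-AppId` signs in under the first-party Microsoft Graph PowerShell client with no indication in the tool's output, and only discovers it from Entra sign-in logs or a Conditional Access block. A one-liner inside the new branch, `Write-Verbose "No -AppId given; using default browser client $AppId"` (or Write-Warning if it should be visible by default), makes the client id actually used auditable from the run output. The default is applied only here; the other hunks in this patch drop `Mandatory` from `-AppId` on Export-IntunePolicies, Import-IntunePolicies and Invoke-IntunePolicyAction but show no substitution, so unless those functions route through Invoke-IntuneHeadlessBatch an empty AppId would pass Test-AuthParameters in Browser mode (assuming the early return above the new check is the Browser exit) and reach the runtime module. Invoke-IntuneHeadlessBatch continues past the end of the hunk.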
@@ -145,7 +161,6 @@ function Export-IntunePolicies
 [Parameter(Mandatory = $true)]
 [string]$TenantId,
 
- [Parameter(Mandatory = $true)]
 [string]$AppId,
 
 [string]$Secret,
@@ -203,7 +218,6 @@ function Import-IntunePolicies
 [Parameter(Mandatory = $true)]
 [string]$TenantId,
 
- [Parameter(Mandatory = $true)]
 [string]$AppId,
 
 [string]$Secret,
@@ -272,7 +286,6 @@ function Invoke-IntunePolicyAction
 [Parameter(Mandatory = $true)]
 [string]$TenantId,
 
- [Parameter(Mandatory = $true)]
 [string]$AppId,
 
 [string]$Secret,
diff --git a/Headless/README.md b/Headless/README.md
index 15b9c11..8bcf061 100644
--- a/Headless/README.md
+++ b/Headless/README.md
@@ -29,7 +29,6 @@ Export-IntunePolicies `
 ```powershell
 Export-IntunePolicies `
 -TenantId "" `
- -AppId "" `
 -AuthMode Browser `
 -RedirectUri "http://localhost" `
 -ExportPath "/tmp/intune-export"
diff --git a/README.md b/README.md
index 9ffd651..98e8159 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,6 @@ pwsh ./Scripts/Export-Policies.ps1 `
 ```powershell
 pwsh ./Scripts/Export-Policies.ps1 `
 -TenantId "" `
- -AppId "" `
 -AuthMode Browser `
 -ExportPath "/tmp/intune-export"
 ```
@@ -74,7 +73,6 @@ pwsh ./Scripts/Import-Policies.ps1 `
 ```powershell
 pwsh ./Scripts/Import-Policies.ps1 `
 -TenantId "" `
- -AppId "" `
 -AuthMode Browser `
 -ImportPath "/tmp/intune-export/SourceTenantName"
 ```
@@ -104,7 +102,6 @@ pwsh ./Start-HeadlessIntune.ps1 `
 pwsh ./Start-HeadlessIntune.ps1 `
 -Action Export `
 -TenantId "" `
- -AppId "" `
 -AuthMode Browser `
 -RedirectUri "http://localhost" `
 -ExportPath "/tmp/intune-export"
@@ -115,4 +112,6 @@ pwsh ./Start-HeadlessIntune.ps1 `
 * Export writes a migration table used during cross-tenant import.
 * Import can translate dependency IDs and recreate missing assignment groups.
 * This repo intentionally does not preserve the old Windows UI launch flow.
-* Browser auth uses the system browser and a loopback redirect. If your app registration does not allow loopback redirects, pass `-RedirectUri "http://localhost"` and configure the same redirect URI in Entra ID.
+* Browser auth uses the system browser and a loopback redirect.
+* If you omit `-AppId` with `-AuthMode Browser`, the CLI defaults to the Microsoft Graph PowerShell public client app id `14d82eec-204b-4c2f-b7e8-296a70dab67e`.
+* If your own app registration does not allow loopback redirects, pass `-AppId` and `-RedirectUri "http://localhost"` and configure the same redirect URI in Entra ID.
diff --git a/Scripts/Export-Policies.ps1 b/Scripts/Export-Policies.ps1
index c6d97e5..88357f7 100644
--- a/Scripts/Export-Policies.ps1
+++ b/Scripts/Export-Policies.ps1
@@ -7,7 +7,6 @@ param(
 [Parameter(Mandatory = $true)]
 [string]$TenantId,
 
- [Parameter(Mandatory = $true)]
 [string]$AppId,
 
 [string]$Secret,
diff --git a/Scripts/Import-Policies.ps1 b/Scripts/Import-Policies.ps1
index 5e9eece..408fc4b 100644
--- a/Scripts/Import-Policies.ps1
+++ b/Scripts/Import-Policies.ps1
@@ -7,7 +7,6 @@ param(
 [Parameter(Mandatory = $true)]
 [string]$TenantId,
 
- [Parameter(Mandatory = $true)]
 [string]$AppId,
 
 [string]$Secret,
diff --git a/Start-HeadlessIntune.ps1 b/Start-HeadlessIntune.ps1
index b6c96ab..702f702 100644
--- a/Start-HeadlessIntune.ps1
+++ b/Start-HeadlessIntune.ps1
@@ -7,7 +7,6 @@ param(
 [Parameter(Mandatory = $true)]
 [string]$TenantId,
 
- [Parameter(Mandatory = $true)]
 [string]$AppId,
 
 [string]$Secret,