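<#
.SYNOPSIS
    Creates a Microsoft Entra app registration for headless Intune export/import.

.DESCRIPTION
    Uses the Microsoft Graph PowerShell SDK to create an app registration, attach the
    Microsoft Graph application permissions needed for Export/Import, create a service
    principal for it in the tenant, generate a client secret and print the values needed
    for AppOnly (client-credentials) authentication.

    Security notes:
      * The client secret is displayed ONCE, in plain text, on the console. Store it in a
        secret vault immediately and clear any console transcript / history that captured it.
      * The secret is created with a one-year lifetime; plan rotation before it expires.
        A certificate credential is generally preferable to a client secret for unattended use.
      * The requested permissions are application roles and still require an administrator
        to grant consent in the Entra portal - this script does NOT grant consent.

    Requires: Microsoft.Graph.Authentication, Microsoft.Graph.Applications
    Install if missing: Install-Module Microsoft.Graph -Scope CurrentUser

.PARAMETER DisplayName
    Display name of the app registration to create. Defaults to "IntuneManagement-Headless".

.PARAMETER PermissionLevel
    Which Graph application permissions to request: Export (read-only), Import (read/write)
    or Both (union of the two). Defaults to Both.

.OUTPUTS
    None. TenantId, AppId, the secret and its expiry are written to the host.
#>
[CmdletBinding()]
param(
    [ValidateNotNullOrEmpty()]
    [string]$DisplayName = "IntuneManagement-Headless",

    [ValidateSet("Export", "Import", "Both")]
    [string]$PermissionLevel = "Both"
)

# --- Prerequisites -----------------------------------------------------------
$requiredModules = @("Microsoft.Graph.Authentication", "Microsoft.Graph.Applications")
foreach ($mod in $requiredModules) {
    if (-not (Get-Module $mod -ListAvailable)) {
        throw "Module '$mod' is not installed. Run: Install-Module Microsoft.Graph -Scope CurrentUser"
    }
}
Import-Module Microsoft.Graph.Authentication -Force
Import-Module Microsoft.Graph.Applications -Force

# Well-known appId of the Microsoft Graph service principal (identical in every tenant).
$graphAppId = "00000003-0000-0000-c000-000000000000"

# Application (app-only) roles needed for each operation mode.
# Export is read-only; Import needs the ReadWrite variants.
$exportRoles = @(
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementScripts.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Group.Read.All",
    "Organization.Read.All"
)
$importRoles = @(
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementScripts.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Group.ReadWrite.All",
    "Organization.Read.All"
)

$roles = switch ($PermissionLevel) {
    "Export" { $exportRoles }
    "Import" { $importRoles }
    "Both"   { ($exportRoles + $importRoles) | Select-Object -Unique }
}

# --- Sign in -----------------------------------------------------------------
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Cyan
Write-Host "A browser window will open for authentication." -ForegroundColor Cyan
# Application.ReadWrite.All covers New-MgApplication, New-MgServicePrincipal and
# Add-MgApplicationPassword. AppRoleAssignment.ReadWrite.All is not exercised by any
# call in this script (admin consent is granted manually in the portal); keep it only
# if the script is extended to grant consent itself, otherwise drop it for least privilege.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome -ErrorAction Stop

# Everything after a successful sign-in runs inside try/finally so the delegated
# session is always torn down, even when a Graph call fails part-way through.
try {
    # -ErrorAction Stop on every Graph call: SDK cmdlets raise non-terminating errors by
    # default, which would otherwise let $null flow into the next call and produce a
    # half-created registration.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'" -ErrorAction Stop
    if (-not $graphSp) {
        throw "Could not retrieve Microsoft Graph service principal."
    }

    # Resolve each role name to its id on the Graph service principal.
    $resourceAccess = @()
    foreach ($roleName in $roles) {
        $appRole = $graphSp.AppRoles | Where-Object { $_.Value -eq $roleName } | Select-Object -First 1
        if (-not $appRole) {
            # Unknown role names are skipped with a warning; the app is still created
            # with whatever could be resolved.
            Write-Warning "Could not find app role: $roleName"
            continue
        }
        $resourceAccess += @{
            id   = $appRole.Id
            type = "Role"
        }
    }
    if ($resourceAccess.Count -eq 0) {
        throw "None of the requested app roles could be resolved; no application was created."
    }

    $appParams = @{
        DisplayName            = $DisplayName
        # Single-tenant: only accounts in this directory can use the app.
        SignInAudience         = "AzureADMyOrg"
        RequiredResourceAccess = @(@{
            resourceAppId  = $graphAppId
            resourceAccess = $resourceAccess
        })
    }

    Write-Host "Creating application '$DisplayName'..." -ForegroundColor Cyan
    $app = New-MgApplication @appParams -ErrorAction Stop
    if (-not $app) {
        throw "New-MgApplication returned no application object."
    }

    # The service principal is what admin consent and app-only tokens are bound to.
    Write-Host "Creating service principal..." -ForegroundColor Cyan
    $null = New-MgServicePrincipal -AppId $app.AppId -ErrorAction Stop

    Write-Host "Adding client secret..." -ForegroundColor Cyan
    $secretExpiry = (Get-Date).AddYears(1)
    $passwordCred = @{
        displayName = "IntuneManagementSecret"
        endDateTime = $secretExpiry
    }
    $secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential $passwordCred -ErrorAction Stop
    if (-not $secret -or -not $secret.SecretText) {
        throw "Add-MgApplicationPassword returned no secret text."
    }

    $tenantId = Get-MgContext | Select-Object -ExpandProperty TenantId

    # --- Output --------------------------------------------------------------
    # The secret value is only retrievable at creation time, so it has to be shown here.
    Write-Warning "The client secret below is shown once in plain text. Store it in a secret vault now and clear any transcript/history that captured it."
    Write-Host "`n=============================================================" -ForegroundColor Green
    Write-Host "App Registration created successfully!" -ForegroundColor Green
    Write-Host "=============================================================" -ForegroundColor Green
    Write-Host "TenantId : $tenantId"
    Write-Host "AppId    : $($app.AppId)"
    Write-Host "Secret   : $($secret.SecretText)"
    Write-Host "Expires  : $($secretExpiry.ToString('u'))"
    Write-Host "=============================================================" -ForegroundColor Green
    Write-Host "IMPORTANT: Go to the Entra portal > API Permissions and click" -ForegroundColor Yellow
    Write-Host "           'Grant admin consent for ' before using" -ForegroundColor Yellow
    Write-Host "           the app for Export or Import." -ForegroundColor Yellow
    Write-Host "=============================================================" -ForegroundColor Green
}
finally {
    Disconnect-MgGraph | Out-Null
}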