cqrenet/macOS_IntuneManagement
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity
Files
87b7af25a7abee03026fe82cc574cf9226609bd0
macOS_IntuneManagement/CHANGELOG_macOS_IntuneToolkit.md
Tomas Kracmar 87b7af25a7 feat(auth): sync full Graph permission set and patch existing apps 
- Unified required Microsoft Graph app roles in Initialize-IntuneAuth.ps1
- Added permission patching for existing app registrations
- Logs the change and operations for audit
2026-04-14 12:15:14 +02:00

2.8 KiB
Raw Blame History

macOS Intune Toolkit Changelog

2026-04-13 — API Permissions Sync for Initialize-IntuneAuth.ps1

Modified

  • Scripts/Initialize-IntuneAuth.ps1
    • Unified the required Microsoft Graph application permissions into a single $requiredRoles list defined before app creation/reuse logic:
      • DeviceManagementApps.ReadWrite.All
      • DeviceManagementConfiguration.ReadWrite.All
      • DeviceManagementManagedDevices.ReadWrite.All
      • DeviceManagementScripts.ReadWrite.All
      • DeviceManagementServiceConfig.ReadWrite.All
      • DeviceManagementRBAC.ReadWrite.All
      • Group.ReadWrite.All
      • Directory.Read.All
      • User.Read.All
      • Organization.Read.All
      • Policy.ReadWrite.ConditionalAccess
      • Agreement.ReadWrite.All
      • CloudPC.ReadWrite.All
      • Application.Read.All
    • Existing app patching: When reusing an existing app registration, the script now inspects its current RequiredResourceAccess. If any required permissions are missing, it patches the app via Update-MgApplication, refreshes the local app object, and the downstream admin-consent loop automatically grants consent for the newly added roles.

Prior delivered changes (context summary)

New scripts added

  • Scripts/Bulk-AppAssignment.ps1 — bulk-assign apps to groups/All Users/All Devices
  • Scripts/Bulk-AssignmentManager.ps1 — add/remove assignments for any policy type using correct @odata.type and bulk /assign endpoint
  • Scripts/Backup-Restore-Assignments.ps1 — JSON backup with cross-tenant group name resolution
  • Scripts/Export-AssignmentsToCsv.ps1 — CSV and Markdown documentation output
  • Scripts/Bulk-RenamePolicies.ps1 — search/replace, add/strip prefix across displayName/description
  • Scripts/Bulk-DeviceOperations.ps1 — delete/retire/wipe/lock/sync with -WhatIf safeguards
  • Scripts/Start-IntuneToolkit.ps1 — unified reverse-numbered fzf-based launcher
  • Scripts/Initialize-IntuneAuth.ps1 — one-time Entra app + secret + Keychain setup

Core / Extensions / Headless changes

  • Extensions/MSGraph.psm1
    • Invoke-GraphRequest now throws on 4xx/5xx HTTP errors (was silently returning null)
    • Added -AllPages support to Get-GraphObjects and toolkit queries for large tenants
  • Headless/IntuneManagement.Headless.psm1
    • Expanded Get-DefaultIntunePolicyObjectTypes to ~45 types, including DeviceManagementIntents
    • Threaded NameSearchPattern / NameReplacePattern through export/import/action flows
  • Settings Catalog fixes
    • Uses name property instead of displayName for queries/labels
    • Assignments use #microsoft.graph.deviceManagementConfigurationPolicyAssignment and the bulk POST …/assign endpoint
  • TUI / fzf
    • Spacebar toggle, Esc to go back, reverse numbering (10→1) in unified launcher
Reference in New Issue View Git Blame Copy Permalink