This guide walks you through registering an application in Microsoft Entra (formerly Azure AD) so FreeITSM can pull managed devices and detected software from Microsoft Intune via the Microsoft Graph API.

Unlike the mailbox integration, Intune sync runs as a background worker with no user interaction, so the App Registration uses application permissions with a client secret — there is no Redirect URI and no OAuth sign-in flow.

You will need an Entra account with permission to register applications and grant admin consent (typically a Global Administrator or Cloud Application Administrator), plus an Intune licence on the tenant.


Step 1: Register a New Application

  1. Sign in to the Entra admin centre at entra.microsoft.com (or portal.azure.com if you prefer)
  2. In the left-hand menu go to Applications → App registrations
  3. Click "New registration"
  4. Enter a name — something descriptive like "FreeITSM Intune Sync"
  5. Under Supported account types, select "Accounts in this organizational directory only" (single tenant)
  6. Leave Redirect URI blank — this integration does not use OAuth user sign-in
  7. Click "Register"

Once registered, you will land on the application's overview page. Take note of these two values — you will need them in Step 4:

  • Application (client) ID – this is the Client ID
  • Directory (tenant) ID – this is the Tenant ID

Step 2: Create a Client Secret

The client secret is the password the FreeITSM background worker uses to authenticate to Microsoft Graph.

  1. From the application's overview page, click "Certificates & secrets" in the left-hand menu
  2. Under the Client secrets tab, click "New client secret"
  3. Enter a description (e.g. "FreeITSM Intune Sync")
  4. Choose an expiry period – 24 months is a sensible default. Diary the renewal date now, because the integration will silently stop syncing the day the secret expires
  5. Click "Add"
  6. Copy the secret Value immediately – it will only be shown once. The Secret ID column is not the secret you need; you want the Value column

Keep Your Client Secret Safe

Treat the client secret like a password. Don't share it, don't commit it to version control, and store it somewhere secure until you've pasted it into FreeITSM. Anyone with your Tenant ID, Client ID, and Client Secret can read every Intune-managed device in your tenant.

FreeITSM encrypts the client secret at rest in system_settings using your encryption key, so once it's saved you don't need to keep your own copy unless you also want a backup.


Step 3: Configure API Permissions

This is the step worth doing carefully. The principle is least privilege – the application should be granted only what FreeITSM actually needs and nothing more. For Intune sync, that is a single permission.

  1. From the application's page, click "API permissions" in the left-hand menu
  2. Remove the default User.Read delegated permission if it is listed – it isn't used by this integration. Click the "..." next to it and choose Remove permission
  3. Click "Add a permission"
  4. Select "Microsoft Graph"
  5. Choose "Application permissions" (not Delegated — this matters)
  6. In the search box, type DeviceManagementManagedDevices
  7. Expand the DeviceManagementManagedDevices group and tick DeviceManagementManagedDevices.Read.All
  8. Click "Add permissions"
  9. Back on the API permissions page, click "Grant admin consent for [your organisation]" and confirm when prompted

When you're done, the Configured permissions table should contain exactly one row:

  • DeviceManagementManagedDevices.Read.All – Application – Granted for [your organisation] (green tick)

Why only one permission?

FreeITSM's Intune sync calls just two Microsoft Graph endpoints:

  • /deviceManagement/managedDevices — to list managed devices
  • /deviceManagement/managedDevices/{id}?$expand=detectedApps — to read installed software per device

Both are covered by DeviceManagementManagedDevices.Read.All alone. Granting any wider permission (e.g. Directory.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All) gives the app access it doesn't need and widens the blast radius if the client secret ever leaks.

Application Permissions, Not Delegated

Make sure you chose Application permissions in step 5, not Delegated. The background worker authenticates as the app itself (client-credentials flow), not on behalf of a signed-in user. If you accidentally added the Delegated version of the permission, sync requests will fail with HTTP 403.
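One way to confirm Step 3 from the worker's side is to inspect the access token the app receives, shown here as an added example that is not FreeITSM's own code. It relies on Entra placing application permissions in the token's roles claim and delegated permissions in scp; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Per this guide, the only permission the app registration should hold.
EXPECTED_ROLES = {"DeviceManagementManagedDevices.Read.All"}


def decode_claims(access_token: str) -> dict:
    """Decode the JWT payload for inspection only (no signature check)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_permissions(access_token: str) -> dict:
    """Compare the token's granted permissions with the single expected role."""
    claims = decode_claims(access_token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    return {
        "missing": sorted(EXPECTED_ROLES - roles),
        "excess": sorted(roles - EXPECTED_ROLES),
        "delegated": sorted(scopes),
        "ok": roles == EXPECTED_ROLES and not scopes,
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


# Constructed sample claims, not output from a real tenant.
GOOD = make_sample_token({"roles": ["DeviceManagementManagedDevices.Read.All"]})
WIDE = make_sample_token({"roles": ["DeviceManagementManagedDevices.Read.All",
                                    "Directory.Read.All"]})
DELEGATED = make_sample_token({"scp": "User.Read"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("wide", WIDE), ("delegated", DELEGATED)]:
        print(name, audit_permissions(tok))
```

A non-empty "excess" list means the registration holds more than this guide calls for; a non-empty "delegated" list or a "missing" entry points at the Delegated mix-up described above.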


Step 4: Configure Intune in FreeITSM

With the App Registration ready, paste the credentials into FreeITSM.

  1. Sign in to FreeITSM as an administrator
  2. Go to Assets → Settings → Intune tab
  3. Enter the values from your App Registration:
    • Tenant ID – the Directory (tenant) ID from Step 1
    • Client ID – the Application (client) ID from Step 1
    • Client Secret – the secret Value you copied in Step 2
    • Verify SSL – leave this on for production. Only disable it for local development with a proxy that intercepts TLS, and never in a tenant holding real data
  4. Click Save
  5. Click Sync devices to kick off the first device pull. A progress bar will appear and devices will start landing in your asset list, matched to existing assets by hostname (unknown hostnames are auto-created as stub assets)
  6. Once the device sync has finished at least once, click Sync software to pull installed-software inventory in batches

Ready to Go?

Use this checklist to confirm everything is in place:

  • Registered an application in Entra – single-tenant, no Redirect URI
  • Noted your Tenant ID and Client ID – from the application overview page
  • Created a client secret – copied the Value, diaried the expiry
  • Granted exactly one API permission – DeviceManagementManagedDevices.Read.All as an Application permission, with admin consent
  • Removed the default User.Read – if it was added at registration
  • Entered the credentials in FreeITSM – on the Assets → Settings → Intune tab
  • Verify SSL is enabled – the warning banner should not be showing
  • First sync ran successfully – managed devices appear in your asset list

All done? FreeITSM will now keep its asset list and software inventory in step with Intune whenever you run a sync.
