You can use Shopping 6.0 with Microsoft Intune in much the same way as with Configuration Manager.

Requirements

We assume that you have a working Intune and Azure Active Directory (AAD) environment.

Intune

To use Shopping's Intune integration, you require the following:

  • a working Intune instance
  • clients enrolled in Intune, so that they can receive Intune applications
  • user accounts with email addresses
  • the relevant Shopping Requirements met.

You can then:

  • define the two Azure Active Directory (AAD) authentication applications required
  • configure administrator and service accounts
  • make appropriate settings for Intune in Shopping
  • enable Configuration Manager's co-management feature.

Using the Intune integration is very similar to using Configuration Manager with Shopping for both administrators and end-users.


Azure Active Directory

AAD must be in hybrid mode (synchronized with your on-premises Active Directory) and have one of these two options enabled:

  • Pass-through authentication with Seamless single sign-on (SSO)
  • Federation

AAD SSO settings

Define the two AAD authentication applications required

You'll need to set up two AAD authentication applications (app registrations) for Shopping:

  • Console authentication application, in this example named ShoppingConsoleAuthenticationClientApp
  • Central Service authentication application, in this example named ShoppingServiceAuthenticationClientApp

Use the following steps to create and configure each App. It is vital to get the configuration right for Shopping to work with Intune.

Most of the steps are the same for both the Console and the Central Service authentication applications; where they differ, the instructions say so explicitly. It is easy to confuse the two Apps, so you are recommended to configure one App at a time, going through the whole sequence of steps. If you want to configure both Apps at the same time, do so in separate browser windows.

Depending on the version of the Azure portal you use, you may see some differences in the UI, but the steps required to set up the authentication applications are the same.

Microsoft's reference for the Graph permissions used below can be found at https://docs.microsoft.com/en-us/graph/permissions-reference .

Create your own application

In your AAD console, go to the Enterprise applications node and click New application.

In the Create your own application blade:

  1. Provide a name for the application.
    • Console authentication application, in this example named ShoppingConsoleAuthenticationClientApp
    • Central Service authentication application, in this example named ShoppingServiceAuthenticationClientApp
  2. Select Integrate any other application you don't find in the gallery (Non-gallery).
  3. Click the Create button.
The application names are not important except for ease of identification. The important distinction is that one relates to the Shopping console (as used by administrators) and the other relates to the Shopping Central service (as used by Shopping itself).
At this point and similar points where objects are created or adjusted, you should see a success message in the upper right corner of the AAD console.


Create your own app

Note the Application (client) ID

You will then see an Overview tab.

You will need the Application (client) ID when you configure Shopping (as detailed in During installation or upgrade below), so copy it to a text or document file you can reference later. While you can retrieve the Application (client) ID at any time, this is a convenient opportunity to do so.

Ensure you note which application the ID corresponds to:

  • Console authentication application, in this example named ShoppingConsoleAuthenticationClientApp
  • Central Service authentication application, in this example named ShoppingServiceAuthenticationClientApp


App Overview

Add users and groups to the application

On the Overview page, click on the 1. Assign users and groups tile.

On the Users and groups page, click on Add user (which can also be used to add groups).

Add user

Click on the Users and groups None Selected row.

If you are using an evaluation version of AAD, a message will be displayed on this page indicating that groups are not available for assignment. AAD groups are not required for Shopping's Intune integration (though it's recommended to use them).

Users and groups None Selected

Select from the Users and groups as appropriate.

  • For the Console authentication application, this should be the group(s) or users that you expect to use the Shopping console. In our example, for the console app we choose the group ShoppingConsole_Admins, which is synchronized from our on-premises Active Directory.
  • For the Central Service authentication application, this should be the Shopping Central service account only.
All the accounts or groups have to come from your on-premises Active Directory (as opposed to being AAD-only accounts or groups). If you are not sure which are AD users or groups, open another AAD console window and review the users and groups under the corresponding nodes: AD users and groups have a source of Windows Server AD.
The users and groups you click on will be listed under Selected Items.


Click on Select to make the selections effective.

Select users and groups

The number of users and/or groups will be displayed. If this is correct, click the Assign button.

The users and/or groups will be displayed under the Users and groups node for the application. Note that an assignment only restricts who can sign in to the application if User assignment required is set to Yes on the application's Properties page; otherwise any user in the tenant can still authenticate to it, so check that setting rather than assuming it.

Assign users and groups

Configure the App registrations

Click the App registrations node of your AAD directory. Click All applications. You will see your application (or applications) listed.

Click on the application name.

App registrations

Configure API permissions for the App registration

In the Overview node of the selected application, click on the API permissions node, then click Add a permission.

API permissions

In the Request API permissions dialog, click on the Microsoft Graph tile.

Microsoft Graph

Click on Delegated permissions.

Delegated permissions

You will see a long list of API permissions, scroll through them and check them as appropriate. Then, click Add permissions.

For the Console authentication application, check the following:

Permission                                 Purpose
DeviceManagementApps.Read.All              To get application status, application type, and target type
DeviceManagementManagedDevices.Read.All    To discover devices when the Trigger User and Device Intune Sync button is clicked
Directory.Read.All                         To discover users; also to verify that groups have been successfully added to the directory
User.Read.All                              To get the user's email address

For the Central Service authentication application, check the following:

Permission                                                 Purpose
DeviceManagementApps.Read.All                              To get application status, application type, and target type; also to verify application assignments
DeviceManagementApps.ReadWrite.All                         To add an assignment to an Intune application
DeviceManagementManagedDevices.PrivilegedOperations.All    To initiate client synchronization (to expedite deployments)
DeviceManagementManagedDevices.Read.All                    To discover devices when the Shopping Central service is started, and routinely after that
DeviceManagementManagedDevices.ReadWrite.All               To set a flag on a device object that it has a deployment available?
Directory.AccessAsUser.All                                 To discover users and groups to whatever extent the Shopping service account is permitted
Directory.Read.All                                         To discover users; also to verify that groups have been successfully added to the directory
Directory.ReadWrite.All                                    So that groups can be added to or removed from the directory
Group.ReadWrite.All                                        To create or remove the groups to which Intune applications added to Shopping are assigned
GroupMember.ReadWrite.All                                  To add or remove users or devices from a group, and to verify they have been added or removed as intended
User.Read.All                                              To get status when an app is user targeted?
User.ReadBasic.All                                         To get the user's email address
User.ReadWrite.All


Select API permissions

Click Grant admin consent for <tenant>. In our example the tenant is ACME.

By doing this, as a tenant administrator for your organization, you consent on behalf of all users to the application using these delegated permissions, so individual users are not prompted for consent. The users in this case are the people who use the Shopping console and the account that runs the Shopping Central service. Because these are delegated permissions, the application can never do more than the signed-in user is itself allowed to do; even so, several of the Central Service permissions (Directory.ReadWrite.All, Group.ReadWrite.All, User.ReadWrite.All) are broad, so keep the Central Service application assigned to the service account only.



Grant admin consent for ACME

Configure Authentication for the App registration

Click on the Authentication node.

Scroll to the bottom of the page and select Yes for Treat application as a public client. (In newer versions of the Azure portal this setting appears under Advanced settings as Allow public client flows.)

Click Save.

For Shopping's purposes, this allows the use of Integrated Windows Authentication, so the application does not hold a client secret.

Treat application as a public client
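The following script is an added example, not part of the Shopping documentation or product, that audits the two app registrations created in the steps above and prints the values Shopping later asks for. For each app it reports the Application (client) ID and tenant ID, whether it is marked as a public client, whether user assignment is enforced and who is assigned, and whether the delegated Microsoft Graph scopes consented tenant-wide match the two permission tables. It assumes the Microsoft.Graph PowerShell SDK is installed, that you have connected with an account able to read applications and consent grants, and that the applications carry the example names used on this page.

```powershell
# Added example (not 1E Shopping code). Audit the two Shopping app registrations.
# Assumes the Microsoft.Graph PowerShell SDK and a session opened with:
#   Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"
# The application names below are the example names used on this page.

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Delegated Graph scopes each app should have, as listed in the tables above.
$expected = @{
    'ShoppingConsoleAuthenticationClientApp' = @(
        'DeviceManagementApps.Read.All', 'DeviceManagementManagedDevices.Read.All',
        'Directory.Read.All', 'User.Read.All')
    'ShoppingServiceAuthenticationClientApp' = @(
        'DeviceManagementApps.Read.All', 'DeviceManagementApps.ReadWrite.All',
        'DeviceManagementManagedDevices.PrivilegedOperations.All',
        'DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.ReadWrite.All',
        'Directory.AccessAsUser.All', 'Directory.Read.All', 'Directory.ReadWrite.All',
        'Group.ReadWrite.All', 'GroupMember.ReadWrite.All',
        'User.Read.All', 'User.ReadBasic.All', 'User.ReadWrite.All')
}

"Tenant Id: $((Get-MgContext).TenantId)"   # the value Shopping asks for as Tenant Id

foreach ($name in $expected.Keys) {
    $app = Get-MgApplication -Filter "displayName eq '$name'"
    if (-not $app) { Write-Warning "App registration '$name' not found"; continue }
    $sp  = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

    "`n$name"
    "  Application (client) ID : $($app.AppId)"
    "  Public client flows     : $($app.IsFallbackPublicClient)"     # must be True for IWA
    "  Assignment required     : $($sp.AppRoleAssignmentRequired)"   # True, or assignments do not restrict sign-in

    # Users/groups assigned to the enterprise application.
    $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "$($_.PrincipalDisplayName) ($($_.PrincipalType))" }
    "  Assigned                : $($assigned -join ', ')"

    # Tenant-wide admin consent for delegated scopes is stored as an oauth2PermissionGrant
    # with consentType AllPrincipals on the client's service principal.
    $grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.ConsentType -eq 'AllPrincipals' }
    if (-not $grant) { Write-Warning "  no tenant-wide admin consent for Microsoft Graph"; continue }

    $granted = ($grant.Scope -join ' ') -split ' ' | Where-Object { $_ } | Sort-Object -Unique
    $missing = $expected[$name] | Where-Object { $granted -notcontains $_ }
    $extra   = $granted        | Where-Object { $expected[$name] -notcontains $_ }

    if ($missing) { Write-Warning "  missing scopes: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "  extra scopes (more than Shopping needs): $($extra -join ', ')" }
    if (-not $missing -and -not $extra) { "  Delegated Graph scopes match the documented list" }
}
```

Run it after granting admin consent and saving the Authentication settings. A warning about extra scopes is worth acting on: the Central Service application already holds broad directory write rights, and anything beyond the documented list widens what a compromised service account could do.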

Configure Administrator and Service Accounts

In the AAD console, click Users and select the name of a user that will be a Shopping console user and who might need to manage Intune applications or initiate AAD user and device synchronization.

  1. Click on the Assigned roles node.
  2. Click Add assignments.
  3. Check the Intune Administrator directory role and click Add.
You must repeat this process for the service account used to run the Shopping Central service. Both the Shopping console user and the Shopping Central service account must also be licensed for Intune (see Update license assignments below).
The user account must be a hybrid account, so in the list of users the source of the account must be Windows Server AD.

Assigned directory roles

Update license assignments

In the AAD console, go to the list of users and select the name of a user that will be a Shopping console user and who might need to manage Intune applications or initiate AAD user and device synchronization. The steps below are also required for the Shopping Central service account to synchronize users and devices from Intune.

The usage location for your chosen user and for the Shopping Central Service account must be defined in their User Profile in AAD, otherwise you will get the error "License cannot be assigned to a user without a usage location specified".

  1. Click on the Licenses node.
  2. Click on Assignments.
  3. Select an appropriate license, such as Enterprise Mobility + Security E5.
  4. Click Save.

Licenses node
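The following script is an added example, not part of the Shopping documentation, that checks the account requirements from the two sections above for a Shopping console user and the Shopping Central service account: synchronized from on-premises AD, usage location set, Intune Administrator role held, and an Intune service plan provisioned. It assumes the Microsoft.Graph PowerShell SDK, a session with read access to users and directory roles, and placeholder UPNs that you replace with your own; matching service plans by the INTUNE name prefix is an assumption that holds for EMS E5 (INTUNE_A) but should be checked against your SKU.

```powershell
# Added example (not 1E Shopping code). Verify the accounts used with the Intune integration.
# Assumes the Microsoft.Graph PowerShell SDK and a session opened with:
#   Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All"

$accounts = @(
    'shopping.admin@acme.example',   # a Shopping console user (placeholder name)
    'svc-shopping@acme.example'      # the Shopping Central service account (placeholder name)
)

function Test-ShoppingIntuneAccount {
    param([Parameter(Mandatory)][string]$Upn)

    $u = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,OnPremisesSyncEnabled,UsageLocation
    $problems = @()

    # Source must be Windows Server AD (hybrid account), not an AAD-only account.
    if ($u.OnPremisesSyncEnabled -ne $true) { $problems += 'not synchronized from on-premises AD' }

    # Required before any license can be assigned.
    if (-not $u.UsageLocation) { $problems += 'no usage location set' }

    # Active directory-role memberships (PIM-eligible assignments do not show up here).
    $roles = Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
    if ($roles -notcontains 'Intune Administrator') { $problems += 'Intune Administrator role not assigned' }

    # Any successfully provisioned service plan whose name starts with INTUNE is taken as
    # an Intune license (assumption: e.g. INTUNE_A in EMS E5; adjust if your SKU differs).
    $intunePlans = Get-MgUserLicenseDetail -UserId $u.Id |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -like 'INTUNE*' -and $_.ProvisioningStatus -eq 'Success' }
    if (-not $intunePlans) { $problems += 'no provisioned Intune service plan' }

    [pscustomobject]@{
        User     = $u.UserPrincipalName
        Hybrid   = [bool]$u.OnPremisesSyncEnabled
        Location = $u.UsageLocation
        Roles    = ($roles -join ', ')
        Intune   = ($intunePlans.ServicePlanName -join ', ')
        Problems = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}

$accounts | ForEach-Object { Test-ShoppingIntuneAccount -Upn $_ } | Format-List
```

Each account is reported with a Problems line; anything other than "none" corresponds to one of the steps above that still needs doing. The Roles column also shows every other active role the account holds, which is worth a glance for the service account since it runs unattended.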

Make appropriate settings for Intune in Shopping

You can do this either during an installation or upgrade or from the Shopping Admin Console after an installation or upgrade.

During installation or upgrade

Early in the Shopping Central installation wizard, when you specify the installation type you can indicate whether Intune integration should be enabled by checking Enable integration with Intune.

Enable integration with Intune

If you enabled integration with Intune, later in the installation wizard you can specify the Intune Integration details:

ID                                    Note
Tenant Id                             The same as your Azure tenant ID, available in the Overview node of your AAD console.
Console Authentication Client App ID  Available in the Overview node for the app, in the App registrations or Enterprise applications nodes of your AAD console.
Service Authentication Client App ID  Available in the Overview node for the app, in the App registrations or Enterprise applications nodes of your AAD console.

Azure authentication client information

After installation or upgrade

You could have enabled Intune integration while installing Shopping or upgrading to it. If you did not do so, start the Shopping Admin Console and go to the Intune Integration group of settings in the Settings node.

You need the following details:

Intune Integration                    Note
Intune Integration Enabled            True.
Tenant Id                             The same as your Azure tenant ID, available in the Overview node of your AAD console.
Console Authentication Client App ID  Available in the Overview node for the app, in the App registrations or Enterprise applications nodes of your AAD console.
Service Authentication Client App ID  Available in the Overview node for the app, in the App registrations or Enterprise applications nodes of your AAD console.

Click Save.

Restart the Shopping Central service and then the Shopping Admin Console.

Shopping Admin console

Configuration Manager Co-management

This section describes where co-management is configured by a Configuration Manager administrator. Co-managed clients will not perform Intune software distribution unless co-management is enabled and the Client apps workload is moved to Intune. Please refer to your Configuration Manager documentation for full instructions on how to configure co-management. No additional configuration is needed in Shopping to support this feature.

Using a ConfigMgr console, in the Administration node, under Cloud Services, Azure Services, in the ribbon click on Configure Azure Services and add Cloud Management.

Under Cloud Services, Co-management, configure the co-management.

Set Client apps to use Intune.

The ConfigMgr clients must be restarted for these changes to take effect; the client-side CoManagementHandler.log reflects the new workload settings.

Enable Configuration Manager co-management
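The following script is an added example, not part of the Shopping or Configuration Manager documentation, to run on a co-managed client after the ConfigMgr client restart. It reads the client's CoManagementFlags registry value, decodes which workloads have been moved to Intune, warns if the Client apps workload is still with ConfigMgr, and shows the tail of CoManagementHandler.log. The registry location and the bit meanings are taken from Microsoft's co-management documentation and are an assumption to verify against your ConfigMgr version; the log path assumes a default client installation.

```powershell
# Added example (not 1E Shopping code). Check co-management state on a ConfigMgr client.
# Run in an elevated PowerShell session on the client.

# CoManagementFlags lives under the ConfigMgr client's registry key (assumed from Microsoft docs).
$ccm   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction Stop
$flags = [int]$ccm.CoManagementFlags

# Bit meanings of CoManagementFlags (assumed from Microsoft's co-management documentation).
$workloads = [ordered]@{
    1   = 'Co-management enabled'
    2   = 'Compliance policies -> Intune'
    4   = 'Resource access policies -> Intune'
    8   = 'Device configuration -> Intune'
    16  = 'Windows Update policies -> Intune'
    32  = 'Endpoint Protection -> Intune'
    64  = 'Client apps -> Intune'
    128 = 'Office Click-to-Run apps -> Intune'
}

"CoManagementFlags = $flags"
foreach ($bit in $workloads.Keys) {
    $mark = if (($flags -band $bit) -ne 0) { 'x' } else { ' ' }
    "  [{0}] {1}" -f $mark, $workloads[$bit]
}

if (($flags -band 1) -eq 0) {
    Write-Warning 'Co-management is not enabled on this client.'
}
if (($flags -band 64) -eq 0) {
    Write-Warning 'Client apps workload is still managed by ConfigMgr; Intune deployments requested through Shopping will not run here.'
}

# Confirm against the client-side log referenced in the text above (default client log path assumed).
Get-Content -Path "$env:SystemRoot\CCM\Logs\CoManagementHandler.log" -Tail 15
```

If the flags show the Client apps bit set but the log has not changed since the policy update, the client has not yet picked up the new policy; restart the SMS Agent Host service and re-run the check.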

Conclusion

You are now ready to use Shopping with Intune. If you have appropriate applications set up in Intune, you can define the applications in Shopping (refer to Managing Intune applications for details) so that they can be made available to users.

Users can then request the applications from the Shopping web interface. The applications will be delivered by Intune and status will be returned to Shopping. The features of Shopping, such as approvals and rentals, can be used with these applications.

If you have any difficulties, refer to the Intune integration FAQs in the troubleshooting section.