Azure Active Directory
AAD must be in hybrid mode and have either of these two options enabled:
- Pass-through authentication with Seamless single sign-on (SSO)
- Federation
Both options are illustrated to the right.
Define the two AAD authentication applications required
You'll need to set up two Intune authentication applications for Shopping:
- Console authentication application, in this example named ShoppingConsoleAuthenticationClientApp
- Central Service authentication application, in this example named ShoppingServiceAuthenticationClientApp
Use the following steps to create and configure each App. It is vital to get the right configuration in order for Shopping to work with Intune.
In most cases the configuration steps are the same for each App, and the steps will tell you where they are different, but it is easy to get confused between each App.
We recommend configuring one App at a time, going through the whole sequence of steps. If you want to configure both Apps at the same time, do so in separate browser windows.
You may see some differences in the UI depending on the version of Microsoft Azure you use, but the steps required to set up the authentication applications are the same.
Microsoft information can be found at https://docs.microsoft.com/en-us/graph/permissions-reference .
Most of the steps in the sequence are needed for both the Console and Central Service authentication applications. Where there are exceptions and the instructions apply to one or the other they will be called out explicitly.
Create your own application
In your AAD console, go to the Enterprise applications node and click New application.
In the Create your own application blade:
- Provide a name for the application:
  - Console authentication application, in this example named ShoppingConsoleAuthenticationClientApp
  - Central Service authentication application, in this example named ShoppingServiceAuthenticationClientApp
- Select Integrate any other application you don't find in the gallery.
- Click on the Create button.
Note the Application (client) ID
You will then see an Overview tab.
You will need the Application (client) ID when you configure Shopping (as detailed in During installation or upgrade below), so copy it to a text or document file you can reference later. While you can retrieve the Application (client) ID at any time, this is a convenient opportunity to do so.
Ensure you note which application the ID corresponds to:
- Console authentication application, in this example named ShoppingConsoleAuthenticationClientApp
- Central Service authentication application, in this example named ShoppingServiceAuthenticationClientApp
Add users and groups to the application
On the Overview page, click on the 1. Assign users and groups tile.
On the Users and groups page, click on Add user (which can also be used to add groups).
Click on the Users and groups None Selected row.
If you are using an evaluation version of AAD, a message will be displayed on this page indicating that groups are not available for assignment. AAD groups are not required for Shopping's Intune integration (though it's recommended to use them).
Select from the Users and groups as appropriate.
- For the Console authentication application, this should be group(s) or users that you expect to use the Shopping console. In our example, for the console app we choose the group ShoppingConsole_Admins used for our Active Directory implementation.
- For the Central Service authentication application, this should be the Shopping Central service account.
Click on Select to make the selections effective.
The number of users and/or groups will be displayed. If this is correct, click the Assign button.
The users and/or groups will be displayed under the Users and groups node for the application.
Configure the App registrations
Click the App registrations node of your AAD directory. Click All applications. You will see your application (or applications) listed.
Click on the application name.
Configure API permissions for the App registration
In the Overview node of the selected application, click on the API permissions node, then click Add a permission.
In the Request API permissions dialog, click on the Microsoft Graph tile.
Click on Delegated permissions.
You will see a long list of API permissions; scroll through it and check the ones listed below for the application you are configuring. Then click Add permissions.
For the Console authentication application, check off the following:

| Permission | Purpose |
|---|---|
| DeviceManagementApps.Read.All | To get application status, application type, and target type |
| DeviceManagementManagedDevices.Read.All | To discover devices when the Trigger User and Device Intune Sync button is clicked |
| Directory.Read.All | To discover users. Also to verify groups have been successfully added to the directory |
| User.Read.All | To get user email address |
For the Central Service authentication application, check off the following:

| Permission | Purpose |
|---|---|
| DeviceManagementApps.Read.All | To get application status, application type, and target type. Also to verify application assignments |
| DeviceManagementApps.ReadWrite.All | To add an assignment to an Intune application |
| DeviceManagementManagedDevices.PrivilegedOperations.All | To initiate client synchronization (to expedite deployments) |
| DeviceManagementManagedDevices.Read.All | To discover devices when the Shopping Central service is started, and then routinely after that |
| DeviceManagementManagedDevices.ReadWrite.All | To set a flag on a device object indicating that it has a deployment available? |
| Directory.AccessAsUser.All | To discover users and groups to whatever extent the Shopping service account is permitted |
| Directory.Read.All | To discover users. Also to verify groups have been successfully added to the directory |
| Directory.ReadWrite.All | So that groups can be added to or removed from the directory |
| Group.ReadWrite.All | To create or remove groups to which Intune applications added to Shopping are assigned |
| GroupMember.ReadWrite.All | To add or remove users or devices from a group, and to verify they've been added or removed as intended |
| User.Read.All | To get status when an app is user targeted? |
| User.ReadBasic.All | To get user email address |
| User.ReadWrite.All | |

Click Grant admin consent for <tenant>. In our example the tenant is ACME.
Configure Authentication for the App registration
Click on the Authentication node.
Scroll to the bottom of the page and select Yes for Treat application as a public client.
Click Save.
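The permission tables, the Grant admin consent step and the Treat application as a public client setting are the three things that most often go wrong when the two Apps are configured side by side. The following script, added here as an example and not part of 1E's or Microsoft's own tooling, audits an exported app registration against the tables above. It assumes you have already pulled from Microsoft Graph the application object (`GET /applications/{id}`, whose `isFallbackPublicClient` property is what the public client switch sets) and the consent grants for its service principal (`GET /oauth2PermissionGrants` filtered on `clientId`, where tenant-wide admin consent appears as `consentType` `AllPrincipals` and the scopes as a space-separated `scope` string). The exports below are constructed for this example and all object IDs are placeholders. Only delegated scopes are compared, since that is what the tables list.

```python
"""Offline audit of the Shopping app registrations against the permission tables above.

Added example, not 1E's or Microsoft's code. Input records mimic the shape of
Microsoft Graph application objects and oauth2PermissionGrant objects; the
samples here are constructed and every ID is a placeholder.
"""

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph

# Delegated Microsoft Graph scopes taken from the two tables on this page.
EXPECTED_SCOPES = {
    "console": {
        "DeviceManagementApps.Read.All",
        "DeviceManagementManagedDevices.Read.All",
        "Directory.Read.All",
        "User.Read.All",
    },
    "service": {
        "DeviceManagementApps.Read.All",
        "DeviceManagementApps.ReadWrite.All",
        "DeviceManagementManagedDevices.PrivilegedOperations.All",
        "DeviceManagementManagedDevices.Read.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
        "Directory.AccessAsUser.All",
        "Directory.Read.All",
        "Directory.ReadWrite.All",
        "Group.ReadWrite.All",
        "GroupMember.ReadWrite.All",
        "User.Read.All",
        "User.ReadBasic.All",
        "User.ReadWrite.All",
    },
}

# --- constructed sample exports (placeholder IDs) ---------------------------------
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: Graph service principal object id

CONSOLE_APP = {
    "displayName": "ShoppingConsoleAuthenticationClientApp",
    "appId": "22222222-2222-2222-2222-222222222222",  # placeholder
    "isFallbackPublicClient": True,  # "Treat application as a public client" = Yes
}
CONSOLE_GRANTS = [
    {
        "clientId": "33333333-3333-3333-3333-333333333333",  # placeholder: console app service principal
        "consentType": "AllPrincipals",  # tenant-wide admin consent
        "principalId": None,
        "resourceId": GRAPH_SP_ID,
        "scope": " ".join(sorted(EXPECTED_SCOPES["console"])),
    }
]

SERVICE_APP = {
    "displayName": "ShoppingServiceAuthenticationClientApp",
    "appId": "44444444-4444-4444-4444-444444444444",  # placeholder
    "isFallbackPublicClient": False,  # public client step skipped: should be flagged
}
SERVICE_GRANTS = [
    {   # constructed so that one table scope is missing and one unlisted scope is present
        "clientId": "55555555-5555-5555-5555-555555555555",  # placeholder: service app service principal
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": GRAPH_SP_ID,
        "scope": " ".join(sorted((EXPECTED_SCOPES["service"] - {"Group.ReadWrite.All"}) | {"Mail.Read"})),
    },
    {   # a single user's own consent: must not be mistaken for the admin consent step
        "clientId": "55555555-5555-5555-5555-555555555555",
        "consentType": "Principal",
        "principalId": "66666666-6666-6666-6666-666666666666",  # placeholder user object id
        "resourceId": GRAPH_SP_ID,
        "scope": "Group.ReadWrite.All",
    },
]


def audit(role, application, grants, graph_sp_id=GRAPH_SP_ID):
    """Compare one app's exported state with the table for `role` ('console' or 'service').

    Returns the missing and extra scopes, whether tenant-wide admin consent for
    Microsoft Graph exists, and whether the public client switch is on.
    """
    expected = EXPECTED_SCOPES[role]
    granted = set()
    admin_consent = False
    for grant in grants:
        # Only tenant-wide grants against the Microsoft Graph service principal count.
        if grant.get("resourceId") != graph_sp_id or grant.get("consentType") != "AllPrincipals":
            continue
        admin_consent = True
        granted.update(grant.get("scope", "").split())
    return {
        "app": application.get("displayName"),
        "missing": sorted(expected - granted),
        "extra": sorted(granted - expected),
        "admin_consent": admin_consent,
        "public_client": bool(application.get("isFallbackPublicClient")),
    }


def is_compliant(findings):
    """True only when every check in the findings passed."""
    return (not findings["missing"] and not findings["extra"]
            and findings["admin_consent"] and findings["public_client"])


def report(findings):
    """One line per failed check, suitable for pasting into a change ticket."""
    lines = [f"{findings['app']}: {'OK' if is_compliant(findings) else 'NEEDS ATTENTION'}"]
    if findings["missing"]:
        lines.append("  missing scopes: " + ", ".join(findings["missing"]))
    if findings["extra"]:
        lines.append("  extra scopes (not in the table; review and remove): " + ", ".join(findings["extra"]))
    if not findings["admin_consent"]:
        lines.append("  no tenant-wide admin consent for Microsoft Graph")
    if not findings["public_client"]:
        lines.append("  'Treat application as a public client' is not set to Yes")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit("console", CONSOLE_APP, CONSOLE_GRANTS)))
    print(report(audit("service", SERVICE_APP, SERVICE_GRANTS)))
```

Extra scopes are reported rather than silently accepted because the Central Service App already carries broad directory and group write permissions; anything beyond the table widens what the service account can do and should be removed or justified. A `Principal` grant (one user consenting for themselves) is deliberately ignored, so the audit fails until the Grant admin consent step above has actually been done.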
Configure Administrator and Service Accounts
In the AAD console, click Users and select the name of a user that will be a Shopping console user and who might need to manage Intune applications or initiate AAD user and device synchronization.
- Click on the Assigned roles node.
- Click Add assignments.
- Check the Intune administrator Directory role and click Add.
Update license assignments
In the AAD console, go to the list of users and select the name of a user that will be a Shopping console user and who might need to manage Intune applications or initiate AAD user and device synchronization. The steps below are also required for the Shopping Central service account to synchronize users and devices from Intune.
The usage location for your chosen user and for the Shopping Central Service account must be defined in their User Profile in AAD; otherwise you will get the error License cannot be assigned to a user without a usage location specified.
- Click on the Licenses node.
- Click on Assignments.
- Select an appropriate license, such as Enterprise Mobility + Security E5.
- Click Save.
Make appropriate settings for Intune in Shopping
You can do this either during an installation or upgrade or from the Shopping Admin Console after an installation or upgrade.
During installation or upgrade
Early in the Shopping Central installation wizard, when you specify the installation type you can indicate whether Intune integration should be enabled by checking Enable integration with Intune.
If you enabled integration with Intune, later in the installation wizard you can specify the Intune Integration details:

| ID | Note |
|---|---|
| Tenant Id | This is the same as your Azure tenant ID, available in the Overview node of your AAD console. |
| Console Authentication Client App ID | Available in the Overview node for the app in the App Registrations or Enterprise applications nodes of your AAD console. |
| Service Authentication Client App ID | Available in the Overview node for the app in the App Registrations or Enterprise applications nodes of your AAD console. |
After installation or upgrade
If you did not enable Intune integration while installing Shopping or upgrading to it, start the Shopping Admin Console and go to the Intune Integration group of settings in the Settings node.
You need the following details:

| Intune Integration | Note |
|---|---|
| Intune Integration Enabled | True. |
| Tenant Id | This is the same as your Azure Tenant ID, available in the Overview node of your AAD console. |
| Console Authentication Client App ID | Available in the Overview node for the app in the App Registrations or Enterprise applications nodes of your AAD console. |
| Service Authentication Client App ID | Available in the Overview node for the app in the App Registrations or Enterprise applications nodes of your AAD console. |
Click Save.
Restart the Shopping Central service and then the Shopping Admin Console.
Configuration Manager Co-management
This section describes where a Configuration Manager administrator configures the co-management settings. Intune clients will not attempt software distribution unless this feature is enabled. Refer to your Configuration Manager documentation for full instructions on how to configure co-management. No additional configuration is needed in Shopping to support this feature.
Using a ConfigMgr console, in the Administration node, under Cloud Services, Azure Services, in the ribbon click on Configure Azure Services and add Cloud Management.
Under Cloud Services, Co-management, configure the co-management.
Set Client apps to use Intune.
The ConfigMgr clients must be restarted to reflect these changes (as reflected in the client-side CoManagementHandler log).
Conclusion
You are now ready to use Shopping with Intune. If you have appropriate applications set up in Intune, you can define the applications in Shopping (refer to Managing Intune applications for details) so that they can be made available to users.
Users can then request the applications from the Shopping web interface. The applications will be delivered by Intune and status will be returned to Shopping. The features of Shopping, such as approvals and rentals, can be used with these applications.
If you have any difficulties, refer to the Intune integration FAQs in the troubleshooting section.