Introduction

The purpose of this PowerShell script is to assist with and automate the following tasks:

• Generate an App Registration within Azure for the Spider InTune Connector. 
• Add the required API permissions to the App Registration.
• Upload the required certificate into Azure to allow MSAL authentication.

Prerequisites

You will need the following:

• Credentials to login to Azure with rights to create new App Registration
• Ensure first that the Azure PowerShell module is is installed the Data Collector. Further details on the Azure PowerShell module can be found within the Microsoft Learn article found here. 
• A certificate for MSAL authentication with Azure, a guide on how to create and install a suitable certificate using the included script can be found here.  The certificate file that will be uploaded should be in the format *.crt, you will need to define the local path to this file within the script. 
  
• The exact Start (Valid from) and End (Valid to) date for the certificate also need to be defined in the script prior to running. You can verify these on the Details tab of the certificate: 
  

Instructions

1. Download this script to the Spider Data Collector
2. Find the required details for the Certificate (see Prerequisites above)
3. Edit the required variables in the script:
   • $dispname - The display name of the App Registration within Azure (Default "Spider-InTune")
   • $certpath - Local path on the Data Collector to the certificate file in the format *.crt
   • $certstart - Certificate start date in the format MM/dd/yyyy HH:mm:ss
   • $certend - Certificate start date in the format MM/dd/yyyy HH:mm:ss
4. Run the script, you will be prompted for your credentials to login to Azure with a popup 
5. After completion logon to the Azure Web portal to grant Admin Consent manually

Script

#Set the variables below; The Display name of the App Registration (how it will appear in Azure) and details for the certificate to upload.

#The display name of the App Registration within Azure (Default "Spider-InTune")
$dispname = "Spider-InTune"
#Local path to the certificate file in the format *.crt
$certPath = "C:\certs\flextest22.onmicrosoft.com.crt"
#Certificate start date in the format MM/dd/yyyy HH:mm:ss
$certstart = ('08/14/2023 11:56:21')
#Certificate end date in the format MM/dd/yyyy HH:mm:ss
$certend = ('08/14/2033 12:06:21')

#Authenticate with Azure credentials
Connect-AzAccount
#Create a New App Registration
$App = New-AzADApplication -Displayname $dispname
#Decalare the 'AppId' as a variable
$AppId = $App.AppId
#Add the MS Graph API permission for "AppCatalog.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId e12dae10-5a57-4817-b79d-dfbec5348930 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "AuditLog.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId b0afded3-3588-46d8-8b3d-9842eff778da -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Device.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 7438b122-aefc-4978-80ed-43db9fcc7715 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "DeviceManagementConfiguration.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId dc377aa6-52d8-4e23-b271-2a7ae04cedf3 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "DeviceManagemenManagedDevices.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 2f51be20-0bb4-4fed-bf7b-db946066c75e -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Directory.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 7ab1d382-f21e-4acd-a863-ba3e13f7da61 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Domain.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId dbb9058a-0e50-45d7-ae91-66909b5d4664 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Group.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5b567255-7703-4780-807c-7be8301ae99b -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Reports.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 230c1aed-a721-4c5d-9cb4-a90514e508ef -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "User.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId df021288-bdef-4463-88db-98f22de89214 -ApplicationID $AppId -Type Role
# Convert certificate to base64 encoded string
$base64Cert = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($certPath))
# Set the certificate as a valid credential to the App Registration
New-AzADAppCredential -ApplicationId $AppId -CertValue $base64Cert -StartDate $certstart -EndDate $certend

More Information

Please note: Admin Consent is required for the API permissions to function, there is currently no method to grant Admin Consent using PowerShell commands. To grant Admin Consent it is required to log into Azure using the web interface and perform this manually.