import-azure-app.md

ms.subservice	core-infra
ms.topic	include
ms.date	07/11/2022
ms.collection	tier3

Import a previously created Microsoft Entra application (optional)

During a new onboarding, an administrator can specify a previously created application during onboarding to tenant attach. Don't share or reuse Microsoft Entra applications across multiple hierarchies. If you have multiple hierarchies, create separate Microsoft Entra applications for each.

From the onboarding page in the Cloud Attach Configuration Wizard (Co-management Configuration Wizard in versions 2103 and earlier), select Optionally import a separate web app to synchronize Configuration Manager client data to Microsoft Intune Endpoint Manager center. This option will prompt you to specify the following information for your Microsoft Entra app:

• Microsoft Entra tenant name
• Microsoft Entra tenant ID
• Application name
• Client ID
• Secret key
• Secret key expiry
• App ID URI

Important

• The App ID URI must use one of the following formats:

  • api://{tenantId}/{string}, for example, api://aaaabbbb-0000-cccc-1111-dddd2222eeee/ConfigMgrService
  • https://{verifiedCustomerDomain}/{string}, for example, https://contoso.onmicrosoft.com/ConfigMgrService

  For more information on creating a Microsoft Entra app, see Configure Azure services.

• When you use an imported Microsoft Entra app, you aren't notified of an upcoming expiration date from console notifications.

Microsoft Entra application permissions and configuration

Using a previously created application during onboarding to tenant attach requires the following permissions:

• Configuration Manager Microservice permissions:

  • CmCollectionData.read
  • CmCollectionData.write

• Microsoft Graph permissions:

  • Directory.Read.All Applications permission
  • Directory.Read.All Delegated directory permission

• Ensure Grant admin consent for Tenant is selected for the Microsoft Entra application. For more information, see Grant admin consent in App registrations.

• The imported application needs to be configured as follows:

  • Registered for Accounts in this organizational directory only. For more information, see Change who can access your application.
  • Has a valid application ID URI and secret.