Microsoft Intune Powershell Approval Required. The App requires your admin approval.

Recently deployed Windows Autopilot solution and to simplify the Autopilot Device registration experience, users can register their devices themselves from the OOBE (Out of box experience) page by using the Get-WindowsAutopilotinfo -online command. Some organizations may not allow this approach and only want their IT Administrators to complete this process using an administrator account, which is a good approach.

However, in another scenario, if a user is at a remote location and the IT Admin cannot get physical access to the laptop, I have used an approach where you elevate the user’s role/rights for the duration of device registration and then remove the elevated rights once the device is successfully imported/registered. Through this blog post, I will share this solution with you.

There are other methods to register the device, e.g., generating hardware hash on the device in a CSV file and uploading the CSV file directly to the Intune admin center under Devices -> Windows -> Windows Enrollment -> Devices -> Import.

This way, you can pre-assign a particular device to the user and pre-assign the Autopilot profile. If you go with this approach, then there will not be any need to provide elevated access to the user, or there will not be any need for the IT Administrator to register the device via the OOBE screen, User can reset the Windows device, and follow the instructions as per Autopilot Profile to Setup / Sign-in as the device is already pre-registered.

Let’s now see what a Temporary Elevated Permission looks like for a user who will register their device:

  • The user will have an Intune Administrator Role.
  • Users must be bypassed from any Conditional Access Policy, which blocks users to sign-in to Non-Compliant Devices.
  • User will be provided access to Microsoft Intune Powershell Service Principal [Azure AD Enterprise Application]

Once the device is registered and Imported successfully, Remove the elevated permissions given to the user, as they are no longer required.

When users register the device from the OOBE screen after pressing Shift + F10 and then using get-windowsautopilotinfo -online, users may get a popup (as shown in the screenshot): Approval required. Microsoft Intune Powershell. Therefore, users will not be able to register their devices until they are provided the required permissions.

Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required

Checking the App Registrations or Enterprise Applications, I could not find an application called Microsoft Intune Powershell. As the admin user must consent to create this Application in your tenant, we must use the Connect-MSgraph -adminconsent command to create the Microsoft Intune Powershell app in Enterprise Applications on the Entra admin center. Let’s see how to add this application.

Let’s first check the list of Apps currently available under the Enterprise application on my Entra ID admin center. Navigate to Entra ID admin center > Applications > Enterprise applications.

At present, there is no existing Microsoft Intune PowerShell service principal. Let’s explore how to create one and grant users access.

Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required
  • Type the Command Connect-MSGraph -AdminConsent and use administrator credentials.
Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required
  • Provide Administrator Password.
Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required
  • Click on Accept to provide admin consent. Review the permissions for which this app will have the consent.
Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required
  • Once you are successful, it will return UPN and Tenant ID on the Portal. The command succeeded, and the Microsoft Intune Powershell application object was added under Enterprise Applications.
Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required
  • The screenshot below shows that the Microsoft Intune PowerShell Application object has been successfully created.
Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required
  • Click on this Application, and on the left-hand side, click on Permissions to learn about the admin-consent permissions provided to this app.
Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required

To enable users to register their devices through the Autopilot process using the OOBE screen or PowerShell console, the best practice is to create an Entra security group and use it to provide the permissions. Then, add this group to the application.

In the future, when a user wants to register or import their device, they can use their regular user account and run the “Get-WindowsAutopilotinfo -online” command.

This will enable device registration. Once the device is registered, removing the user from the Entra security group is important because the user was temporarily granted elevated access for this specific task. Keeping the user in this group would provide unnecessary privileges, so it’s best to remove them to maintain security.

Microsoft Intune Powershell Approval Required
Microsoft Intune Powershell Approval Required

Conclusion

In this blog post. We discussed different ways to register a device in the Microsoft Intune Admin Center. How can we enable end users to register their new devices with temporarily elevated permissions? How to register Microsoft Intune Powershell Application/service principal using Connect-MSgraph -adminconsent and add users to this application so that users have admin consent to register their devices.

READ NEXT

Leave a Comment