When you first set up the product you were asked to link an Intune tenant. You can change this tenant or add additional tenants; Eido can be linked to multiple tenants. This is useful for MSPs who manage tenants for their customers, and for enterprises that have production and non-production tenants or have gained additional tenants through acquisitions.
Adding or Editing Intune tenants
To add or make changes to an Intune tenant you must be logged into Eido as a user with the Admin role. If you are logged in with the correct permissions, navigate to Admin > Intune Tenants and click "Link new tenant" in the top right corner:
You are then asked which level of access you would like Eido to have to the Intune tenant being linked:
For a full list of the permissions required by each of the above options, see the table at the end of this article. For the first three options we use Microsoft's OAuth flow, which grants the required permissions by impersonating a signed-in user. Enterprises typically prefer to create a manual app registration so that no user account is required for authentication; this is possible using the bottom "Custom / Manual App Registration" option.
Using OAuth: Read-Write, Read and Limited Access
Once you have selected your desired permission level you are asked to select an account to log in with. Make sure the selected account has the required permissions before proceeding: the Read-Write, Read and Limited options all require an account that we will impersonate for our connection to Intune.
The permissions requested are clearly listed before you are asked to accept the requested access.
Once accepted, you will be asked to give the Intune tenant a friendly name.
Then select Confirm and we will begin syncing your Intune tenant.
Custom / Manual App Registration
Step 1: Open the Microsoft Entra admin center
Sign in to the Microsoft Entra admin center as a user who is allowed to create app registrations and grant admin consent.
Step 2: Create an Application
Navigate to Applications -> App registrations -> Register an application.
Enter the following details:
Name: (Provide a meaningful name)
Supported account types: Single tenant
Redirect URI: Leave empty
Step 3: Configure API Permissions
Open the created application.
Navigate to API permissions -> Add a permission -> Microsoft Graph -> Application permissions.
Add at least the following permissions:
Device.Read.All
DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.Read.All
DeviceManagementServiceConfig.Read.All
Group.Read.All
User.Read.All
Click Grant admin consent for your organization. The button carries your own tenant's name; in the author's example tenant it reads "Grant admin consent for Eido Software Ltd.".
Step 4: Create a Client Secret
Navigate to Certificates & secrets -> Client secrets -> New client secret.
Copy the secret value straight away and store it securely; it is only displayed once.
Step 5: Link New Tenant in Eido
Log in to Eido and browse to Admin -> Intune Tenants -> Link new tenant -> Custom/Manual App Registration.
Provide the following details:
Friendly Name: (Provide a friendly name for the tenant)
Graph Login URL:
Default: https://login.microsoftonline.com
Azure US Government: https://login.microsoftonline.us
Azure China operated by 21Vianet: https://login.chinacloudapi.cn
Graph Query URL:
Default: https://graph.microsoft.com
Microsoft Graph for US Government L4: https://graph.microsoft.us
Microsoft Graph for US Government L5 (DOD): https://dod-graph.microsoft.us
Microsoft Graph China operated by 21Vianet: https://microsoftgraph.chinacloudapi.cn
Entra Tenant ID: the Directory (tenant) ID of your Entra tenant, shown on the application's Overview page.
Entra Client ID: the Application (client) ID of the application you created in Step 2, also shown on its Overview page.
Entra Client Secret: the secret value you created in Step 4.
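Before linking a custom app registration it is worth confirming that it carries exactly the permissions the steps above ask for and nothing broader. The following is an added example, not Eido's code and not part of this article: it requests an app-only token with the client-credentials grant from the login endpoint of the chosen national cloud, reads the `roles` claim Microsoft Graph places in the token, and reports any missing or excess permissions (write permissions in particular) against the seven listed in Step 3. The endpoint tables, `REQUIRED_ROLES` and all function names are this example's own assumptions, and the tenant ID, client ID and secret are placeholders the reader supplies.

```python
"""Least-privilege check for a custom Eido app registration.

Added example, not Eido's own code. It obtains an app-only token with the
client-credentials grant and audits the token's `roles` claim against the
Microsoft Graph application permissions the manual registration asks for.
"""
import base64
import json
import urllib.parse
import urllib.request

# The seven application permissions listed in the registration steps.
REQUIRED_ROLES = frozenset({
    "Device.Read.All",
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Group.Read.All",
    "User.Read.All",
})

# Login (authority) and Graph endpoints per national cloud, as published by Microsoft.
LOGIN_URLS = {
    "default": "https://login.microsoftonline.com",
    "usgov": "https://login.microsoftonline.us",
    "china": "https://login.chinacloudapi.cn",
}
GRAPH_URLS = {
    "default": "https://graph.microsoft.com",
    "usgov": "https://graph.microsoft.us",          # US Government L4
    "usgov-dod": "https://dod-graph.microsoft.us",  # US Government L5 (DOD)
    "china": "https://microsoftgraph.chinacloudapi.cn",
}


def token_request(login_url, tenant_id, client_id, client_secret, graph_url):
    """Build the v2.0 client-credentials token request for one cloud.

    Returns (url, form_body_bytes). The scope must be the Graph host of the
    same cloud followed by /.default so that the app's consented roles are issued.
    """
    url = f"{login_url.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph_url.rstrip('/')}/.default",
    }).encode()
    return url, body


def decode_jwt_payload(token):
    """Return the JWT payload as a dict.

    No signature check is done here: we only inspect a token we just received
    from the identity provider over TLS; nothing is authorised on its basis.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(granted_roles):
    """Compare the token's roles with REQUIRED_ROLES.

    Returns the permissions still missing, any extra ones, and the subset of
    extras that confer write access (remove those unless Read-Write is intended).
    """
    granted = frozenset(granted_roles)
    extra = sorted(granted - REQUIRED_ROLES)
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "extra": extra,
        "extra_write": [r for r in extra if ".ReadWrite" in r],
    }


def make_sample_token(roles):
    """Constructed, unsigned sample token for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    payload = b64({"aud": GRAPH_URLS["default"], "roles": list(roles)})
    return f"{header}.{payload}.sig"


def fetch_and_audit(cloud, tenant_id, client_id, client_secret):
    """Live check: request a real token and audit its roles (needs network access)."""
    login_url = LOGIN_URLS[cloud.split("-")[0]]  # "usgov-dod" shares the usgov authority
    url, body = token_request(login_url, tenant_id, client_id, client_secret, GRAPH_URLS[cloud])
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    return audit_roles(decode_jwt_payload(token).get("roles", []))


if __name__ == "__main__":
    # Offline demonstration: a constructed token with one permission missing
    # and one write permission the procedure does not ask for.
    sample = make_sample_token(sorted(REQUIRED_ROLES - {"User.Read.All"})
                               + ["DeviceManagementRBAC.ReadWrite.All"])
    print(json.dumps(audit_roles(decode_jwt_payload(sample)["roles"]), indent=2))
```

Run `fetch_and_audit("default", "<tenant id>", "<client id>", "<secret>")` against your own registration; an empty `missing` list means the Read-Only tier will work, and a non-empty `extra_write` list means the registration can do more than this article's Custom / Manual option needs.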
Linking an Intune tenant to a specific customer
By default, Intune tenants are not linked to any customer. Eido's MSP functionality is designed to make managing multiple customers easy and secure; an unlinked tenant's data is visible whenever Eido is not filtered on a specific customer and cannot be permission-guarded for granular access. Learn more about Customers and about granular RBAC to limit who can see which customers' data.
To link an Intune tenant to a specific customer, the Customer record has to be created first (learn more). Once the Intune tenant has been linked and the customer record created, edit the Intune tenant and select the customer to link it to from the dropdown menu.
Synchronization
Once your Intune tenant is connected it will begin synchronization. Synchronization has completed when a date/time stamp is displayed against the tenant:
You can manually trigger a sync by clicking Edit > Sync.
For more info on synchronization including what is synced and its frequency, see the separate Synchronization section in this documentation.
Permissions required to your Intune tenant
| Control over | Detail | Read-Write Access | Read-Only Access | Limited Access |
|---|---|---|---|---|
| All Devices | Read allows Eido to read your organization's devices' configuration information without a signed-in user. Write also allows Eido to write all device properties without a signed-in user. Does not allow device creation, device deletion or update of device alternative security identifiers. | Read and Write | Read | Read |
| Microsoft Intune apps | Read allows Eido to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. Write also allows Eido to write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | Read and Write | Read | Read |
| Microsoft Intune device configuration and policies | Read allows Eido to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. Write also allows Eido to write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | Read and Write | Read | Read |
| Microsoft Intune devices | Read allows Eido to read the properties of devices managed by Microsoft Intune, without a signed-in user. Write also allows Eido to write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device's owner. | Read and Write | Read | Read |
| Microsoft Intune configuration | Read allows Eido to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. Write also allows Eido to write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. | Read and Write | Read | Read |
| All groups | Allows Eido to read group properties and memberships, and read conversations for all groups, without a signed-in user. | Read | Read | |
| All users' full profiles | Allows Eido to read user profiles without a signed-in user. | Read | Read | |
| Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Read | Read | Read |
| Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. | Read and Write | | |