30.2 Configuring Microsoft Graph API

To enable ZENworks to apply the protection policies, you need to first configure Microsoft Graph API, which acts as a gateway to Microsoft Azure services. Microsoft exposes Azure services through REST endpoints. Using these REST endpoints, ZENworks can send requests to Azure to perform specific operations related to Intune App Management.

To configure Microsoft Graph API in ZENworks, you need to navigate to Configuration > Management Zone Settings > Intune App Management. On the Intune App Management page, you need to perform the following tasks to configure Microsoft Graph API:

  • Registering an application: Register your app to obtain an application ID along with the other data required to authenticate to Azure Active Directory. A registered application is unique to a tenant. By registering an app, ZENworks can authenticate to Azure Active Directory and obtain the access token required to manage the Intune apps of your tenant. For more information on tenants, see the Microsoft Documentation.

  • Generating an access token: Generate an access token using the details obtained while registering your app. Using this token, ZENworks can make REST calls with Microsoft Graph, which in turn validates the entity (in this case ZENworks) and ensures that ZENworks has the relevant permissions to perform the requested operations.

  • Associating users: Associate the user contexts (each containing one or more user groups) within ZENworks that should be part of this configuration. ZENworks can apply protection policies only to user groups that belong to an associated user context.

    NOTE: When you choose to manage Intune Apps using ZENworks, it is recommended to use only ZENworks to perform any further management operations. Any edits made to the Intune App Protection policy directly in the Azure portal will not be synced back to ZENworks. Also, these modifications might be overwritten when the policy is re-published in ZENworks.

30.2.1 Application Registration

To register your application with the Microsoft App Registration Portal:

  1. Navigate to Configuration > Management Zone Settings > Intune App Management.

  2. Click Copy URL to copy the callback URL of the ZENworks server with which Microsoft Graph API is being configured. You need to specify this URL in the Microsoft portal.

  3. Click the Microsoft Application Registration portal link to register your app.

  4. Sign in to the registration portal using your Microsoft account.

  5. Click Add an app in the top right-hand corner of the page.

  6. Specify the application name (example: ZENworks) and click Create Application. The properties of your app are displayed.

  7. Click Add Platform and select Web.

  8. Paste the callback URL that you copied earlier into the Redirect URLs field.

  9. Copy the application ID, which is the unique identifier for your app. This Application ID is required to generate an access token in ZCC.

  10. In the Application Secrets section, click Generate New Password. Copy the password, which will be used to generate an access token in ZCC.

  11. Click Save.

30.2.2 Access Token

  1. In ZCC, navigate to Configuration > Management Zone Settings > Intune App Management.

  2. Click Generate Token.

  3. Specify the Application ID and the Application Password that you had copied from the Microsoft Application Registration portal. Click OK.

You will be navigated to the Microsoft portal, where you need to sign in using the same credentials that were used to register the app. After signing in, accept the requested permissions. After the token is generated, you will be redirected to ZCC and the token details will be populated.

After the token is generated, you can perform the following tasks whenever required.

  • Test token: You need to perform this task if you want to validate the token and ensure that it is active.

  • Renew Token: You need to perform this task when any of the Intune app management-related operations fail due to token expiry.

    NOTE: If the tenant ID in the renewed token is different from the tenant ID used in the existing configuration, then all the associated policies in ZENworks will become ineffective. However, the policies will be retained both in ZENworks and in Azure. You can continue to create new policies using the new tenant ID. If you want to remove the existing policies from ZENworks and Azure, you need to remove the Microsoft Graph API configuration and re-configure it by generating the token with the new tenant ID.

  • Remove Configuration: If you remove this configuration, the associated user contexts and all existing app protection policies are removed from ZENworks and Azure.
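The sign-in, consent and redirect sequence described above is the standard Azure AD authorization-code flow: the browser is sent to the Microsoft sign-in endpoint with the registered callback URL, and the application ID and password are then exchanged for tokens on the back channel. The following Python script is an added illustration of that exchange and of the two decisions behind Test Token and Renew Token (is the token still valid, and was it issued for the same tenant as the existing configuration). It is not ZENworks code: it assumes the generic Azure AD v2.0 endpoints, a placeholder Graph scope, a constructed application ID and callback URL, and an unsigned sample token built locally so that it runs offline. The `exp` and `tid` claims are the standard expiry and tenant ID claims in Azure AD tokens; the tenant-mismatch check mirrors the NOTE above.

```python
"""Added example: the Azure AD authorization-code exchange behind the
Generate/Test/Renew Token steps. Constructed illustration, not ZENworks code."""
import base64
import json
import time
from urllib.parse import urlencode

# Assumption: the standard Azure AD v2.0 endpoints. The tenant segment may be
# "common" (any tenant) or a specific tenant ID.
AUTHORITY = "https://login.microsoftonline.com"
# Assumption: a generic Graph scope; the exact permissions ZENworks requests
# are not stated on the page.
SCOPES = ["https://graph.microsoft.com/.default", "offline_access"]


def build_authorize_url(app_id, redirect_uri, state, tenant="common"):
    """Step 1: the URL the browser is sent to for sign-in and consent.
    redirect_uri must match the callback URL registered with the app."""
    params = {
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,  # anti-CSRF value that the callback must echo back
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(app_id, app_secret, code, redirect_uri, tenant="common"):
    """Step 2: the back-channel POST that trades the code for tokens.
    Returns (url, form_body); the application password never goes to the browser."""
    body = {
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Read the payload of a JWT. This does NOT verify the signature; it only
    inspects claims locally (Graph validates the signature on every call)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(token, configured_tenant_id, now=None, skew=60):
    """Mirror of the Test Token / Renew Token decisions."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    if claims.get("exp", 0) <= now + skew:
        return "expired"          # Renew Token is needed
    if claims.get("tid") != configured_tenant_id:
        return "tenant_mismatch"  # existing policies become ineffective
    return "ok"


def make_sample_token(claims):
    """Constructed, unsigned JWT used only so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    app_id = "00000000-0000-0000-0000-000000000000"
    callback = "https://zenworks.example.com/callback"   # placeholder callback URL
    print(build_authorize_url(app_id, callback, state="abc123"))
    tok = make_sample_token({"tid": "tenant-a", "exp": int(time.time()) + 3600})
    print(check_token(tok, "tenant-a"))
```

The `state` value in the authorization URL is what lets the callback reject a response it did not initiate, and the token POST is the only place the application password is sent; a real client would also verify the token signature against the Azure AD signing keys rather than merely decoding the payload as `check_token` does.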

30.2.3 User Association

You can associate one or more user contexts with this configuration. You need to ensure that the selected user contexts are synced with Azure Active Directory. Intune app management operations can be performed only on the user groups present in the selected user contexts:

  1. Click Add.

  2. Select the user context and then click OK.

After configuring Microsoft Graph API, click OK to save the updated configuration.