To enable ZENworks to apply the protection policies, you need to first configure Microsoft Graph API, which acts as a gateway to Microsoft Azure services. Microsoft exposes Azure services through REST endpoints. Using this REST endpoint, ZENworks can send requests to Azure to perform specific operations related to Intune App Management.
To configure Microsoft Graph API in ZENworks, you need to navigate to Configuration > Management Zone Settings > Intune App Management. On the Intune App Management page, you need to perform the following tasks to configure Microsoft Graph API:
Registering an application: Register your app to obtain an application ID along with other relevant data required to authenticate to Azure Active Directory. A registered application is unique to a tenant. By registering an app, ZENworks can authenticate to Azure Active Directory to obtain an access token required to manage Intune apps related to your tenant. For more information on tenants, see the Microsoft Documentation.
Generating an access token: Generate an access token using the details obtained while registering your app. Using this token, ZENworks can make REST calls with Microsoft Graph, which in turn validates the entity (in this case ZENworks) and ensures that ZENworks has the relevant permissions to perform the requested operations.
Associating users: Associate the user contexts (each containing one or more user groups) within ZENworks that should be a part of this configuration. ZENworks can apply protection policies only to those user groups that are part of an associated user context.
NOTE: When you choose to manage Intune Apps using ZENworks, it is recommended to use only ZENworks to perform any further management operations. Any edits made to the Intune App Protection policy directly in the Azure portal will not be synced back to ZENworks. Also, these modifications might be overwritten when the policy is re-published in ZENworks.
To register your application with the Microsoft App Registration Portal:
Navigate to Configuration > Management Zone Settings > Intune App Management.
Click the Microsoft Application Registration portal link to register your app.
Sign in to the registration portal using your Microsoft account.
Select All Services in the left pane and select App Registrations. Alternatively, you can also search for app registrations in the search field.
Click New Registrations.
Specify the application Name.
Select Accounts in any organizational directory as Supported account types.
Paste the callback URL that you had copied earlier, in the Redirect URI field and click Register.
Copy the Application (client) ID displayed on the page that shows the details of the app. This Application ID, which is the unique identifier for your app, is required to generate an access token in ZCC.
Click Authentication in the left-hand pane and select Access tokens and ID tokens in the Implicit Grants section.
Click Certificates and Secrets in the left-hand navigation pane and click New client secret to generate the application secret.
In the Add a client secret dialog box, specify a description and a time period for which the Client Secret should be valid. Click Add.
Copy the generated Client Secret.
In ZCC, navigate to Configuration > Management Zone Settings > Intune App Management.
Click Generate Token.
Specify the Application ID and the Application Password that you had copied from the Microsoft Application Registration portal. Click OK.
You will be navigated to the Microsoft portal, where you need to sign in using the same credentials that were used to register the app. After signing in, accept the requested permissions. After the token is generated, you will be redirected to ZCC and the token details will be populated.
After the token is generated, you can perform the following tasks, whenever required.
Test token: You need to perform this task if you want to validate the token and ensure that it is active.
Renew Token: You need to perform this task when any of the Intune app management related operations fail due to token expiry.
NOTE: If the tenant ID in the renewed token is different from the tenant ID used in the existing configuration, then all the associated policies in ZENworks will become ineffective. However, the policies will be retained both in ZENworks and Azure. You can continue to create new policies using the new tenant ID. However, if you want to remove the existing policies in ZENworks and in Azure, then you need to remove the Microsoft Graph API configuration and re-configure it by generating the token with the new tenant ID.
Remove Configuration: If you remove this configuration, the associated user contexts and all existing app protection policies are removed from ZENworks and Azure.
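The registration and token steps above are the OAuth 2.0 authorization code exchange that ZCC performs behind the scenes: the browser is sent to the Microsoft sign-in page with the Application (client) ID and the registered redirect URI, the portal redirects back with an authorization code, and the code plus the client secret are exchanged for an access token whose claims carry the tenant ID and expiry. The following Python script is an added example written for this page; it is not ZENworks code and does not show how ZCC is implemented. It builds the authorize URL, validates the callback (including the state value that ties the redirect to the original request), builds the token request body, and then performs the two local checks that the Test token task and the renew-token note describe: is the token still active, and does its tenant ID match the configured one. Assumptions: the `organizations` authority segment (matching "Accounts in any organizational directory"), the `.default` Graph scope, and all client IDs, secrets, callback URLs and tenant IDs are placeholders; the token used for the offline check is constructed and unsigned, and no network call is made.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values: "organizations" is the multi-tenant authority that matches
# "Accounts in any organizational directory"; client ID, secret and callback URL
# below are placeholders, not values from the product or the portal.
AUTHORITY = "https://login.microsoftonline.com/organizations"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"          # placeholder Application (client) ID
REDIRECT_URI = "https://zcc.example.com/intune/callback"     # placeholder callback URL
SCOPES = ["https://graph.microsoft.com/.default", "offline_access"]


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: the URL the browser is sent to so the admin can sign in and
    accept the requested permissions. `state` is a random value we keep to
    match the redirect back to this request."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: the portal redirects to the callback URL with ?code=...&state=...
    The code is accepted only if the state matches the one we generated."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect is not tied to our request")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri, scopes):
    """Step 3: form body POSTed to {AUTHORITY}/oauth2/v2.0/token to exchange the
    code for an access token. redirect_uri must equal the registered one exactly."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


def decode_claims(access_token):
    """Read the JWT payload without verifying the signature. This is a local
    sanity check only; Microsoft Graph is the party that validates the token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(access_token, configured_tenant_id, now=None):
    """Mirror 'Test token' and the renew-token note: is the token still active,
    and does its tenant ID (tid claim) match the existing configuration?"""
    claims = decode_claims(access_token)
    now = time.time() if now is None else now
    return {
        "active": claims.get("exp", 0) > now,
        "tenant_id": claims.get("tid"),
        "tenant_matches": claims.get("tid") == configured_tenant_id,
    }


def make_unsigned_jwt(claims):
    """Constructed, unsigned token for the offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI, SCOPES, state))
    # Constructed redirect, as the portal would send it back to the callback URL.
    code = parse_callback(f"{REDIRECT_URI}?code=AUTHCODE&state={state}", state)
    print(build_token_request(CLIENT_ID, "placeholder-secret", code, REDIRECT_URI, SCOPES))
    # Constructed token from tenant "tenant-A", checked against a configuration for "tenant-B":
    token = make_unsigned_jwt({"tid": "tenant-A", "exp": int(time.time()) + 3600})
    print(check_token(token, "tenant-B"))   # active, but tenant_matches is False
```

The tenant comparison is the check behind the renew-token note above: a token whose `tid` differs from the tenant ID of the existing configuration will leave the associated policies ineffective, so comparing the claim before accepting a renewed token tells you in advance whether a re-configuration is needed rather than discovering it when the policies stop applying.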
You can associate one or more user contexts with this configuration. You need to ensure that these selected user contexts are synced with Azure Active Directory. The Intune app management operations can only be performed on the user groups present in the selected user context:
Click Add.
Select the user context and then click OK.
After configuring Microsoft Graph API, click OK to save the updated configuration.