This document explains how IntuneGet authenticates users and performs Intune operations.
- User authentication (client-side): MSAL with delegated permissions.
- Service authentication (server/packager): Azure app credentials with application permissions.
- Consent model: tenant-level admin consent before deployment actions.
- Environment variable:
NEXT_PUBLIC_AZURE_AD_CLIENT_ID - Flow: users sign in with Microsoft work accounts.
- Primary delegated scope:
User.Read - Token usage: identify user and tenant context in the UI/API.
- Environment variables:
- Web app:
AZURE_AD_CLIENT_SECRET(orAZURE_CLIENT_SECRET) - Packager/service:
AZURE_CLIENT_ID,AZURE_CLIENT_SECRET
- Web app:
- Required application permissions:
DeviceManagementApps.ReadWrite.AllDeviceManagementManagedDevices.Read.All(for unmanaged apps)
- Purpose: create/update Intune Win32 apps and related metadata.
Before deployments can run for a tenant, a Global Administrator must grant consent.
Consent URL format:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}&redirect_uri={redirect-uri}
IntuneGet checks consent status before accepting packaging jobs.
- Uses
GITHUB_WORKFLOWS_REPO(private repository) for packaging workflow runs. - Callback endpoint:
/api/package/callback - Callback signing:
CALLBACK_SECRET(HMAC-SHA256)
- Web app uses
PACKAGER_MODE=local. - Packager authenticates using
PACKAGER_API_KEY. - Packager API endpoints:
GET /api/packager/jobsPOST /api/packager/jobs(claim)PATCH /api/packager/jobs(progress/status)DELETE /api/packager/jobs(release)
- Secrets must never be exposed to client-side code.
- Access tokens are short-lived and tenant-scoped.
- Callback signatures should be verified in all production deployments.
- Rotate Azure client secrets and PATs periodically.