The Microsoft Commercial cloud (also called Azure Public Cloud or Worldwide) is the standard cloud environment used by most organizations. This page covers configuration and app registration for the Commercial cloud.

Cloud Endpoints

Intune Commander uses the following endpoints for Microsoft Commercial cloud:
  • Graph API: https://graph.microsoft.com/beta
  • Authority Host: https://login.microsoftonline.com
  • OAuth 2.0 Authorization: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
  • OAuth 2.0 Token: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  • Graph Scopes: https://graph.microsoft.com/.default

Implementation Details

From CloudEndpoints.cs:
CloudEnvironment.Commercial => 
  ("https://graph.microsoft.com/beta", AzureAuthorityHosts.AzurePublicCloud)
The authority host constant AzureAuthorityHosts.AzurePublicCloud maps to:
  • Authority URI: https://login.microsoftonline.com

App Registration

Prerequisites

  • Global Administrator or Application Administrator role in Entra ID
  • Access to the Azure Portal: https://portal.azure.com

Registration Steps

1. Create App Registration

  1. Sign in to the Azure Portal
  2. Navigate to Entra ID > App registrations > New registration
  3. Configure the registration:
    • Name: Intune Commander (or your preferred name)
    • Supported account types: Accounts in this organizational directory only (single tenant)
    • Redirect URI:
      • Platform: Mobile and desktop applications
      • URI: http://localhost:45132
    • Click Register

2. Note Registration Details

After registration, copy the following values:
  • Application (client) ID - Found on the Overview page
  • Directory (tenant) ID - Found on the Overview page
You’ll need these values when creating a profile in Intune Commander.

3. Configure API Permissions

Navigate to API permissions and add the following Microsoft Graph Application permissions:
Device Management
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementScripts.ReadWrite.All
Conditional Access & Identity
  • Policy.ReadWrite.ConditionalAccess
  • Policy.Read.All
  • Agreement.ReadWrite.All
Organization & Branding
  • Organization.Read.All
  • OrganizationalBranding.ReadWrite.All
Groups
  • Group.Read.All
  • GroupMember.Read.All
Windows 365 (Optional)
  • CloudPC.ReadWrite.All
Windows 365 permissions require an active Windows 365 license. Without proper licensing, Cloud PC endpoints return HTTP 403 regardless of app permissions.

4. Grant Admin Consent

  1. Still on the API permissions page
  2. Click Grant admin consent for [Your Organization]
  3. Click Yes to confirm
  4. Verify all permissions show a green checkmark in the Status column

5. (Optional) Configure Client Secret

For unattended/service principal authentication:
  1. Navigate to Certificates & secrets
  2. Click New client secret
  3. Add a description: Intune Commander Service Principal
  4. Select expiration: 6 months, 12 months, or 24 months (recommended: 12 months)
  5. Click Add
  6. Immediately copy the secret value - it will not be shown again
Client secrets are sensitive credentials. Store them securely in a password manager or Azure Key Vault. Never commit secrets to source control or share them via email.

Authentication Methods

Interactive Browser (Default)

Use Case: Individual administrators signing in with their credentials
Configuration:
  • Auth Method: Interactive
  • Client Secret: (leave blank)
Behavior:
  • Opens browser window for authentication
  • Supports MFA, Conditional Access, and all Entra ID features
  • Token cached locally for persistent sessions
  • Tokens automatically refresh
Token Cache Location:
  • Windows: %LocalAppData%\.IdentityService\msal.cache
  • macOS: ~/.IdentityService/msal.cache
  • Linux: ~/.IdentityService/msal.cache
Azure.Identity Implementation:
var credential = new InteractiveBrowserCredential(
    new InteractiveBrowserCredentialOptions
    {
        TenantId = profile.TenantId,
        ClientId = profile.ClientId,
        AuthorityHost = authorityHost,
        RedirectUri = new Uri("http://localhost:45132")
    }
);

Client Secret (Service Principal)

Use Case: Unattended automation, scheduled tasks, CI/CD pipelines
Configuration:
  • Auth Method: ClientSecret
  • Client Secret: (paste the secret value from app registration)
Behavior:
  • No user interaction required
  • Authenticates as the application identity
  • All operations logged as the app (not a user)
  • Secrets are encrypted and stored in the profile file
Azure.Identity Implementation:
var credential = new ClientSecretCredential(
    profile.TenantId,
    profile.ClientId,
    profile.ClientSecret,
    new ClientSecretCredentialOptions
    {
        AuthorityHost = authorityHost
    }
);
Audit Trail: Service principal operations appear in audit logs as the application name, not a specific user. For accountability, consider using separate app registrations for different automation scenarios.
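As an added illustration (not Intune Commander's own code), the following selects the credential from a profile's Auth Method exactly as the two snippets above do, guards against a ClientSecret profile with no secret, and then requests a token for the Graph .default scope listed under Cloud Endpoints. The Profile record and its field names are assumptions.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Assumed minimal profile shape; field names mirror this page's profile JSON.
public sealed record Profile(string TenantId, string ClientId, string AuthMethod, string? ClientSecret);

public static class GraphAuth
{
    // Scope from the Cloud Endpoints list: all Graph permissions consented to the app.
    private const string GraphScope = "https://graph.microsoft.com/.default";

    // authorityHost for Commercial is AzureAuthorityHosts.AzurePublicCloud (login.microsoftonline.com).
    public static TokenCredential CreateCredential(Profile profile, Uri authorityHost)
    {
        switch (profile.AuthMethod)
        {
            case "Interactive":
                return new InteractiveBrowserCredential(new InteractiveBrowserCredentialOptions
                {
                    TenantId = profile.TenantId,
                    ClientId = profile.ClientId,
                    AuthorityHost = authorityHost,
                    RedirectUri = new Uri("http://localhost:45132") // must match the app registration exactly
                });
            case "ClientSecret":
                if (string.IsNullOrWhiteSpace(profile.ClientSecret))
                    throw new InvalidOperationException("ClientSecret auth method selected but the profile has no secret.");
                return new ClientSecretCredential(profile.TenantId, profile.ClientId, profile.ClientSecret,
                    new ClientSecretCredentialOptions { AuthorityHost = authorityHost });
            default:
                throw new ArgumentException($"Unknown auth method '{profile.AuthMethod}'", nameof(profile));
        }
    }

    // Azure.Identity caches and silently refreshes the token; call this again whenever a token is needed.
    public static async Task<AccessToken> GetGraphTokenAsync(Profile profile, CancellationToken ct = default)
    {
        var credential = CreateCredential(profile, AzureAuthorityHosts.AzurePublicCloud);
        return await credential.GetTokenAsync(new TokenRequestContext(new[] { GraphScope }), ct);
    }
}
```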

Profile Configuration

Creating a Profile

From the Login Screen:
  1. Launch Intune Commander
  2. Fill in the profile details:
    • Profile Name: Contoso-Production (friendly name for this tenant)
    • Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • Cloud: Commercial
    • Auth Method: Interactive or ClientSecret
    • Client Secret: (if using ClientSecret auth method)
  3. Click Save Profile
  4. Profile is encrypted and saved to local storage
Profile Storage Location:
  • Windows: %LocalAppData%\Intune.Commander\profiles.json
  • Linux: ~/.config/Intune.Commander/profiles.json
  • macOS: ~/Library/Application Support/Intune.Commander/profiles.json

Importing Profiles from JSON

From the Login Screen:
  1. Click Import Profiles
  2. Select a JSON file containing profile definitions
  3. Profiles are merged—duplicates (same Tenant ID + Client ID) are skipped
  4. Imported profiles appear in the Saved Profiles dropdown
JSON Format:
[
  {
    "name": "Contoso-Production",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "cloud": "Commercial",
    "authMethod": "Interactive"
  },
  {
    "name": "Contoso-Dev",
    "tenantId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
    "clientId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
    "cloud": "Commercial",
    "authMethod": "ClientSecret",
    "clientSecret": "your-client-secret-here"
  }
]
Template: A ready-to-use template is available at .github/profile-template.json in the source repository.
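The merge rule above (skip duplicates with the same Tenant ID + Client ID) as an added example, not the tool's own implementation; the ImportedProfile record and the case-insensitive key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Assumed profile record; property names match the JSON format on this page.
public sealed record ImportedProfile(string Name, string TenantId, string ClientId, string Cloud,
                                     string AuthMethod, string? ClientSecret);

public static class ProfileImport
{
    private static readonly JsonSerializerOptions Json = new() { PropertyNameCaseInsensitive = true };

    // Duplicate key: Tenant ID + Client ID. Entra GUIDs are compared case-insensitively (assumption).
    private static string Key(ImportedProfile p) => $"{p.TenantId.Trim()}|{p.ClientId.Trim()}".ToLowerInvariant();

    // Returns the merged list and how many imported entries were skipped as duplicates.
    public static (List<ImportedProfile> Merged, int Skipped) Merge(IEnumerable<ImportedProfile> existing, string importedJson)
    {
        var merged = existing.ToList();
        var seen = new HashSet<string>(merged.Select(Key));
        var incoming = JsonSerializer.Deserialize<List<ImportedProfile>>(importedJson, Json) ?? new();
        int skipped = 0;
        foreach (var p in incoming)
        {
            if (p.AuthMethod == "ClientSecret" && string.IsNullOrWhiteSpace(p.ClientSecret))
                throw new InvalidOperationException($"Profile '{p.Name}' uses ClientSecret but has no clientSecret value.");
            if (seen.Add(Key(p))) merged.Add(p); else skipped++;
        }
        return (merged, skipped);
    }
}
```

Imported JSON carries any clientSecret in plaintext, so the file should be deleted once the profiles have been saved and encrypted.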

Profile Encryption

Profiles are encrypted using Microsoft.AspNetCore.DataProtection:
  • Windows: Keys protected by DPAPI (user-scoped)
  • macOS/Linux: Keys protected by file system permissions
  • Encryption marker: File prefixed with INTUNEMANAGER_ENC:
  • Key storage: %LocalAppData%\Intune.Commander\keys directory
Plaintext profiles from older versions are automatically migrated to encrypted format on next save.
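An added example (not Intune Commander's code) of the storage scheme described above: DataProtection keys in a keys directory, DPAPI key wrapping on Windows only, the INTUNEMANAGER_ENC: marker on encrypted content, and legacy plaintext accepted on load so the next save encrypts it. The purpose string and class name are assumptions.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;

public sealed class ProfileStore
{
    private const string Marker = "INTUNEMANAGER_ENC:";
    private readonly IDataProtector _protector;

    // keysDirectory: e.g. %LocalAppData%\Intune.Commander\keys on Windows.
    public ProfileStore(string keysDirectory)
    {
        // On Windows the key ring is additionally wrapped with user-scoped DPAPI; on macOS/Linux
        // only the directory's file-system permissions protect it, as the page notes.
        var provider = DataProtectionProvider.Create(new DirectoryInfo(keysDirectory), builder =>
        {
            if (OperatingSystem.IsWindows()) builder.ProtectKeysWithDpapi();
        });
        _protector = provider.CreateProtector("Intune.Commander.Profiles"); // assumed purpose string
    }

    public static bool IsEncrypted(string fileContent) =>
        fileContent.StartsWith(Marker, StringComparison.Ordinal);

    public string Protect(string profilesJson) => Marker + _protector.Protect(profilesJson);

    // Legacy plaintext from older versions is returned unchanged; Save() then writes it encrypted.
    public string Unprotect(string fileContent) =>
        IsEncrypted(fileContent) ? _protector.Unprotect(fileContent.Substring(Marker.Length)) : fileContent;

    public void Save(string path, string profilesJson) => File.WriteAllText(path, Protect(profilesJson));

    public string Load(string path) => Unprotect(File.ReadAllText(path));
}
```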

Supported Features

All Intune Commander features are fully supported in the Commercial cloud:
  • Device Configurations: Full support
  • Compliance Policies: Full support
  • Applications: Full support
  • App Protection Policies: Full support
  • Conditional Access: Full support
  • Endpoint Security: Full support
  • Windows Updates: Full support
  • Scripts & Remediation: Full support
  • Enrollment Configurations: Full support
  • RBAC & Scope Tags: Full support
  • Groups: Full support
  • Terms of Use: Full support
  • Named Locations: Full support
  • Authentication Strengths: Full support
  • Conditional Access PowerPoint Export: Full support
  • Windows 365 Cloud PC: Full support (requires license)

Network Requirements

Required Outbound Connectivity

Intune Commander requires outbound HTTPS (443) access to:
  • login.microsoftonline.com: Authentication
  • graph.microsoft.com: Microsoft Graph API
  • *.microsoft.com: Certificate validation, service discovery

Proxy Support

Intune Commander uses the system proxy configuration automatically:
  • Windows: Internet Options proxy settings
  • macOS/Linux: System environment variables (HTTP_PROXY, HTTPS_PROXY)
Authenticated proxies are supported through system credential storage.

Troubleshooting

Authentication Failures

Symptom: “AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application”
Solution:
  1. Verify redirect URI is configured as http://localhost:45132 (Mobile and desktop applications)
  2. Ensure no trailing slash in redirect URI
  3. Check that the Client ID matches the app registration
Symptom: “Insufficient privileges to complete the operation”
Solution:
  1. Verify all required Graph API permissions are added
  2. Ensure admin consent has been granted (green checkmarks)
  3. Wait 5-10 minutes after granting consent for changes to propagate
  4. Try signing out and back in to refresh the token

Permission Errors

Symptom: “Forbidden” (HTTP 403) when listing resources
Solution:
  1. Use the Permission Check feature in Intune Commander (View menu)
  2. Verify missing permissions in the JWT token claims
  3. Add missing permissions in Azure Portal
  4. Grant admin consent
  5. Sign out and sign back in
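Step 2 above (checking the token's claims) as an added example, not the tool's Permission Check feature itself: it decodes the payload of an access token already issued to your own app and lists which of this page's required permissions are absent. The required-permission list is copied from the API Permissions section (Windows 365 omitted because it is optional).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class PermissionCheck
{
    public static readonly string[] Required =
    {
        "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementApps.ReadWrite.All",
        "DeviceManagementServiceConfig.ReadWrite.All", "DeviceManagementManagedDevices.Read.All",
        "DeviceManagementRBAC.ReadWrite.All", "DeviceManagementScripts.ReadWrite.All",
        "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Agreement.ReadWrite.All",
        "Organization.Read.All", "OrganizationalBranding.ReadWrite.All",
        "Group.Read.All", "GroupMember.Read.All"
    };

    // Reads the payload segment only. This does NOT validate the signature: it inspects a token
    // you obtained for your own app; it must never be used to decide whether to trust a token.
    public static HashSet<string> ReadGrantedPermissions(string accessToken)
    {
        var parts = accessToken.Split('.');
        if (parts.Length < 2) throw new FormatException("Not a JWT");
        var payload = parts[1].Replace('-', '+').Replace('_', '/');             // base64url -> base64
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        var granted = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        // App-only (ClientSecret) tokens carry permissions in "roles"; delegated (Interactive) tokens use "scp".
        if (doc.RootElement.TryGetProperty("roles", out var roles))
            foreach (var r in roles.EnumerateArray()) granted.Add(r.GetString()!);
        if (doc.RootElement.TryGetProperty("scp", out var scp))
            foreach (var s in scp.GetString()!.Split(' ', StringSplitOptions.RemoveEmptyEntries)) granted.Add(s);
        return granted;
    }

    public static IReadOnlyList<string> Missing(string accessToken)
    {
        var granted = ReadGrantedPermissions(accessToken);
        return Required.Where(p => !granted.Contains(p)).ToList();
    }
}
```

An empty result means every required permission is present in the token; a non-empty one names exactly what to add and consent to in the portal before signing in again.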

Client Secret Issues

Symptom: “AADSTS7000215: Invalid client secret provided”
Solution:
  1. Verify the secret hasn’t expired (check Certificates & secrets page)
  2. Ensure you copied the secret value, not the secret ID
  3. Check for extra spaces when pasting the secret
  4. Generate a new secret if the original is lost

Migration from PowerShell Version

Intune Commander maintains backward compatibility with the PowerShell IntuneManagement tool:

Export Compatibility

  • Format: JSON files in subfolder structure
  • Migration table: migration-table.json at export root
  • Compatibility: PowerShell tool can read .NET exports (forward compatibility not required)

Profile Migration

PowerShell profiles are not compatible. Create new profiles using the app registration steps above.
