Intune Commander supports multiple authentication methods to connect to Microsoft Graph API across different cloud environments.

Authentication Methods

Interactive Browser (Default)

Best for: Daily use by administrators on their workstation

Interactive authentication opens a browser window where you sign in with your Azure AD credentials. The app uses Azure.Identity’s InteractiveBrowserCredential with persistent token caching.

Features:
  • Multi-factor authentication (MFA) support
  • Conditional Access policy enforcement
  • Token refresh handled automatically
  • Tokens cached locally for seamless re-authentication
1. Select Interactive auth method
   On the login screen, ensure Auth Method is set to “Interactive” (default).
2. Click Login
   The app displays “Opening browser…” in the status bar.
3. Sign in
   A browser window opens at http://localhost:45132. Sign in with your Azure AD account.
4. Grant consent
   If this is your first time, you’ll be asked to grant consent for the requested Graph API permissions.
5. Return to app
   Once authentication succeeds, the browser window closes and the app connects to your tenant.
The redirect URI http://localhost:45132 must be registered in your Azure AD app registration as a “Mobile and desktop application” platform.

Client Secret

Best for: Unattended automation scenarios (scheduled reports, CI/CD pipelines)

Client Secret authentication uses a service principal with a pre-shared secret. No user interaction is required.
1. Select Client Secret auth method
   On the login screen, set Auth Method to “ClientSecret”.
2. Enter the secret
   The Client Secret field appears. Paste your app registration’s client secret.
3. Save and connect
   Click Save Profile to persist the credentials, then Login to authenticate.
Security Considerations:
  • Client secrets are stored encrypted via DataProtection
  • Secrets are never logged or displayed in the UI after entry
  • Use certificate-based auth (not yet implemented) for production automation
  • Rotate secrets regularly per your organization’s policy

Device Code Flow

Best for: Headless environments, macOS (due to Avalonia browser limitations)

Device Code flow displays a code that you enter on another device to complete authentication.
1. Select Device Code auth method
   Set Auth Method to “DeviceCode”.
2. Click Login
   The app displays:
     • A user code (e.g., ABCD1234)
     • A verification URL (e.g., https://microsoft.com/devicelogin)
3. Complete sign-in on another device
   Open the verification URL in a browser, enter the code, and sign in with your Azure AD account.
4. Return to app
   Once you’ve authenticated, the app connects to your tenant.
macOS users currently require Device Code flow due to Avalonia UI limitations preventing the interactive browser popup.

App Registration Setup

Before using Intune Commander, you must create an Azure AD app registration with the required permissions.
1. Create app registration
   Go to Azure Portal → Entra ID → App Registrations → New registration.
2. Configure platform
   Under Authentication:
     • Add a “Mobile and desktop applications” platform
     • Set redirect URI to http://localhost:45132
3. Add API permissions
   Under API permissions, add Microsoft Graph delegated permissions:
     • DeviceManagementConfiguration.ReadWrite.All
     • DeviceManagementApps.ReadWrite.All
     • DeviceManagementServiceConfig.ReadWrite.All
     • DeviceManagementManagedDevices.ReadWrite.All
     • Directory.Read.All
     • Policy.Read.All
     • Policy.ReadWrite.ConditionalAccess
   For a complete list, see docs/GRAPH-PERMISSIONS.md in the source repository.
4. Grant admin consent
   Click Grant admin consent for the tenant to pre-approve permissions for all users.
For government clouds (GCC-High, DoD), you must create separate app registrations in the respective Azure portals (portal.azure.us, portal.apps.mil).

Token Caching

Interactive and Device Code authentication use Azure.Identity’s built-in token cache:
  • Location: %LocalAppData%/.IdentityService (Windows)
  • Encryption: DPAPI-encrypted per-user
  • Refresh: Tokens are automatically refreshed when expired
  • Persistence: Tokens persist across app restarts
Client Secret authentication does not use persistent token caching; tokens are acquired on-demand for each Graph API call.

Multi-Cloud Authentication

Each cloud environment uses different Azure AD and Graph API endpoints:
Cloud      | Authority Endpoint                | Graph Endpoint
Commercial | https://login.microsoftonline.com | https://graph.microsoft.com
GCC        | https://login.microsoftonline.com | https://graph.microsoft.com
GCC-High   | https://login.microsoftonline.us  | https://graph.microsoft.us
DoD        | https://login.microsoftonline.us  | https://dod-graph.microsoft.us
Intune Commander automatically selects the correct endpoints based on the Cloud setting in your profile.
GCC-High and DoD require separate app registrations in their respective Azure portals. You cannot use a Commercial tenant app registration in GCC-High or DoD.

Verifying Permissions

After authenticating, Intune Commander can verify that your access token contains all required Microsoft Graph permissions.

Permissions Window

Access Tools → Check Permissions to open the Permissions Window.

What it shows:
  • Required Permissions — All Graph permissions needed by Intune Commander (60+ scopes)
  • Granted Permissions — Permissions present in your current access token (green checkmarks)
  • Missing Permissions — Required permissions absent from the token (red X marks)
  • Extra Permissions — Non-required permissions in your token (informational)
  • Claim Source — Shows whether token is delegated (scp claim) or application (roles claim)
Permission Check Results:
All required permissions are present in the access token. Intune Commander has full functionality.
  • Green summary banner
  • All checkboxes marked
  • No action required
Delegated vs Application Tokens:
  • Interactive Browser / Device Code → Delegated token (scp claim)
    • Permissions scoped to user’s rights
    • Admin consent still required for sensitive scopes
  • Client Secret → Application token (roles claim)
    • Permissions apply to service principal
    • Requires Application permissions (not Delegated)
The Permissions Window uses PermissionCheckService to decode the JWT access token and compare the scp or roles claim against the required permission list defined in GRAPH-PERMISSIONS.md.
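As an added illustration of the check described above (example code written for this page, not Intune Commander’s own PermissionCheckService), the following Python decodes an access token’s payload, reads the scp or roles claim to tell a delegated token from an application token, and reports missing and extra permissions against the scopes listed under App Registration Setup. The sample token is constructed and unsigned; the signature is deliberately not validated because this is an inspection of a token the app already holds, and Graph performs the real validation.

```python
import base64
import json

# Delegated permissions listed under App Registration Setup on this page
# (a subset; the full list lives in docs/GRAPH-PERMISSIONS.md).
REQUIRED_PERMISSIONS = {
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "Directory.Read.All",
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token):
    # Inspection only: the signature is not checked here. Graph validates the
    # token server-side; this reads the claims of a token the app already holds.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def check_permissions(token, required=REQUIRED_PERMISSIONS):
    claims = decode_payload(token)
    if "scp" in claims:
        # Delegated token: scp is one space-separated string of scopes.
        source, granted = "scp", set(claims["scp"].split())
    elif "roles" in claims:
        # Application token: roles is a JSON array of app permission names.
        source, granted = "roles", set(claims["roles"])
    else:
        source, granted = None, set()
    return {
        "claim_source": source,
        "granted": granted,
        "missing": required - granted,
        "extra": granted - required,
        "ok": required <= granted,
    }

def make_unsigned_token(payload):
    # Constructed sample token: "alg": "none" with an empty signature segment,
    # which no real tenant issues; used only to exercise the check offline.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return "{}.{}.".format(enc({"alg": "none", "typ": "JWT"}), enc(payload))
```

A delegated token whose scp claim omits any of the Intune scopes lands in "missing", which is the same condition behind the “Insufficient privileges” errors covered in Troubleshooting.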

When to Use Permission Checks

  • After initial app registration — Verify all permissions were added correctly
  • When features fail — Diagnose “Forbidden” or “Insufficient privileges” errors
  • After permission changes — Confirm new permissions are in the token
  • Multi-cloud setup — Verify government cloud app registrations have correct scopes

Troubleshooting Authentication

Browser doesn’t open (Interactive)

Cause: Firewall blocking localhost or browser not registered
Solution:
  • Check that http://localhost:45132 is not blocked by firewall
  • Try Device Code flow as an alternative

“Insufficient privileges” error

Cause: Missing Graph API permissions or admin consent not granted
Solution:
  • Verify all required permissions are added to the app registration
  • Ensure Grant admin consent was clicked
  • Ask your Azure AD admin to grant consent

Token cache errors

Cause: Corrupted token cache file
Solution:
  • Delete %LocalAppData%/.IdentityService folder
  • Re-authenticate

GCC-High/DoD connection fails

Cause: Using a Commercial tenant app registration
Solution:
  • Create a new app registration in the government cloud portal
  • Update your profile with the new Client ID
