Prerequisites
Before installing and running Intune Commander, ensure your environment meets the following requirements.
System Requirements
.NET 10 SDK
Intune Commander is built on .NET 10 and requires the SDK to build and run the application.
Download .NET 10 SDK
Download and install the .NET 10 SDK from the official Microsoft website: Download .NET 10 SDK
Development Environment (Optional)
While you can run Intune Commander using the .NET CLI, a development environment is helpful for building and debugging:
- Visual Studio 2022 (Windows)
- JetBrains Rider (Windows, macOS, Linux)
- Visual Studio Code with C# Dev Kit extension (Windows, macOS, Linux)
Operating System Requirements
Windows 10 1809 or higher is the recommended and fully supported platform.
| Platform | Support Level | Notes |
|---|---|---|
| Windows | ✅ Fully Supported | All features available, recommended platform |
| macOS | ⚠️ Limited Support | Avalonia limitations require Device Code authentication instead of interactive browser popup |
| Linux | 🔄 Planned | Initial support limited to headless/Core scenarios, scheduled report generation |
Hardware Requirements
- RAM: 512 MB minimum, 1 GB recommended
- Disk Space: 200 MB for application and dependencies
- .NET Runtime: Bundled with application (self-contained deployment)
Azure AD Requirements
App Registration
Intune Commander requires an Azure AD app registration to authenticate and access Microsoft Graph API.
You need separate app registrations for each cloud environment (Commercial, GCC-High, DoD) because these environments use different Azure portals and authentication endpoints.
| Cloud Environment | Azure Portal URL |
|---|---|
| Commercial | https://portal.azure.com |
| GCC | https://portal.azure.com |
| GCC-High | https://portal.azure.us |
| DoD | https://portal.apps.mil |
Redirect URI Configuration
Your app registration must include the following redirect URI:
Microsoft Graph API Permissions
Intune Commander requires Microsoft Graph API permissions to read and manage Intune configurations.
Required Delegated Permissions
These permissions are required for the application to function:
All permissions listed below must be granted Admin Consent by a Global Administrator or Privileged Role Administrator in your tenant.
Device Management
- DeviceManagementConfiguration.ReadWrite.All: Read and write device configurations, compliance policies, settings catalog
- DeviceManagementManagedDevices.ReadWrite.All: Read and write managed device information
- DeviceManagementServiceConfig.ReadWrite.All: Read and write service configuration (enrollment, scope tags, roles)
- DeviceManagementApps.ReadWrite.All: Read and write application management policies
Identity & Access
- Policy.Read.All: Read authentication methods, authorization policies, conditional access
- Policy.ReadWrite.ConditionalAccess: Read and write conditional access policies
- Application.Read.All: Read application registrations and service principals
Directory & Groups
- Directory.Read.All: Read directory data including users, groups, and organizational information
- Group.Read.All: Read group properties and memberships
- GroupMember.Read.All: Read group membership information
Permission Setup Steps
Navigate to API permissions
In the Azure portal:
- Go to Azure Active Directory → App registrations
- Select your app registration
- Click API permissions in the left navigation
Add Microsoft Graph permissions
- Click Add a permission
- Select Microsoft Graph
- Choose Delegated permissions
- Search for and select each permission listed above
- Click Add permissions
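To confirm that consent took effect, the following added example (not part of Intune Commander or its documentation) decodes a delegated access token and compares its `scp` claim with the permissions listed above. It assumes the token is a JWT carrying delegated scopes in `scp`; `audit_scopes` and `make_sample_token` are hypothetical helper names, and the sample token is constructed and unsigned.

```python
import base64
import json

# Delegated permissions this page lists as required.
REQUIRED_SCOPES = {
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All",
    "Directory.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(jwt):
    # Decode the payload for inspection only; the signature is NOT verified here.
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scp", "").split())


def audit_scopes(jwt):
    # Compare granted scopes with the page's list and flag write-capable ones.
    granted = token_scopes(jwt)
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "extra": sorted(granted - REQUIRED_SCOPES),
        "write_capable": sorted(s for s in granted if "ReadWrite" in s),
    }


def make_sample_token(scopes):
    # Constructed, unsigned sample token for offline use (not a real credential).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'scp': ' '.join(scopes)})}.sig"
```

A non-empty `missing` list means a permission was not added or not consented; `write_capable` shows which granted scopes allow changes, which is useful when deciding whether the read-only alternative is sufficient.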
Read-Only Alternative
If you only need to view configurations without making changes, you can use read-only permissions:
Authentication Methods
Intune Commander supports two authentication methods:
Interactive Browser (Recommended)
- User Experience: Browser popup with Azure AD sign-in
- Token Storage: Persistent token cache per profile
- Security: User-based authentication with MFA support
- Use Case: Interactive desktop use, administrative tasks
- Redirect URI configured: http://localhost:45132
- Port 45132 not blocked by firewall
- Browser available for sign-in
Client Secret
- User Experience: Silent authentication, no browser interaction
- Token Storage: Client secret stored encrypted locally
- Security: Service principal authentication
- Use Case: Automated scenarios, unattended operations, scheduled tasks
- Client secret created in app registration
- Secret value stored securely (encrypted in profile)
- App registration has application permissions (if needed)
macOS Users: Due to Avalonia UI limitations on macOS, interactive browser authentication may not work reliably. Use Device Code authentication or Client Secret authentication instead.
Network Requirements
Firewall Rules
Ensure your firewall allows outbound HTTPS (443) connections to:
Commercial & GCC:
Local Ports
For interactive browser authentication, port 45132 must be available on localhost for the OAuth redirect.
Optional Components
Syncfusion License (PowerPoint Export)
The Conditional Access PowerPoint export feature uses Syncfusion.Presentation.Net.Core, which requires a license key.
End users of the official release executable do not need a license key—it is embedded during the build process.
- Community License (FREE):
  - For companies/individuals with < $1M annual revenue
  - Maximum 5 developers
  - Register at: Syncfusion Community License
- Commercial License:
  - Required for companies exceeding Community License thresholds
  - Visit: Syncfusion Products
- Set environment variable:
Avalonia Accelerate (Optional)
Avalonia Accelerate is a community license that provides performance improvements for Avalonia UI applications. It is optional but recommended.
Next Steps
Once you’ve verified all prerequisites are met:
Installation
Build from source and run the application
App Registration
Create Azure AD app registrations for your cloud environments