
Authentication

How does this app authenticate with Intune?

The authentication methods on this page are listed in order of preference: the first is the most secure and the last is the least secure.

Authentication is needed for these commands:

Managed Identity

WinTuner supports Managed Identity authentication. This is the recommended method if you run WinTuner inside Azure, where a Managed Identity is available and no secret has to be stored or rotated.

Authenticate with Managed Identity
Deploy-WtWin32App -UseManagedIdentity $true

Specify the ClientId if you want to use a specific Managed Identity. This is useful if you have multiple user-assigned Managed Identities in your environment; without a ClientId the system-assigned identity of the host is used.

Authenticate with Managed Identity and specify ClientId
Deploy-WtWin32App -UseManagedIdentity $true -ClientId <string>

You can also specify these parameters through the environment variables:

  • AZURE_USE_MANAGED_IDENTITY = true
  • AZURE_CLIENT_ID

Default Credentials

A more flexible variant of Managed Identity authentication is Default Credentials. This uses DefaultAzureCredential from the Azure.Identity package, which tries several methods in turn: environment variables, Managed Identity, Azure CLI and more. Because it probes these sources in sequence, verify which credential actually wins, especially on a developer machine where a cached Azure CLI login may be picked up instead of the identity you intended.

Authenticate with Default Credentials
Deploy-WtWin32App -UseDefaultCredential $true

You can also specify these parameters through the environment variables:

  • AZURE_USE_DEFAULT_CREDENTIALS = true

Works with Azure CLI

This method also picks up Azure CLI credentials. If you have logged in with az login, or if you run the Azure Login GitHub Action (azure/login) before this command, it works out of the box.

You can also run it inside the AzureCLI task in Azure DevOps.

Interactive browser login

If you're running WinTuner on your local machine, you can use the interactive browser login. This will integrate with the native browser based login screen on Windows and with the default browser on other platforms.

Authenticate with interactive login (default tenant)
Deploy-WtWin32App -Username <String>

When you specify the -Username parameter you need to log in once; after that, WinTuner reuses the cached tokens for several days.

Authenticate with interactive login and specify tenant

Deploy-WtWin32App -Username <String> -TenantId <String>

If you are a guest in another tenant, specify that tenant with the -TenantId parameter. This triggers the same login screen, but the token is requested for the other tenant.

Use other application

WinTuner can use your own app registration instead of the built-in one. This is useful if you don't trust the built-in app registration, or if your tenant policy requires that only apps you control are granted Intune permissions.

Authenticate with interactive login, own app id
Deploy-WtWin32App -Username <String> -ClientId <String> [-TenantId <String>]

Client Credentials

Last resort

Using client credentials is not recommended because you'll have to keep the secret secret!

Please let us know if you have to use this method, we might be able to help you with a better solution.

If you cannot get the managed identity to work, you can use a client secret as a last resort. You will have to specify the TenantId, ClientId, and ClientSecret.

Authenticate with client secret
Deploy-WtWin32App -ClientId <String> -ClientSecret <String> -TenantId <String>

You can also specify these parameters through the environment variables:

  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET
  • AZURE_TENANT_ID

Token

If you have a token from another source, you can use that token to authenticate with Intune.

Authenticate with token
Deploy-WtWin32App -Token <String>

You can also specify these parameters through the environment variables:

  • AZURE_TOKEN

Token expiration

WinTuner cannot refresh a token it did not obtain itself, so make sure the token you pass is still valid for the whole run. It is generally recommended to use one of the other available methods.
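Because WinTuner cannot refresh an externally supplied token, the caller has to make sure it is fresh and issued for the right resource before handing it over. The following PowerShell is an added example, not part of WinTuner: it fetches a Microsoft Graph token from the Azure CLI (az account get-access-token, which refreshes its own session), decodes the token's expiry and audience claims, and only then calls Deploy-WtWin32App -Token. It assumes the Azure CLI is installed and logged in; the function names Get-GraphTokenFromAzCli and Test-GraphToken and the $deployArgs placeholder are this example's own.

```powershell
# Added example (not WinTuner's own code): obtain a Graph token elsewhere,
# check it is still valid and meant for Microsoft Graph, then pass it to
# Deploy-WtWin32App -Token.

function Get-GraphTokenFromAzCli {
    # Assumes 'az login' has been done; the CLI refreshes its own session and
    # returns a token that is valid right now.
    $token = az account get-access-token --resource 'https://graph.microsoft.com' --query accessToken -o tsv
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($token)) {
        throw 'az account get-access-token failed; run az login first.'
    }
    return $token.Trim()
}

function Test-GraphToken {
    param(
        [Parameter(Mandatory)] [string] $Token,
        # Refuse tokens that would expire before a deployment can finish.
        [int] $MinimumMinutesLeft = 5
    )
    # A JWT is header.payload.signature; the payload is base64url without padding.
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'The supplied value is not a JWT.' }
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

    # Intune is reached through Microsoft Graph, so the audience must be Graph
    # (either the resource URL or Graph's well-known application id).
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    if (([string]$claims.aud).TrimEnd('/') -notin $graphAudiences) {
        throw "Token audience '$($claims.aud)' is not Microsoft Graph."
    }

    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    $minutesLeft = ($expires - [DateTimeOffset]::UtcNow).TotalMinutes
    if ($minutesLeft -lt $MinimumMinutesLeft) {
        throw "Token expires in $([math]::Round($minutesLeft)) minute(s); obtain a fresh one."
    }
    return $claims
}

$graphToken = Get-GraphTokenFromAzCli
$claims = Test-GraphToken -Token $graphToken
Write-Host "Using token for tenant $($claims.tid), valid until $([DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp))"

# Assumed placeholder for the non-authentication parameters your package needs.
$deployArgs = @{}
Deploy-WtWin32App -Token $graphToken @deployArgs
```

Microsoft Graph access tokens are meant to be opaque to the client, so the claim check here is only a defensive sanity test, not a substitute for letting the issuer validate the token. If the deployment regularly runs longer than the remaining lifetime, switch to one of the methods above that can refresh tokens on their own.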