Authentication
How does this app authenticate with Intune?
The authentication methods on this page are listed in order of preference: the first one is the most secure and the last one is the least secure.
Authentication is needed for these commands:
Managed Identity
WinTuner supports Managed Identity authentication. This is the recommended way if you run WinTuner in the Azure Environment.
Deploy-WtWin32App -UseManagedIdentity $true
Specify the ClientId if you want to use a specific Managed Identity. This is useful if you have multiple user-assigned Managed Identities in your environment.
Deploy-WtWin32App -UseManagedIdentity $true -ClientId <string>
You can also specify these parameters through the environment variables:
AZURE_USE_MANAGED_IDENTITY=true
AZURE_CLIENT_ID
Default Credentials
A more extended version of the Managed Identity is the Default Credentials. This uses the DefaultAzureCredential from the Azure.Identity package, which tries several methods to authenticate: Environment Variables, Managed Identity, Azure CLI and more.
Deploy-WtWin32App -UseDefaultCredential $true
You can also specify these parameters through the environment variables:
AZURE_USE_DEFAULT_CREDENTIALS=true
This method uses the Azure CLI credentials, so if you logged in with az login, or if you call the GitHub Action azure login before this command, it will work out of the box.
You can also run it inside the AzureCLI DevOps task.
Interactive browser login
If you're running WinTuner on your local machine, you can use the interactive browser login. This will integrate with the native browser-based login screen on Windows and with the default browser on other platforms.
Deploy-WtWin32App -Username <String>
By specifying the -Username parameter you will need to log in once, and after that it will try to use the cached tokens for several days.
Deploy-WtWin32App -Username <String> -TenantId <String>
If you are a guest in another tenant, you can specify the tenant with the -TenantId parameter. This will trigger the same login screen, but you're requesting a token for another tenant.
Use other application
WinTuner has an option to use your own app registration. This is useful if you don't trust the built-in app registration.
Deploy-WtWin32App -Username <String> -ClientId <String> [-TenantId <String>]
Client Credentials
Using client credentials is not recommended because you'll have to keep the secret, secret!
Please let us know if you have to use this method; we might be able to help you with a better solution.
If you cannot get the managed identity to work, you can use a client secret as a last resort. You will have to specify the TenantId, ClientId, and ClientSecret.
Deploy-WtWin32App -ClientId <String> -ClientSecret <String> -TenantId <String>
You can also specify these parameters through the environment variables:
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
Token
If you have a token from another source, you can use that token to authenticate with Intune.
Deploy-WtWin32App -Token <String>
You can also specify these parameters through the environment variables:
AZURE_TOKEN
We cannot refresh these tokens, so give us one that is still valid. It's generally recommended to use the other available methods.
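Because a token passed this way cannot be refreshed, it helps to check its remaining lifetime before starting a deployment. The following is an added example, not part of WinTuner: the function names, the 15-minute margin and the sample token are assumptions made for illustration.

```powershell
# Reads the claims of a JWT access token. This does not verify the signature;
# the service does that. It only tells you what the token says about itself.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated segments.' }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-TokenUsable {
    param(
        [Parameter(Mandatory)][string]$Token,
        [int]$MinimumMinutesLeft = 15   # assumed margin for one deployment run
    )
    $claims = Get-JwtPayload -Token $Token
    if (-not $claims.exp) { throw 'Token has no exp claim.' }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    $left = $expires - [DateTimeOffset]::UtcNow
    [pscustomobject]@{
        Audience    = $claims.aud
        ExpiresUtc  = $expires.UtcDateTime
        MinutesLeft = [math]::Floor($left.TotalMinutes)
        Usable      = $left.TotalMinutes -ge $MinimumMinutesLeft
    }
}

# Constructed sample token (unsigned, not a real credential), expiring in one hour.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$payload = '{{"aud":"https://graph.microsoft.com","exp":{0}}}' -f $exp
$sample = '{0}.{1}.sig' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload)

$check = Test-TokenUsable -Token $sample
$check | Format-List
if (-not $check.Usable) { throw 'Token expires too soon; request a fresh one.' }
# With a real token: set $env:AZURE_TOKEN in this process only, run
# Deploy-WtWin32App, then remove it with Remove-Item Env:AZURE_TOKEN.
```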