aaronparker / packagefactory

A packaging factory for Microsoft Intune using Evergreen, VcRedist, and IntuneWin32App
https://stealthpuppy.com/packagefactory/
MIT License

Required permissions and devops authentication #45

Open Flory321 opened 9 months ago

Flory321 commented 9 months ago

Hey guys, we tried the Intune package factory in our test tenant and in fact it's really an awesome tool! It's definitely helpful for apps whose versions change a lot and which are not available in Intune's MS Store integration (new).

But there are the following 2 things which currently block us from using it in production:

  1. We do not understand why the service principal needs the right "DeviceManagementRBAC.ReadWrite.All". In my opinion, this permission should only be granted if it's really required.
  2. Azure DevOps uses a client secret as the "Service Principal". Here we would need it to support "workload identity federation".

Don't get me wrong - we do honor what's there right now, but our internal guidelines block us from using it as it is now. Are there any changes planned to address the above topics?

Thanks Florian

aaronparker commented 4 months ago

Authentication to Entra ID is managed with the IntuneWin32App module (I have no plans to write my own authentication methods). See: https://github.com/MSEndpointMgr/IntuneWin32App

Flory321 commented 4 months ago

Thanks so much for the response. Do you know why the permission "DeviceManagementRBAC.ReadWrite.All" is required?
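The thread does not answer why `DeviceManagementRBAC.ReadWrite.All` is granted, and a practitioner reviewing the automation account would want to verify what the service principal actually holds rather than what the documentation says it needs. The script below is an added example written for this page; it is not code from packagefactory or from the IntuneWin32App module. It assumes the Microsoft.Graph PowerShell SDK is installed and that the reviewer signs in as an admin who can read application objects; the `$AppId` value and the `$Approved` list are placeholders, since the page does not state which permissions the factory requires.

```powershell
# Added example (not packagefactory or IntuneWin32App code): list the Microsoft
# Graph application permissions granted to the automation service principal
# and flag anything outside the set your security review has approved.
# Assumptions: Microsoft.Graph SDK installed; $AppId and $Approved are
# placeholders to be replaced with your own app registration and approved list.

param(
    [string]$AppId = '00000000-0000-0000-0000-000000000000',      # placeholder: client ID of the automation app registration
    [string[]]$Approved = @('DeviceManagementApps.ReadWrite.All')  # placeholder: permissions you have explicitly signed off on
)

# Reading app role assignments requires Application.Read.All for the signed-in reviewer.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# The automation app's service principal in this tenant
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Microsoft Graph's own service principal; its AppRoles map role GUIDs to names
# such as 'DeviceManagementRBAC.ReadWrite.All'
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Application permissions (app role assignments) the automation SP holds on Microsoft Graph
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

# Anything granted that is not on the approved list
$unexpected = @($granted | Where-Object { $_ -notin $Approved })

[pscustomobject]@{
    ServicePrincipal = $sp.DisplayName
    Granted          = ($granted -join ', ')
    NotApproved      = ($unexpected -join ', ')
}

# Fail a pipeline gate if the SP holds more than the review accepted
if ($unexpected.Count -gt 0) {
    Write-Error "Unapproved Graph application permissions: $($unexpected -join ', ')"
    exit 1
}
```

Running this against the tenant shows immediately whether `DeviceManagementRBAC.ReadWrite.All` is present on the service principal and lets the finding be raised with the concrete assignment rather than a guess; the same check can run as a gate in the pipeline so a later consent grant does not silently widen the account's rights.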