Help with inTune integration please?

[Guest Paul Alexander]

I'm trying to get details of an inTune enabled device using an iBridge connector, but I'm getting this 'forbidden' error (I've got a key set up in our KeySafe). 

Any idea what the error means please?! 

[Guest Paul Alexander]

Anyone please?

[Steve G]

Hi @Paul Alexander,

I've just done some testing, and that error is returned from Intune if the Azure user who the Keysafe key is created with doesn't have an Intune license, or access to those records. If the key is created with the details of a user who does have access to the record, the connector returns the device details as expected.

I will improve that error message though!

Cheers,

Steve

[Guest Paul Alexander]

Hi @Steve G

Thanks for the info......BUT.......(there's always a but!)

I've gone in to KeySafe and removed the 'old' MS InTune option we had in there, and tried to create a new one, but it doesn't give me any options to re-add the username and password details. It just gives me the option to connect, which (when I press it) immediately logs in (presumably with the OLD details) and connects successfully. 

Obviously I could change the 'rights' of this account in our AD, but we'd rather use a different account. 

Any ideas please?

thanks

 

Paul

[Steve G]

Hi @Paul Alexander,

This will most likely be due to an Azure session being active in the current browser (or the Stay logged in option has been taken on a previous Azure login, so the session information is kept in the browser storage). So when keysafe launches the Microsoft page for authorisation, the MS page detects an existing account session and uses that for the key... Hard-logging out of Azure in your browser before trying to re-connect the key should fix this.

Cheers,

Steve

[Craig Watson]

Hi Steve,

We are still having a couple of problems with this, I have collated the below information and was hoping you might be able to point us in the right direction as to where we might be going wrong!

 

Scenario:

Paul who has access to the Hornbill admin area signs in to chrome as himself into the admin area

We set up the keysafe as per the wiki documentation and get to the Azure credential prompt where we can select "Sign-in as another account"

If I sign in with another account that has "Intune Service Administrator" or "Global Administrator" rights in our Azure environment I get the following Attachment1 error

If I grant Paul "Global Administrator" rights in our Azure environment and use his credentials to approve the application it works, we get the prompt to approve the application and it is a success, and the Enterprise application is created in our Azure environment

The next problem is when we try to then retrieve data from Intune in Hornbill, we get the Attachment2 error

 

The questions I have are:

Is there anything preventing a different administrator account from approving the application?

Can the account being used to approve the application be MFA enabled?

What permissions does the account being used require exactly to be able to approve the application and be used to retrieve the data from Intune?

 

Sorry for the long message, hope its enough!

Cheers

Craig

 

 

[Guest Paul Alexander]

Any thoughts on this please @Steve G? 

thanks

[Steve G]

Hi @Paul Alexander,

The first message I'm not sure about to be honest, your Azure admin may be able to help with that.

The second message suggests that the keysafe key that the integration node is configured against has been deleted? Could you check the integration node in your workflow and make sure it's got an active key defined against it?

Cheers,

Steve