Upgrading TPP and Intune migration from ADAL to MSAL
Beginning with Trust Protection Platform 22.2, Microsoft Intune integration uses Microsoft Authentication Library (MSAL) instead of Active Directory Authentication Library (ADAL) to communicate with Microsoft APIs.
If you use the Intune integration on TPP 22.1 or earlier, add the Microsoft Graph Application.Read.All application permission to your app registration before you upgrade, as described in Integrating with Microsoft Intune and in the section below.
Configure Azure permissions for Intune integration
- Open the Azure Active Directory portal and find the App Registration you use to integrate Trust Protection Platform with Microsoft Intune.
- Open the API permissions page and verify that the Microsoft Graph Application.Read.All permission is listed. If it is not:
  - Click Add a permission.
  - Select Microsoft Graph.
  - Select Application permissions (not Delegated permissions).
  - Select Application.Read.All.
  - Click Add permissions.
  - Grant admin consent after adding the permission.
Once the upgrade to 22.2 (or later) is complete, the existing Azure Active Directory Graph Application.Read.All permission is no longer needed and can be removed.
NOTE Pay attention to the permission name! Both permissions are called Application.Read.All; remove only the Azure Active Directory Graph one. Do NOT delete Microsoft Graph Application.Read.All.
If the Microsoft Graph permission is missing, or admin consent for it has not been granted, Intune certificate enrollment fails with a 403 Forbidden error after the TPP 22.2 upgrade.
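The following is an added example, not code from the Venafi documentation or from the product: a small Python pre-upgrade check that reads the app registration's permission list and reports whether the Microsoft Graph Application.Read.All application permission is requested and admin-consented, and whether the legacy Azure AD Graph permission of the same name is still present. It assumes you have exported the registration's requiredResourceAccess (for example with `az ad app show --id <appId> --query requiredResourceAccess`), the id and appRoles of the Microsoft Graph and Azure AD Graph service principals (`az ad sp show --id 00000003-0000-0000-c000-000000000000 --query '{id:id,appRoles:appRoles}'`), and the appRoleAssignments of your app's service principal (`az rest --url "https://graph.microsoft.com/v1.0/servicePrincipals/<objectId>/appRoleAssignments"`). The resource application IDs are the well-known ones; all other data embedded below, including the role GUIDs, is constructed placeholder data for the example.

```python
"""Pre-upgrade check of the Azure AD app registration TPP uses for Intune.

TPP 22.2+ calls Microsoft Graph, so the registration needs the Microsoft Graph
Application.Read.All application permission ("Role", not a delegated "Scope")
with admin consent granted. The legacy Azure AD Graph Application.Read.All
permission may be removed once the upgrade is complete and must not be confused
with the Microsoft Graph one.

Object shapes follow the app manifest (requiredResourceAccess), the service
principal appRoles list and appRoleAssignment objects; all SAMPLE_* data is
constructed for this example, including the role GUIDs.
"""
from dataclasses import dataclass, field

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph
PERMISSION = "Application.Read.All"


@dataclass
class CheckResult:
    graph_requested: bool = False   # Microsoft Graph Application.Read.All, type "Role"
    graph_consented: bool = False   # admin consent recorded as an appRoleAssignment
    legacy_present: bool = False    # Azure AD Graph Application.Read.All still listed
    findings: list = field(default_factory=list)

    @property
    def ready_for_22_2(self) -> bool:
        return self.graph_requested and self.graph_consented


def app_role_id(catalogue, resource_app_id, value):
    """Resolve a permission name to its appRole GUID on a resource service principal."""
    for role in catalogue[resource_app_id]["appRoles"]:
        if role["value"] == value and "Application" in role["allowedMemberTypes"]:
            return role["id"]
    return None


def check_intune_permissions(required_resource_access, assignments, catalogue):
    result = CheckResult()
    graph_role = app_role_id(catalogue, MS_GRAPH_APP_ID, PERMISSION)
    legacy_role = app_role_id(catalogue, AAD_GRAPH_APP_ID, PERMISSION)

    for resource in required_resource_access:
        for access in resource["resourceAccess"]:
            if resource["resourceAppId"] == MS_GRAPH_APP_ID:
                # Only the application permission (type "Role") counts; a delegated
                # scope would not let TPP call Graph as itself.
                if access["id"] == graph_role and access["type"] == "Role":
                    result.graph_requested = True
            elif resource["resourceAppId"] == AAD_GRAPH_APP_ID and access["id"] == legacy_role:
                result.legacy_present = True

    # Admin consent for an application permission is stored as an appRoleAssignment
    # from the app's service principal to the resource's service principal.
    graph_sp_object_id = catalogue[MS_GRAPH_APP_ID]["id"]
    result.graph_consented = any(
        a["resourceId"] == graph_sp_object_id and a["appRoleId"] == graph_role
        for a in assignments
    )

    if not result.graph_requested:
        result.findings.append("Add Microsoft Graph > Application permissions > "
                               "Application.Read.All to the app registration.")
    elif not result.graph_consented:
        result.findings.append("Grant admin consent for Microsoft Graph Application.Read.All.")
    if result.legacy_present:
        result.findings.append("Azure AD Graph Application.Read.All is still present; remove it "
                               "only after the 22.2 upgrade completes, keeping the Microsoft "
                               "Graph permission.")
    return result


# --- constructed sample data (placeholder GUIDs, not real tenant values) ---
SAMPLE_CATALOGUE = {
    MS_GRAPH_APP_ID: {
        "id": "aaaaaaaa-0000-4000-8000-0000000000a1",       # Graph SP object id
        "appRoles": [
            {"id": "aaaaaaaa-0000-4000-8000-0000000000a2", "value": "Application.Read.All",
             "allowedMemberTypes": ["Application"]},
            {"id": "aaaaaaaa-0000-4000-8000-0000000000a3", "value": "Directory.Read.All",
             "allowedMemberTypes": ["Application"]},
        ],
    },
    AAD_GRAPH_APP_ID: {
        "id": "bbbbbbbb-0000-4000-8000-0000000000b1",       # Azure AD Graph SP object id
        "appRoles": [
            {"id": "bbbbbbbb-0000-4000-8000-0000000000b2", "value": "Application.Read.All",
             "allowedMemberTypes": ["Application"]},
        ],
    },
}
# A 22.1-era registration: only the legacy Azure AD Graph permission.
SAMPLE_PRE_UPGRADE = [
    {"resourceAppId": AAD_GRAPH_APP_ID,
     "resourceAccess": [{"id": "bbbbbbbb-0000-4000-8000-0000000000b2", "type": "Role"}]},
]
# The same registration after the Microsoft Graph permission was added.
SAMPLE_MIGRATED = SAMPLE_PRE_UPGRADE + [
    {"resourceAppId": MS_GRAPH_APP_ID,
     "resourceAccess": [{"id": "aaaaaaaa-0000-4000-8000-0000000000a2", "type": "Role"}]},
]
# Admin consent granted for the Microsoft Graph role.
SAMPLE_CONSENT = [
    {"appRoleId": "aaaaaaaa-0000-4000-8000-0000000000a2",
     "resourceId": "aaaaaaaa-0000-4000-8000-0000000000a1"},
]

if __name__ == "__main__":
    for label, manifest, grants in [("pre-upgrade", SAMPLE_PRE_UPGRADE, []),
                                    ("added, no consent", SAMPLE_MIGRATED, []),
                                    ("added + consent", SAMPLE_MIGRATED, SAMPLE_CONSENT)]:
        r = check_intune_permissions(manifest, grants, SAMPLE_CATALOGUE)
        print(f"{label}: ready={r.ready_for_22_2}; " + " | ".join(r.findings))
```

The check resolves the permission by name on each resource rather than hard-coding role GUIDs, because the two permissions share the name Application.Read.All and differ only in the resource they belong to; that is exactly the mix-up the NOTE above warns about. Consent is checked through appRoleAssignments because the manifest alone only shows that a permission was requested, and a requested-but-unconsented permission still produces the 403 Forbidden error.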