Connect to Microsoft Intune using OAuth with admin consent
Prerequisites
Before you begin, ensure you have:- Global Administrator or Intune Administrator role (required to grant admin consent)
- Devices enrolled in Microsoft Intune
Setup guide
1
Navigate to integrations
- Go to Settings > Integrations
- Find Microsoft Intune in the Device Management section
2
Start OAuth flow
Click Connect with Intune to begin the OAuth authorization flow. You will be redirected to Microsoft to sign in.
3
Grant admin consent
Sign in with an administrator account and grant consent for the requested permission:
Allows Ravenna to read managed device information and compliance status from your Intune tenant.
4
Complete setup
After granting consent, you are redirected back to Ravenna. The integration validates the connection by:
- Extracting your tenant ID from the Microsoft token
- Testing connectivity to the Microsoft Graph API
- Verifying the
DeviceManagementManagedDevices.Read.Allpermission is granted
Troubleshooting
Admin consent not granted
Admin consent not granted
Cause: The signed-in user does not have permission to grant admin consentSolution:
- Sign in with a Global Administrator or Intune Administrator account
- If your organization restricts admin consent, ask a Global Administrator to approve the permission from the Azure portal
API validation failed
API validation failed
Cause: The
DeviceManagementManagedDevices.Read.All permission has not propagated yetSolution:- Wait a few minutes for permission propagation across Microsoft services
- Retry the connection from Ravenna
- Verify the permission is listed under “API permissions” in your app registration in the Azure portal
No devices found for user
No devices found for user
Cause: Ravenna could not resolve the requester to a Microsoft Entra ID user, or the user has no devices assigned to them in IntuneSolution:
- Verify the requester exists as a user in your Microsoft Entra ID (Azure AD) tenant
- Confirm the user has devices enrolled in Intune with their Entra account set as the primary user
- If the requester’s email differs from their Entra UPN, ensure their email is listed as a verified or proxy address on the Entra user so Ravenna can match them
Token expired or invalid
Token expired or invalid
Cause: The OAuth access token has expired or been revokedSolution:
- Ravenna automatically refreshes tokens, but you may need to reconnect if the refresh token is also invalid
- Disconnect the integration and reconnect with OAuth
- Verify the app registration is still enabled in Entra ID
- Check that the service principal has not been deleted or disabled