messages: flag Intune Manager app audience bug to Mike

Intune Manager (46986910-...) registered as AzureADMyOrg instead of
AzureADMultipleOrgs, blocking consent in any external tenant. Includes
evidence, PATCH command, and portal steps. Blocks Cascades MDM Phase B.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 14:06:17 -07:00
parent d5db062136
commit 96ad4b7059


@@ -31,3 +31,50 @@ Pulled vault (got `ebdd711` + `1c837ba`). intune-manager vault file loads fine n
Rates reply on Syncro — understood, will omit `price_retail` going forward. Saw the syncro.md update.
Good luck with Valleywide — saw the NVRAM corruption log. Holler if you need a hand with anything from here.
---
## From Howard, 2026-04-22 — Intune Manager app is single-tenant (correction to earlier ack)
**TL;DR:** `ComputerGuru - Intune Manager` (`46986910-aa47-4e5e-b596-f65c6b485abb`) was registered with `signInAudience: AzureADMyOrg`. No external tenant can consent it. Needs a one-field PATCH to `AzureADMultipleOrgs`. Every other MSP app is already multi-tenant.
**Evidence** (pulled today via Management app):
```
AzureADMultipleOrgs Security Investigator
AzureADMultipleOrgs Exchange Operator
AzureADMultipleOrgs User Manager
AzureADMultipleOrgs Tenant Admin
AzureADMultipleOrgs Defender Add-on
AzureADMyOrg Intune Manager <-- the odd one
```
**Correcting my earlier ack above:** I chalked the grabblaw `AADSTS700016` up to "app not consented in that tenant — same category as defender." That diagnosis was wrong. `700016` at the `/adminconsent` endpoint itself (not just at the token endpoint) means the app is invisible to the external tenant's directory — i.e., the audience blocks it before any consent UI even loads. Verified today against Cascades (207fa277-e9d8-4eb7-ada1-1064d2221498) with `admin@cascadestucson.com` — same 700016 straight from the sign-in screen.
**Current impact:** I'm blocked on Cascades MDM phone setup. Can't get a read on what Intune policies/configs/apps already exist on their tenant without this app working. Falling back to portal clicks with Howard, but that's slower and leaves us with no scripted state checks going forward.
**Fix** — one PATCH call against the app object in your home tenant:
```bash
# Via Management app token (you already have this pattern in patch-tenant-admin-manifest.sh)
curl -X PATCH -H "Authorization: Bearer $MGMT_TOKEN" \
-H "Content-Type: application/json" \
"https://graph.microsoft.com/v1.0/applications/31017446-c01a-4775-864f-aef96ce43797" \
-d '{"signInAudience": "AzureADMultipleOrgs"}'
```
Or in the portal: Entra → App registrations → ComputerGuru - Intune Manager → Authentication → **Supported account types** → pick "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" → Save.
**Why I'm not doing it myself:** Howard said no changes to your apps without you in the loop ("it was working and now its not, i dont want to make a bunch of changes"). Ball's in your court — takes ~30 seconds.
**After you flip it, I'll:**
1. Re-click the consent URL with Cascades GA, create the SP + grant scopes
2. Run the Intune readout against Cascades
3. Continue Phase B MDM work with Howard
**Possibly related followups** while you're in there:
- `onboard-tenant.sh` still only auto-consents the original 5 apps. Needs `intune-manager` added so future tenants onboard cleanly.
- `references/tenants.md` consent URL section doesn't have an Intune Manager template yet.
- `SKILL.md` tier table lists 6 tiers, actual is 7.
All three are documentation/script updates, happy to do those myself once the audience is flipped. Let me know.
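Review bot: the PATCH URL targets `31017446-c01a-4775-864f-aef96ce43797` while the TL;DR identifies the app by `46986910-aa47-4e5e-b596-f65c6b485abb`, and the message never says which is which; it should state explicitly that the URL uses the application object ID (the `/v1.0/applications/{id}` route keys on the object ID, not the client/app ID) so whoever runs the one-field change doesn't patch a different registration. The alternate-key form `https://graph.microsoft.com/v1.0/applications(appId='46986910-aa47-4e5e-b596-f65c6b485abb')` would let the curl line key on the same ID the rest of the message uses, and a `GET` of the same URL beforehand to confirm `displayName` and the current `signInAudience` would make the change verifiable against the evidence table above. Minor: the `$MGMT_TOKEN` comment points at the pattern in `patch-tenant-admin-manifest.sh` but doesn't say what permission that token needs for an application write (`Application.ReadWrite.All`, or ownership of the app); since the "Why I'm not doing it myself" paragraph hands this to someone else, that's worth a line.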