Delegated vs app-only access
Choose the right Graph auth mode: delegated tokens from Microsoft sign-in, or app-only credentials for service automation.
Delegated access uses the signed-in admin’s permissions and avoids storing secrets—great for interactive admin workflows.
App-only can be useful for automation, but it requires careful secret handling and tenant configuration.
Key points
- Delegated-first is simplest for interactive admin UI
- App-only is helpful for scheduled automation
- Use least privilege in both modes
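
Added example, not part of the original guide: a small reviewer's check that decodes a Graph access token's payload and reports which mode it was issued in and whether it carries more permissions than the tool needs. It relies on the Microsoft identity platform convention that delegated tokens carry a space-separated `scp` claim while app-only tokens carry a `roles` array (and `idtyp` set to `app` when that optional claim is configured). The `ALLOWED` list, the helper names and both sample tokens are constructed for illustration.

```python
import base64
import json

# Assumption: the permissions a hypothetical read-only inventory tool needs.
ALLOWED = {
    "delegated": {"User.Read", "DeviceManagementManagedDevices.Read.All"},
    "app-only": {"DeviceManagementManagedDevices.Read.All"},
}

def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified: use for review only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(claims: dict) -> dict:
    """Report the auth mode and any permissions beyond the allow-list."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if scopes:                      # delegated: acts as the signed-in admin
        mode, granted = "delegated", scopes
    elif roles or claims.get("idtyp") == "app":  # app-only: no user present
        mode, granted = "app-only", roles
    else:
        mode, granted = "unknown", set()
    excess = sorted(granted - ALLOWED.get(mode, set()))
    return {"mode": mode, "granted": sorted(granted), "excess": excess}

def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

# Constructed samples: one delegated token, one over-privileged app-only token.
DELEGATED = make_sample({"scp": "User.Read DeviceManagementManagedDevices.Read.All",
                         "upn": "admin@contoso.example"})
APP_ONLY = make_sample({"idtyp": "app",
                        "roles": ["DeviceManagementManagedDevices.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        print(name, classify(decode_claims(tok)))
```

A non-empty `excess` list on an app-only token is the case to act on first, since that permission applies tenant-wide with no signed-in user to bound it.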
Related guides
Multi-tenant IT portal best practices
Practical multi-tenant patterns: scoping data by organization, controlling admin access, and avoiding cross-tenant leakage.
Import identifiers during device refresh cycles
A practical approach to handling bulk refresh cycles: staged capture, verification, and safe Intune import workflows.
Least-privilege Graph permissions for IT tools
Minimize Graph permissions to what you truly need. This reduces security risk and simplifies approval.
Export device inventory for reporting
Exporting inventory enables reporting and reconciliation with other systems. Start with simple CSV exports and iterate.
Check existing identifiers in Intune (before import)
Avoid duplicates by checking whether identifiers already exist in Intune before importing new corporate identifiers.
Build a lightweight device inventory (without a CMDB)
A minimal device inventory can still be powerful: serial, manufacturer, model, verification status, and notes.
This guide is informational. If you’re using Intune features, ensure you have the right tenant permissions and administrator consent where required.