Prepare Microsoft Entra ID for Intune Integration

Learn how to create and configure an enterprise application in Microsoft Entra ID that enables authentication for the Staffbase Employee App.


Microsoft Intune integration with Staffbase enables you to apply app protection and compliance policies directly to your app. This allows you to enforce security controls such as restricting data transfer, requiring secure access, and ensuring that only compliant users and devices can access corporate content. To set up the integration, you need to create and configure an enterprise app in Microsoft Entra ID. Authentication is handled through the Microsoft Authentication Library (MSAL). MSAL enables the Employee App to authenticate users with Microsoft Entra ID and obtain the tokens required to access protected resources. Intune relies on this authenticated identity to apply the correct app protection and compliance policies.

Prerequisites:

  • You have Microsoft Intune.
  • You have a working Microsoft Entra ID SAML SSO integration for Staffbase.
  • You have one of the following permissions to configure provisioning in Entra ID:
    • Application Administrator
    • Cloud Application Administrator
    • Global Administrator
  • You have received the following app configuration details from Staffbase:
    • Package name or bundle ID
    • Signature hash

You need to create a dedicated app for setting up Microsoft Intune. This application represents the Employee App in your identity environment and is used by MSAL to authenticate users.

Always create a new enterprise application. Do not reuse an existing enterprise application that already has SAML SSO enabled.
  1. In Microsoft Azure, under Azure services, click Microsoft Entra ID.
  2. Navigate to Enterprise applications.
  3. Click New application.
  4. Click Create your own application.
    The Create your own application dialog opens.
  5. Provide a name for the application. For example, Staffbase Employee App Intune Integration or something similar that helps you instantly identify the application.
  6. Select Integrate any other application you don’t find in the gallery (Non-gallery).
  7. Click Create.
    You have created an application to authenticate users of your Employee App.

After creating the enterprise application, you can decide which Entra ID users and groups get access to the Employee App through the integration.

Users assigned to the application must have a Microsoft Intune license.

Staffbase recommends first adding a few users to test that everything works as expected.

  1. In the enterprise application you created, click Users and groups.
    The Users and groups page opens.
  2. Click Add user/group.
  3. Click None Selected.
    The Users and groups dialog opens.
  4. Search for the user or group you want to add and click Select.
  5. Click Assign.
    You have assigned users or groups to the application.

You need to define the app properties to prevent sign-in restrictions at the Entra level for the Employee App.

The Assignment required setting only controls whether users must be explicitly assigned to the enterprise application in Entra ID in order to sign in. It does not control Intune app targeting, App Protection Policy assignment, or Conditional Access. These are managed in Intune.

To prevent sign-in failures for users targeted correctly in Intune, set the Assignment required option to No.

  1. In the enterprise application you created, click Properties.
    The Properties page opens.
  2. Set Assignment required? to No.
  3. Click Save.

The Employee App must request access tokens during authentication. To allow this, you need to expose an API and define the required permission scope in Microsoft Entra ID.

This configuration enables the app to request delegated access on behalf of the signed-in user.

  1. In the Microsoft Entra admin center, navigate to App registrations > the enterprise app you created.
  2. Navigate to Expose an API.
  3. Click Add an Application ID URI.
    The Application ID URI page opens.
  4. Click Add.
    The Edit application ID URI dialog opens with the default application ID prefilled.
  5. Click Save.
    The Expose an API page opens. You have added the default application ID URI.

In the following steps, replace appName with the name of the enterprise application you created. For example, if your enterprise application is named Staffbase Employee App Intune Integration, replace appName with that name.

  1. In the Expose an API page, click Add a scope.
    The Add a scope dialog opens.
  2. In Scope name, enter user_impersonation.
  3. Set Who can consent? to Admins and users.
  4. In Admin consent display name, enter Access appName SSO.
  5. In Admin consent description, enter Allow the application to access appName SSO on behalf of the signed-in user.
  6. In User consent display name, enter Access appName SSO.
  7. In User consent description, enter Allow the application to access appName SSO on your behalf.
  8. Set State to Enabled.
  9. Click Add Scope.

You need to add the Application (client) ID of this app registration to the authorized client applications. You can find the Application (client) ID on the Overview page of the app registration.

  1. In the Expose an API page, click Add a client application.
    The Add a client application dialog opens.
  2. In Client ID, enter the Application ID.
  3. Under Authorized scopes, select /user_impersonation.
  4. Click Add application.

You have added the client application.

You need to add Android and iOS platforms to enable authentication on mobile devices. This configuration enables MSAL to correctly redirect users during authentication.

Prerequisite:

  • You have the following values from Staffbase:
    • Package name / Bundle ID
    • Signing key signature (also known as Signature hash)

  1. In the Microsoft Entra admin center, navigate to App registrations > the enterprise app you created.
  2. Navigate to Authentication.
  3. Click Add a platform.
    The Configure platform dialog opens.
  4. Click Android.
  5. In Package name, provide the name you received from Staffbase.
  6. In Signature hash, provide the value you received from Staffbase.
  7. Click Configure.

The Redirect URI and MSAL Configuration are added automatically.

  1. In the Microsoft Entra admin center, navigate to App registrations > the enterprise app you created.
  2. Navigate to Authentication.
  3. Click Add a platform.
    The Configure platform dialog opens.
  4. Click iOS/macOS.
  5. In Bundle ID, provide the name you received from Staffbase.
  6. Click Configure.

The Redirect URI and MSAL Configuration are added automatically.

You need to provide API permissions to allow Intune to manage the Employee App.

  1. In the Microsoft Entra admin center, navigate to App registrations > the enterprise app you created > API permissions.
  2. Click Add a permission.
    The Request API permissions dialog opens.
  3. Under APIs my organization uses, search for and select Microsoft Mobile Application Management.
  4. Select Delegated permissions.
  5. Under Permissions, select DeviceManagementManagedApps.ReadWrite (Read and Write the User’s App Management data).
  6. Click Add permissions.
    The added permission appears under Configured permissions.
  7. Click Grant admin consent for your tenant.
    A confirmation dialog opens.
  8. Click Yes.
    You have added API permissions.
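As an added check that is not part of the original Staffbase guide, the script below audits an app registration against the settings configured above (default Application ID URI, the user_impersonation scope and its authorized client, the Android and iOS MSAL redirect URIs, Assignment required, and admin consent for the Mobile Application Management permission). It works on the Microsoft Graph application, servicePrincipal and oauth2PermissionGrant objects you can export from your tenant; the package name, bundle ID, signature hash and IDs in the sample are constructed placeholders, not real values.

```python
from urllib.parse import quote

# Constructed placeholders: replace with the values Staffbase supplied to you.
PACKAGE_NAME = "com.example.employeeapp"          # Android package name
BUNDLE_ID = "com.example.employeeapp"             # iOS bundle ID
SIGNATURE_HASH = "Xo8WBi6jzSxKDVR4drqm84yr9iU="   # signing key signature hash (base64)
MAM_SCOPE = "DeviceManagementManagedApps.ReadWrite"


def expected_redirect_uris(package_name, bundle_id, sig_hash):
    """The MSAL redirect URIs Entra registers for the Android and iOS platforms."""
    return {f"msauth://{package_name}/{quote(sig_hash, safe='')}",  # Android
            f"msauth.{bundle_id}://auth"}                            # iOS/macOS


def audit(app, sp, grants):
    """Compare Graph 'application', 'servicePrincipal' and 'oauth2PermissionGrant'
    objects with the guide; returns a list of findings (empty means all good)."""
    findings, app_id, api = [], app["appId"], app.get("api", {})
    if f"api://{app_id}" not in app.get("identifierUris", []):
        findings.append("default Application ID URI api://<appId> is missing")
    scope = next((s for s in api.get("oauth2PermissionScopes", [])
                  if s.get("value") == "user_impersonation"), None)
    if not scope or not scope.get("isEnabled") or scope.get("type") != "User":
        findings.append("user_impersonation scope missing, disabled or admin-only")
    pre = {p["appId"]: set(p.get("delegatedPermissionIds", []))
           for p in api.get("preAuthorizedApplications", [])}
    if not scope or scope["id"] not in pre.get(app_id, set()):
        findings.append("own client ID is not authorized for user_impersonation")
    registered = set(app.get("publicClient", {}).get("redirectUris", []))
    for uri in sorted(expected_redirect_uris(PACKAGE_NAME, BUNDLE_ID, SIGNATURE_HASH) - registered):
        findings.append(f"MSAL redirect URI not registered: {uri}")
    if sp.get("appRoleAssignmentRequired"):
        findings.append("Assignment required? is Yes; the guide sets it to No")
    if not any(g.get("clientId") == sp["id"] and g.get("consentType") == "AllPrincipals"
               and MAM_SCOPE in g.get("scope", "").split() for g in grants):
        findings.append(f"admin consent for {MAM_SCOPE} not granted")
    return findings


# Constructed sample export (not real tenant data) that matches the guide.
APP_ID = "00000000-0000-0000-0000-0000000000aa"
SAMPLE_APP = {
    "appId": APP_ID, "identifierUris": [f"api://{APP_ID}"],
    "api": {"oauth2PermissionScopes": [{"id": "scope-1", "value": "user_impersonation",
                                        "isEnabled": True, "type": "User"}],
            "preAuthorizedApplications": [{"appId": APP_ID, "delegatedPermissionIds": ["scope-1"]}]},
    "publicClient": {"redirectUris": ["msauth://com.example.employeeapp/Xo8WBi6jzSxKDVR4drqm84yr9iU%3D",
                                      "msauth.com.example.employeeapp://auth"]},
}
SAMPLE_SP = {"id": "sp-1", "appRoleAssignmentRequired": False}
SAMPLE_GRANTS = [{"clientId": "sp-1", "consentType": "AllPrincipals", "scope": MAM_SCOPE}]
```

Run `audit(...)` on your exported objects; every finding names the step in the guide that still needs attention.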

Microsoft Authenticator must be enabled as an authentication method so that the Employee App can use modern authentication with MSAL.

  1. In the Microsoft Entra admin center, navigate to Authentication methods.
  2. Ensure that Microsoft Authenticator is set to Enabled.
    You have enabled Microsoft Authenticator.