Managing Intune Tenants
When you first set up Eido, you will be prompted to link an Intune tenant. You can later add additional tenants or update the settings of existing ones. Eido supports multiple tenants, which is useful for managed service providers supporting multiple customers, or for organisations with separate production and non-production environments.
The Intune Tenants page allows administrators to link new tenants, manage existing tenant settings, control issue severity thresholds, configure app metering, and apply advanced device scoping rules.
Linking a New Intune Tenant
To link a new tenant, navigate to:
Admin > Intune Tenants
Then click Link New Tenant.
You will be asked to choose an access level for the tenant connection.
Choosing an Access Level
When linking a tenant, you can select one of the following access levels.
Read-Write Access
This option grants Eido read-write access to Intune devices and policies, including the ability to deploy and restore templates and configuration items.
User access remains read-only.
Read-write access is required for features such as Policy Management.
Read-Only Access
This option provides read-only access to Intune devices, policies, and users.
It is suitable when you want Eido to monitor and report on your environment without making changes.
Custom / Manual App Registration
This option allows you to use your own Entra app registration and client secret instead of the standard interactive admin consent flow.
This is typically used by organisations that prefer to manage permissions and authentication through their own application registration.
Granting Access
For Read-Write Access and Read-Only Access, Eido uses Microsoft’s admin consent flow.
After selecting the access level, you will be prompted to sign in with a Microsoft account and approve the requested permissions.
Make sure the account you use has sufficient privileges to grant consent for the tenant. If it does not, the request may be denied or require approval from a privileged administrator.
Once consent has been granted, you will be asked to enter a friendly name for the tenant.
After you confirm, Eido will begin syncing data from the linked tenant.
What Eido Syncs
When an Intune tenant is linked, Eido uses the Microsoft Graph API to collect information such as:
- Devices
- Compliance policies
- Configuration policies
- Managed applications
- Discovered applications
Depending on the permissions granted, Eido can also use Microsoft Entra ID data to identify the primary user of a device. This allows dashboards, reports, and filtering to include additional attributes such as Office, Department, and Location.
Editing an Existing Tenant
To update an existing tenant, open it from the Intune Tenants page.
The Intune Tenant Settings screen includes several tabs that allow you to manage different aspects of the tenant configuration.
Tenant Settings
The Tenant Settings tab contains the main tenant configuration.
Here you can:
- Update the tenant friendly name
- Link the tenant to a customer
- Enable or disable Backup Policies
- Enable or disable App Metering
This tab also includes the default issue severity thresholds used for certain issue types.
Linking a Tenant to a Customer
If you are using Eido in a multi-customer environment, you can associate an Intune tenant with a specific customer. The customer must already exist; create it first under Admin > Customers.
This helps keep tenant data correctly organised and supports customer-based access control.
To do this, edit the tenant and select the customer from the Link to Customer dropdown.
Issue Severity Thresholds
The Tenant Settings tab allows you to configure how long certain issues remain at one severity level before they are escalated.
This currently applies to:
- Missing Security Patch / Unsupported OS
  You can configure:
  - Days until Medium
  - Days until High
- Certificate Expiry
  You can configure:
  - Days until Medium
  - Days until High
These thresholds determine when Eido escalates the severity of an issue as the problem remains unresolved.
Force Sync
You can manually trigger a new sync for the tenant from the Tenant Settings tab by clicking Sync Now.
This starts an immediate resync of tenant data from Microsoft Intune.
Use this when you want Eido to refresh data without waiting for the next scheduled sync.
Compliance Policy Severity
The Compliance Policies tab allows you to control how Eido treats individual compliance policies when issues are detected.
Each policy can be assigned one of the following severity levels:
- Ignore
- Medium
- High
This allows you to decide which compliance issues should be surfaced and how important they should be considered.
Configuration Policy Severity
The Config Policies tab allows you to assign severity levels to individual configuration policies.
Each policy can be set to:
- Ignore
- Medium
- High
This allows Eido to reflect the relative importance of different configuration issues in dashboards, trends, and alerts.
Managed App Severity
The Managed Apps tab allows you to configure severity levels for individual managed applications.
Each app can be set to:
- Ignore
- Medium
- High
This makes it possible to prioritise more important application deployment issues over less critical ones.
App Metering
The App Metering tab is available for tenants where app metering is enabled.
This feature allows Eido to collect and report on application usage data for supported scenarios.
If app metering is enabled for the tenant, this tab provides access to its related configuration.
Device Scoping (Advanced)
The Device Scoping (Advanced) tab allows you to limit which devices are included for the tenant.
Scoping options include:
- Enable device scoping
- Device platforms:
  - All platforms
  - Windows
  - iOS / iPadOS
  - macOS
  - Android
- Windows device type scope:
  - All
  - Azure Virtual Desktop (AVD)
  - Physical
  - Windows 365
- Limit by Entra group:
  - None
  - User groups
  - Device groups
- Include devices with no primary user
These settings are useful when you want Eido to focus only on specific device types, platforms, or group memberships.
Using Multiple Intune Tenants
Eido supports multiple linked tenants.
This is useful for:
- MSPs managing separate customer tenants
- Organisations with multiple business units
- Production and non-production environments
- Tenants added through mergers or acquisitions
Each tenant can be configured independently, including customer assignment, thresholds, severity settings, and scoping rules.
Advanced: Manual app registration
If you choose Custom / Manual App Registration, you will need to create and configure your own application registration in Microsoft Entra ID.
1. Open Microsoft Entra admin center
Navigate to the Microsoft Entra admin center.
2. Create an application registration
Go to Applications > App registrations and create a new app registration.
Use the following settings:
- Name: Choose a meaningful name
- Supported account types: Single tenant
- Redirect URI: Leave empty
3. Configure API permissions
Open the application and navigate to API permissions > Add a permission > Microsoft Graph > Application permissions.
Add at least the following permissions:
- Device.Read.All
- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementServiceConfig.Read.All
- Group.Read.All
- User.Read.All
Then grant admin consent for your organisation.
4. Create a client secret
Go to Certificates & secrets > Client secrets and create a new client secret.
Save the secret securely, as you will need it when linking the tenant in Eido.
5. Link the tenant in Eido
In Eido, go to Admin > Intune Tenants > Link New Tenant > Custom / Manual App Registration.
You will need to provide:
- Friendly Name
- Graph Login URL
- Graph Query Endpoint
- Entra Tenant ID
- Entra Client ID
- Entra Client Secret
Graph Login URL examples
- Default: https://login.microsoftonline.com
- Azure US Government: https://login.microsoftonline.us
- Azure China operated by 21Vianet: https://login.chinacloudapi.cn
Graph Query Endpoint examples
- Default: https://graph.microsoft.com
- Microsoft Graph for US Government L4: https://graph.microsoft.us
- Microsoft Graph for US Government L5 (DoD): https://dod-graph.microsoft.us
- Microsoft Graph China operated by 21Vianet: https://microsoftgraph.chinacloudapi.cn
This option is typically used where organisations prefer to manage Microsoft Graph access through their own Entra application rather than using the standard admin consent flow.
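One way to confirm that a manual app registration carries the Graph application permissions listed in step 3 before its secret is entered in Eido, as an added example (not Eido's own code): it builds the client-credentials token request from the Graph Login URL and Graph Query Endpoint values above and audits the token's `roles` claim. The function names, placeholders and sample token are constructed for illustration, and the token is decoded without signature verification, for diagnostics only.

```python
# Added example (not Eido code): audit a manual app registration's Graph roles.
import base64, json, urllib.parse, urllib.request

# Application permissions listed in step 3 of this page.
REQUIRED = {
    "Device.Read.All", "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementServiceConfig.Read.All", "Group.Read.All", "User.Read.All",
}

def token_request(login_url, graph_endpoint, tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request for the chosen cloud."""
    url = f"{login_url.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": f"{graph_endpoint.rstrip('/')}/.default"}
    return url, form

def fetch_token(url, form):
    """POST the request and return the access token (needs network access)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def granted_roles(access_token):
    """Return the 'roles' claim of the JWT payload (no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def audit(roles):
    """Compare granted application roles with the read-only list above."""
    extra = roles - REQUIRED
    return {"missing": sorted(REQUIRED - roles), "extra": sorted(extra),
            "write_capable": sorted(r for r in extra if "ReadWrite" in r)}

def sample_token(roles):
    """Constructed, unsigned token so the audit can be run offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "constructed"])

if __name__ == "__main__":
    url, form = token_request("https://login.microsoftonline.com",
                              "https://graph.microsoft.com",
                              "TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "SECRET")
    print(url, form["scope"])
    roles = sorted(REQUIRED - {"Group.Read.All"}) + ["DeviceManagementConfiguration.ReadWrite.All"]
    print(audit(granted_roles(sample_token(roles))))
```

With real credentials, pass `fetch_token(*token_request(...))` to `granted_roles`; an empty `missing` list and no `write_capable` entries match the read-only set in step 3.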
Permissions and Access
The permissions Eido requests depend on the selected access level.
In general, Eido requires Microsoft Graph access to read tenant data such as devices, policies, managed apps, groups, and users. Read-Write access also includes permissions needed for features that make changes within Intune, such as policy management.
If your organisation requires tighter control over permissions, you can use the Custom / Manual App Registration option.
To remove a customer or a tenant, click the delete (bin) button on the customer or tenant page.