HomeSetup guides › Register the multi-tenant Entra app for the Graph/Connect API
Setup guide · from scratch

Register the multi-tenant Entra app for the Graph/Connect API

Creates the app identity Decolla/Connect uses to drive Intune via Graph across customer tenants. Choose multi-tenant, add the Graph Intune permissions, and remember each customer admin must consent separately.

Microsoft Entra admin center (Entra ID > App registrations)
Step 1. Go to entra.microsoft.com and sign in (Application Developer to create; Cloud/Global Admin to consent).
Screenshot: Entra admin center home (captured during a live customer build — coming to this page)
Step 2. Browse to Entra ID > App registrations > New registration.
Screenshot: New registration pane (captured during a live customer build — coming to this page)
Step 3. Enter a Name (e.g. 'Decolla Connect') and under 'Supported account types' choose 'Multiple Entra ID tenants'.
Screenshot: New registration with 'Multiple Entra ID tenants' selected (captured during a live customer build — coming to this page)
Step 4. Set the Redirect URI: 'Web' for a server/confidential app (HTTPS callback) or 'Public client/native' for device-code; click Register.
Screenshot: Redirect URI + platform selection (captured during a live customer build — coming to this page)
Step 5. On Overview copy the Application (client) ID and Directory (tenant) ID.
Screenshot: Overview page showing client and tenant IDs (captured during a live customer build — coming to this page)
Step 6. Manage > API permissions > Add a permission > Microsoft Graph; add the Intune scopes (DeviceManagementApps.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All). Choose DELEGATED permissions (not Application) - Decolla acts as the signed-in admin, per the Connect design.
Screenshot: API permissions with the Graph Intune scopes added (captured during a live customer build — coming to this page)
Step 7. Click 'Grant admin consent for <tenant>' and confirm Yes.
Screenshot: API permissions showing 'Granted' status (captured during a live customer build — coming to this page)
Step 8. Manage > Certificates & secrets > New client secret; set description + expiry, Add, and copy the secret VALUE immediately (shown once). Prefer a certificate for production.
Screenshot: New client secret with the value field visible (captured during a live customer build — coming to this page)
Step 9. (Optional) Under Authentication enable 'Allow public client flows' if using device-code.
Screenshot: Authentication blade public client flows toggle (captured during a live customer build — coming to this page)
Step 10. For each customer tenant an admin must consent via https://login.microsoftonline.com/{tenant}/adminconsent?client_id=... — you cannot consent silently on their behalf.
Screenshot: The admin-consent prompt a customer admin sees (captured during a live customer build — coming to this page)

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access