Problem Statement: The current PMPC Cloud integration with Entra ID and Intune utilizes application permissions. While this model is effective for establishing the service-to-service trust, it has a significant drawback for auditing and accountability. All actions performed by PMPC within Intune (e.g., application creation, deployments, etc.) are attributed to the PMPC service principal in the Entra/Intune audit logs, rather than the specific administrator who initiated the action in the PMPC console. This lack of user context forces our security team to cross-reference logs between the PMPC portal and the Intune portal to determine who performed a specific action, creating inefficiency and making compliance checks more complex.
Proposed Solution: We request an enhancement to the Entra ID integration to support a delegated permissions model. Under this model, PMPC would perform actions on behalf of the logged-in administrator. The user would authenticate to the PMPC service using their Entra ID credentials, and PMPC would then use an OAuth token with delegated permissions to interact with the Microsoft Graph API for Intune.
Key Benefits:
Centralized and Unified Auditing: All actions initiated from PMPC would appear in the Intune audit logs with the actual user's User Principal Name (UPN). This creates a single, authoritative source for all deployment and configuration changes, drastically simplifying audit processes.
Enhanced Security and Accountability: It would be immediately clear which administrator performed any given action, improving security posture and accountability. This is critical for incident response and change management tracking.
Adherence to the Principle of Least Privilege: Using delegated permissions would allow PMPC actions to be constrained by the logged-in user's assigned Intune RBAC (Role-Based Access Control) roles, ensuring administrators cannot exceed their designated permissions through a third-party tool.
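As an added illustration of the delegated model described in the Proposed Solution and of the least-privilege point above (example code, not PMPC's or Microsoft's own), the snippet below inspects the claims of a Graph access token to tell an app-only token from a delegated one, derives which identity Intune's audit log will record, and checks whether the required Intune app-management scope is present. The token contents are constructed for the demo and unsigned; `DeviceManagementApps.ReadWrite.All` is a real Graph permission name, while the app id and the shape of the sample claims are assumptions.

```python
import base64
import json

# Graph permission assumed sufficient for publishing apps to Intune (real permission name).
REQUIRED_SCOPE = "DeviceManagementApps.ReadWrite.All"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    # Reads the payload only. Signature validation is a separate step (done by the
    # Graph service / MSAL), so this is for classification and audit logic, not trust.
    return json.loads(_b64url_decode(token.split(".")[1]))

def classify(claims: dict) -> str:
    # Delegated tokens carry 'scp' (space-separated scopes) plus a signed-in user;
    # app-only (client credentials) tokens carry 'roles' and no user identity.
    if "scp" in claims and claims.get("upn"):
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"

def audit_actor(claims: dict) -> str:
    # The identity Intune's audit log will attribute the action to.
    kind = classify(claims)
    if kind == "delegated":
        return claims["upn"]
    if kind == "application":
        return f"app:{claims.get('appid', '?')}"
    raise ValueError("unrecognised token shape")

def has_scope(claims: dict, scope: str = REQUIRED_SCOPE) -> bool:
    # Delegated: scope must appear in 'scp'; app-only: in 'roles'.
    granted = claims["scp"].split() if "scp" in claims else claims.get("roles", [])
    return scope in granted

def make_token(claims: dict) -> str:
    # Constructed, unsigned JWT for the demo: header.payload.<empty signature>.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed samples: today's app-only token vs the proposed delegated token.
APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app id
APP_TOKEN = make_token({"aud": "https://graph.microsoft.com", "appid": APP_ID,
                        "roles": [REQUIRED_SCOPE], "idtyp": "app"})
DELEGATED_TOKEN = make_token({"aud": "https://graph.microsoft.com", "appid": APP_ID,
                              "upn": "jane.doe@company.com",
                              "scp": f"{REQUIRED_SCOPE} User.Read"})
```

With the delegated token, `audit_actor` yields the administrator's UPN, which is exactly the attribution the request asks Intune's audit log to show.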
Use Case Example: An administrator, jane.doe@company.com, uses the PMPC console to publish a new version of Google Chrome to a user group.
Current Behavior: The Intune audit log shows the application was created and assigned by the "PMPC Cloud" application.
Proposed Behavior: The Intune audit log would show the application was created and assigned by jane.doe@company.com.
This enhancement would be a significant improvement for organizations that prioritize security, compliance, and streamlined administrative workflows.