Microsoft Endpoint Manager integration instructions - Multi-Tenant

Use this article to integrate Lifecycle Manager with Microsoft Endpoint Manager. Two configured applications are required to grant access to the device and software information of your tenant and your customer tenants, in order to integrate Microsoft Endpoint Manager with Lifecycle Manager.

Microsoft Endpoint Manager (MEM) Integration Requires Alternate Steps
The integration with Microsoft Endpoint Manager (MEM) - Multi Tenant is currently not optimal due to recent changes by Microsoft, specifically the enforcement of GDAP (Granular Delegated Admin Privileges).

Action Required
Contact our Support team at directly for assistance. They will provide you with the alternate steps for the integration while a fix is under development.

Known limitation with indirect or unmanaged resellers - The Microsoft Endpoint Manager integration does not support indirect or unmanaged resellers because you need direct access to manage client devices. Indirect providers and Cloud Solution Provider (CSP) direct partners should have no issues, but this is something to be aware of if you purchase through a reseller.


To use either Microsoft Endpoint Manager integration, users will need:

  • Work (or school) accounts from Microsoft. This includes organizations that use Office 365

  • An active Intune subscription

  • Administrator user credentials for Microsoft Azure, and Microsoft Partner.

  • Administrator user credentials for Lifecycle Manager or member permissions of Manage Sync Settings selected

  • Access to the App Management module

Microsoft Partner application setup

Granting Partner application process

If you can access the App Management module (Steps 1 - 3), you have the access to the API required for a multi-tenant integration. The multi-tenant integration cannot be completed if the App Management module is not visible. To continue, you are able to set up multiple instances of a Microsoft Endpoint Manager single-tenant integration.

To enable multiple instances of Microsoft Endpoint Manager single-tenant integration, please contact support at

  1. Sign in to your Microsoft Partner Center Dashboard using a global administrator account.

  2. From the Settings menu (gear icon), select Account settings.

  3. On the Account settings page, choose App management.

  4. If

    1. You do not have an existing web app registered:

      1. Add a new web app

    2. You have an existing web app registered:

      1. Choose the Add key button

  5. The keys are in the table below the app details. Copy the app registration details:

    1. App ID / Client ID

    2. Account ID / Tenant ID

    3. Key / Client secret

The Key value is not retrievable after navigating away from the page, so please ensure it is recorded in a safe place.

Configuring Partner application permissions

  1. Sign in to Azure AD from the Azure portal using a global administrator account.

  2. From the Azure Directory admin center, navigate to Azure Active Directory App registrations All applications.

  3. Select the application that is registered to the Partner Center in the previous step by using the App Name. By default, this may be called Partner Center Web App.

  4. Navigate to the API permissions section

  5. Ensure that the application has the delegated permissions with admin consent (if this is not the case, see below):

    1. Azure Active Directory Graph

      1. Directory.AccessAsUser.All

      2. User.Read

    2. Microsoft Partner Center

      1. User_impersonation

  6. Grant the following application permission to:

    1. Azure Active Directory Graph

      1. Directory.Read.All

If the application does not have the delegated permissions:

  1. Click the add a permission button

  2. In the Request API permissions screen, select APIs my organization uses

  3. Select Windows Azure Active Directory, and then Delegated Permissions

  4. Search and select: User.Read

  5. Search and select: Directory.AccessAsUser.All

  6. Search and select: user_impersonation

  7. Click Add permissions

  8. Click Grant admin consent

Microsoft Lifecycle Manager application setup

Creating the Lifecycle Manager application setup

We recommend creating a dedicated application that Lifecycle Manager uses to access device and software information.

  1. Sign in to Microsoft Azure as a global administrator

  2. From the Azure Directory admin center, navigate to Azure Active Directory App registrations

  3. Click the +New Registration button

  4. Enter a user-facing display name for the new application registration (for example, Lifecycle Manager MEM Integration).

  5. Under Supported account types, make sure Accounts in any organizational directory (Any Azure AD directory – Multitenant) is selected. The rest of the defaults for registration should be left as is.

  6. Click Register to create the application

  7. Under your newly created application, take note of the Application (client) ID and the Directory (tenant) ID.

Tracking Microsoft Defender for Endpoint through Microsoft Endpoint Manager

If you have assets with Windows Defender for Endpoint that you want to track, you have to add API permissions through Microsoft Endpoint Manager so that we can provide reporting on endpoint protection by consuming windows defender information through Microsoft Endpoint Manager.

Here are the steps to track Microsoft Defender for Endpoint through Microsoft Endpoint Manager.

  1. Click the add a permission button

  2. In the Request API permissions screen, select APIs my organization uses

  3. Manually type in WindowsDefenderATP, select WindowsDefenderATP, and then Application Permissions

  4. Search and select: Machine

5. Search and select: Machine.Read.All

6. Click Grant admin consent


Ensure that the Include Microsoft Defender for Endpoint option is selected when setting your sync settings for Microsoft Endpoint Manager - Multi-Tenant.

When adding the Microsoft Endpoint Manager integration to Lifecycle Manager, you will need to add the Application (client) ID and Directory (tenant) ID to the Microsoft Endpoint Manager add integration page.

Configuring Lifecycle Manager application permissions

Users/admins are required to grant permissions to applications before they can call APIs. For full functionality, the following permissions are required:

  • Organization.Read.All

  • DeviceManagementManagedDevices.Read.All

  • DeviceManagementApps.Read.All

  1. Navigate to the *API permissions* section

  2. Click the Add a permission button

  3. In the Request API permissions screen, select Microsoft Graph and then select Application permissions

  4. In the Select permissions section, click the arrows next to *DeviceManagementManagedDevices*, *DeviceManagementManagedApps*, and *Organization* to expand each section or start typing the permission to filter the results.

    * In the *DeviceManagementManagedApps* module, select the DeviceManagementApps.Read.All.

    1. In the DeviceManagementManagedDevices module, select the


    2. In the Organization module, select the Organization.Read.All.

  5. Click Add permissions

  6. After selecting Add permissions, we will need to add administrator consent. This is done by selecting Grant admin consent.

  7. (Optional) Grant the following application permission to: - Only applicable if you want to track Microsoft Defender for Endpoint through Microsoft Endpoint Manager.

    1. Machine

      1. Machine.Read.All

After adding permissions, you need to add administrator consent for each permission name.

Configuring Lifecycle Manager application process:

  1. Navigate to the Azure Active Directory Groups section

  2. Search for AdminAgents, and then select it. The name must only be AdminAgents

  3. Navigate to the Members section for the group

  4. Select Add members, and search for the Lifecycle Manager application that was created (e.g. Lifecycle Manager MEM Integration), then click Select.

Granting Lifecycle Manager application access

Client secrets, also known as application passwords, are secret strings that the application uses to prove its identity when it requests a token.

  1. Navigate to the Certificates & secrets section

  2. In the Client secrets section, click the New client secret button

  3. Add a description for the client secret. After entering a description, we recommend leaving the default expiry settings to 6 months.

  4. Click the Add button.

  5. Take note of the Secret ID, as this value is required when adding the integration to Lifecycle Manager.

Why 6 months for expiry? - We follow Microsoft's recommendation of a 6-month expiration for client secrets as this period of time is a balance between securing the application's access and convenience of use for our partners. Expiry dates can range from 1 day to 2 years, but Microsoft client secrets must expire eventually. Before a client secret expires, a new one can be created and saved in the existing integration with no downtime.

Keep the Client secret value in a secure location, because this value is not recoverable once navigating away.

Adding Lifecycle Manager integration

  1. Navigate to the Microsoft Endpoint Manager Multi-Tenant add integration page and fill in the following information gathered previously, mapping to the following fields:

    1. Microsoft Partner Account ID -- Azure Tenant ID

    2. Microsoft Partner App ID -- Partner Application (client) ID

    3. Microsoft Partner App Key -- Partner Application Client Secret

    4. Microsoft Lifecycle Manager App ID -- ScalePad Application (client) ID

    5. Microsoft Lifecycle Manager App Key -- ScalePad Application Client Secret

  2. Click Save Microsoft Endpoint Manager Setup

When you click Save Microsoft Endpoint Manager (Multi-Tenant) Setup, Lifecycle Manager performs a full sync. When finished, you should be able to view your hardware assets in your account, as well as any software assets.

What's next