Connection to MECM
A service account is required to connect MECM sites.
The web application is executed in the context of the service account (see IIS configuration) and the service account is also used to connect the MECM sites.
Permissions
No Configuration Manager console is required to work with Intune Manager.
With Intune Manager, it is possible to read existing MECM applications and import them into Intune. The following administrative permissions within MECM are required for this:
- Application: Read
- Collection: read; read resource;
- Site: Read
The easiest way to provide these rights is to import a security role within the Configuration Manager console:
The following XML file can be used to import this security role:
<SMS_Roles>
<SMS_Role CopiedFromID="SMS0001R" RoleName="Intune Manager" RoleDescription="Intune Manager Role">
<Operations>
<Operation GrantedOperations="4097" ObjectTypeID="1" />
<Operation GrantedOperations="1" ObjectTypeID="6" />
<Operation GrantedOperations="1" ObjectTypeID="31" />
</Operations>
</SMS_Role>
</SMS_Roles>
Then the Service account is added to the administrative Users and assigned the previously create security role.
In the Administrative User's Workspace, the Administrative User can be added.
Open the Add User or Group context menu.
Use Browse to select the Service Account to be authorized.
In this example, the System-Account of the Server on Which Intune Manager is installed was used.
After the Account has been selected, the authorization can be selected with Add.
Here, the Previously created role Intune Manager must be selected.
Finally, the item All instances of the objects that are related to the assigned security roles must be selected.
Then the Administrative User can be Created with OK.
Configuration Manager sites are connected via the appsettings.json File.