Intune DevOps Tools – Move objects from Dev to Prod Tenant

The more clients are managed in your tenant and the more people have contributor rights in your tenant, the more important it becomes to have good release management processes. In this blog post I would like to introduce you to my Intune CI pipeline that allows you to transfer configurations from one tenant to another. This offers the possibility that only a small number of administrators have access in the Prod tenant and all others create configurations in a Dev tenant and these are then transferred to the Prod tenant via a DevOps pipeline.

Create a Service Principle

  • Open the Azure Portal
  • Serach for Azure Active Directory
  • Select App registration -> + New registration
  • Enter a Name
  • Click Register
  • Select API permissions
  • Click + Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Select the following Graph permissions:
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementApps.ReadWrite.All
  • Click App permissions
  • Click Grant admin consent
  • Confirm with Yes
  • Keep the browser tab open we need this again soon

Add Subscription to Azure DevOps

  • Open Azure DevOps in a new Task
  • Create a new Organization and Project
  • Open the Project
  • Select Pipelines and Library
  • Click +Variable group
  • Go back to the App Registration and copy the AppId, TenantId and create a secret
  • Navigate to Certificates & secrets
  • Click + New client secret
  • Add a Description and Expires date
  • Enter IntuneProd as name for the variable group
  • Create three variables (ProdAppSecret, ProdAppId, ProdTenantId) and insert the values from the App Registration
  • Select secure variable for the AppSecret
  • Click Save

Setup the Dev Environment

Repeat the same steps for your Dev Environment but select the following permissions:

  • DeviceManagementApps.Read.All
  • DeviceManagementConfiguration.Read.All

Setup Pipeline

  • Navigate to Repos -> Files
  • Select Import repository
  • Enter a Name and click Import
  • Navigate to Pipelines
  • Click New pipeline
  • Select Azure Repos Git
  • Select the imported Repository
  • Select Existing Azure Pipeline YAML file
  • Select the azure-pipelines.yaml
  • Click Continue
  • Click Save

How does it work

  • Copy the object id from the object you want to copy on the dev tenant. You can get the Id from the URL.
  • Enter the Object type and the Object Id in the Pipeline
  • Click Run

Get DevOps Runner

When you start the pipeline without purchasing an devops runner you will get the following error message.

  • Fill out the form under to get an free trial license (can take 2-3 days)
  • You can also install an runner on your pc or on an server in your organisation
  • You can also add a Billing in the Billing section in the Project settings


I hope that I can help you to simpify the transfer of configurations from a Dev to the Prod tenant. I appreciate any testers and feedback on my Intune DevOps pipeline so that I can include it in one of the next versions. Enclosed are the features I plan for the next releases:

  • Include Debug option
  • Include more Object types
  • Add naming convention check
  • Include Assignments
  • Include approval process

4 thoughts on “Intune DevOps Tools – Move objects from Dev to Prod Tenant

  1. I have some questions on this, I found the layout a little confusing.

    Setup Pipeline. Do I do this in both the Test and Prod tenant? I only did it in Test, and got the following error:

    An error occurred while loading the YAML build pipeline. Variable group was not found or is not authorized for use. For authorization details, refer to

    I’m in two different tenants, I’m assuming I’m missing something for Test to see Prod and vice versa?

    Does everything need to be named exactly the same in both instances? Apps, Projects, Variables, etc?


    • Hey Joe, you only need one pipeline for both. The variables groups need the exact name as I used in my blog or you have to change it in the yaml file. If you need help let me know


  2. Hi Thanks for the post.. i am getting the error in get object from dev. Something went wrong by getting the object from Intune remote server returned an error: (404) Not Found. I am not getting the object ID in url. i can see only policy ID and template ID also from some end point security polices. Can you please share how to get Object ID.
    Also you mentioned you could add more object types. please share the link if you have already published.


Comments are closed.