This is the list of required permissions for Microsoft Intune.
offline_access
openid
profile
Device.ReadWrite.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementManagedDevices.PrivilegedOperations.All
BitlockerKey.Read.All
DeviceManagementApps.ReadWrite.All
Group.ReadWrite.All
Directory.Read.All
GroupMember.ReadWrite.All
RoleManagement.ReadWrite.Directory (only required to add members to role-assignable groups)
User.ReadWrite.All
Mail.Send (Note that the service accounts for Intune tenants much have an active mailbox)
Mail.Send (This is only required, if you do not want to send mails on behalf of the service accounts)
![]() |
The service account must be created in Azure. It cannot be a synced on-prem account. |
The service account defined under settings must be a member of one of the following roles in order to read bitlocker recovery keys:
Use the below snippet to add the required permissions to your app registration manifest. Remember to grant admin consent after you have updated the manifest.
Manifest |
Copy Code
|
---|---|
"requiredResourceAccess": [ { "resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "14dad69e-099b-42c9-810b-d002981feec1", "type": "Scope" }, { "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", "type": "Scope" }, { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" }, { "id": "e383f46e-2787-4529-855e-0e479a3ffac0", "type": "Scope" }, { "id": "37f7f235-527c-4136-accd-4a02d197296e", "type": "Scope" }, { "id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0", "type": "Scope" }, { "id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30", "type": "Scope" }, { "id": "62a82d76-70ea-41e2-9197-370581804d09", "type": "Role" }, { "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "type": "Role" }, { "id": "2f51be20-0bb4-4fed-bf7b-db946066c75e", "type": "Role" }, { "id": "741f803b-c850-494e-b5df-cde7c675a1ca", "type": "Role" }, { "id": "b0afded3-3588-46d8-8b3d-9842eff778da", "type": "Role" }, { "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role" }, { "id": "1138cb37-bd11-4084-a2b7-9f71582aeddb", "type": "Role" }, { "id": "78145de6-330d-4800-a6ce-494ff2d33d07", "type": "Role" }, { "id": "9241abd9-d0e6-425a-bd4f-47ba86e767a4", "type": "Role" }, { "id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c", "type": "Role" }, { "id": "243333ab-4d21-40cb-a475-36241daa0842", "type": "Role" }, { "id": "5ac13192-7ace-4fcf-b828-1a26f28068ee", "type": "Role" }, { "id": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695", "type": "Role" } ] } ], |