Intune Permissions

This is the list of required permissions for Microsoft Intune.

API permissions

Sign in (Delegated permissions)

offline_access

openid

profile

Device Management (Application permissions)

Device.ReadWrite.All

DeviceManagementConfiguration.ReadWrite.All

DeviceManagementServiceConfig.ReadWrite.All

DeviceManagementManagedDevices.ReadWrite.All

DeviceManagementManagedDevices.PrivilegedOperations.All

Device Management (Delegated permissions)

BitlockerKey.Read.All

Application Deployment (Application permissions)

DeviceManagementApps.ReadWrite.All

Group.ReadWrite.All

Directory.Read.All

GroupMember.ReadWrite.All

Group Management (Application permissions)

RoleManagement.ReadWrite.Directory (only required to add members to role-assignable groups)

User Management (Application permissions)

User.ReadWrite.All

Mail (Delegated permissions)

Mail.Send (Note that the service accounts for Intune tenants much have an active mailbox)

Mail (Application permissions)

Mail.Send (This is only required, if you do not want to send mails on behalf of the service accounts)

Service Account

The service account must be created in Azure. It cannot be a synced on-prem account.

The service account defined under settings must be a member of one of the following roles in order to read bitlocker recovery keys:

Global administrator
Cloud device administrator
Helpdesk administrator
Intune service administrator
Security administrator
Security reader
Global reader

Use the below snippet to add the required permissions to your app registration manifest. Remember to grant admin consent after you have updated the manifest.

Manifest	Copy Code
"requiredResourceAccess": [ { "resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "14dad69e-099b-42c9-810b-d002981feec1", "type": "Scope" }, { "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", "type": "Scope" }, { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" }, { "id": "e383f46e-2787-4529-855e-0e479a3ffac0", "type": "Scope" }, { "id": "37f7f235-527c-4136-accd-4a02d197296e", "type": "Scope" }, { "id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0", "type": "Scope" }, { "id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30", "type": "Scope" }, { "id": "62a82d76-70ea-41e2-9197-370581804d09", "type": "Role" }, { "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "type": "Role" }, { "id": "2f51be20-0bb4-4fed-bf7b-db946066c75e", "type": "Role" }, { "id": "741f803b-c850-494e-b5df-cde7c675a1ca", "type": "Role" }, { "id": "b0afded3-3588-46d8-8b3d-9842eff778da", "type": "Role" }, { "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role" }, { "id": "1138cb37-bd11-4084-a2b7-9f71582aeddb", "type": "Role" }, { "id": "78145de6-330d-4800-a6ce-494ff2d33d07", "type": "Role" }, { "id": "9241abd9-d0e6-425a-bd4f-47ba86e767a4", "type": "Role" }, { "id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c", "type": "Role" }, { "id": "243333ab-4d21-40cb-a475-36241daa0842", "type": "Role" }, { "id": "5ac13192-7ace-4fcf-b828-1a26f28068ee", "type": "Role" }, { "id": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695", "type": "Role" } ] } ],

Manifest

Copy Code

"requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "14dad69e-099b-42c9-810b-d002981feec1",
                    "type": "Scope"
                },
                {
                    "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                },
                {
                    "id": "e383f46e-2787-4529-855e-0e479a3ffac0",
                    "type": "Scope"
                },
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                },
                {
                    "id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
                    "type": "Scope"
                },
                {
                    "id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30",
                    "type": "Scope"
                },
                {
                    "id": "62a82d76-70ea-41e2-9197-370581804d09",
                    "type": "Role"
                },
                {
                    "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8",
                    "type": "Role"
                },
                {
                    "id": "2f51be20-0bb4-4fed-bf7b-db946066c75e",
                    "type": "Role"
                },
                {
                    "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
                    "type": "Role"
                },
                {
                    "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
                    "type": "Role"
                },
                {
                    "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
                    "type": "Role"
                },
                {
                    "id": "1138cb37-bd11-4084-a2b7-9f71582aeddb",
                    "type": "Role"
                },
                {
                    "id": "78145de6-330d-4800-a6ce-494ff2d33d07",
                    "type": "Role"
                },
                {
                    "id": "9241abd9-d0e6-425a-bd4f-47ba86e767a4",
                    "type": "Role"
                },
                {
                    "id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c",
                    "type": "Role"
                },
                {
                    "id": "243333ab-4d21-40cb-a475-36241daa0842",
                    "type": "Role"
                },
                {
                    "id": "5ac13192-7ace-4fcf-b828-1a26f28068ee",
                    "type": "Role"
                },
                {
                    "id": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695",
                    "type": "Role"
                }
            ]
        }
    ],