Intune Permissions

This is the list of required permissions for Microsoft Intune.

API permissions

Sign in (Delegated permissions)

email

offline_access

openid

profile

 

Device Management (Application permissions)

Device.ReadWrite.All

DeviceManagementConfiguration.ReadWrite.All

DeviceManagementServiceConfig.ReadWrite.All

DeviceManagementManagedDevices.ReadWrite.All

DeviceManagementManagedDevices.PrivilegedOperations.All

WindowsUpdates.ReadWrite.All

 

Device Management (Delegated permissions)

BitlockerKey.Read.All

 

Application Deployment (Application permissions)

Application.ReadWrite.All

DeviceManagementApps.ReadWrite.All

Group.ReadWrite.All

Directory.Read.All

GroupMember.ReadWrite.All

 

Group Management (Application permissions)

RoleManagement.ReadWrite.Directory (only required to add members to role-assignable groups)

 

User Management (Application permissions)

User.ReadWrite.All

Auditlog.Read.All

 

User Management (Delegated permissions)

UserAuthenticationMethod.ReadWrite.All

 

Mail (Delegated permissions)

Mail.Send (Note that the service accounts for Intune tenants much have an active mailbox)

 

Mail (Application permissions)

Mail.Send (This is only required, if you do not want to send mails on behalf of the service accounts)

 

Azure Database

If your database is located in Azure, the following application permission is required:

Azure SQL Database - app_impersonation

If you cannot find this permission in the Azure portal, try the following fix:

1. Create an Azure SQL database and add yourself as either an admin or a user.

2. Login to that database with Microsoft SQL Management Studio using your Entra ID credentials.

3. You can now search for the permission "Azure SQL Database".

 

When you select "Azure SQL Database", choose "Application permissions" and "app_impersonation".

 

Service Account

A service account is required to read bitlocker recovery keys. If you do not need to read bitlocker recovery keys, you do not have to add a service account.

The service account must be created in Azure. It cannot be a synced on-prem account.

The service account defined under settings must be a member of one of the following roles in order to read bitlocker recovery keys:

 

Use the below snippet to add the required permissions to your app registration manifest. Remember to grant admin consent after you have updated the manifest.

Manifest
Copy Code
    "requiredResourceAccess": [
        {
            "resourceAppId": "022907d3-0f1b-48f7-badc-1ba6abab6d66",
            "resourceAccess": [
                {
                    "id": "c39ef2d1-04ce-46dc-8b5f-e9a5c60f0fc9",
                    "type": "Role"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "14dad69e-099b-42c9-810b-d002981feec1",
                    "type": "Scope"
                },
                {
                    "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                },
                {
                    "id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9",
                    "type": "Role"
                },
                {
                    "id": "e383f46e-2787-4529-855e-0e479a3ffac0",
                    "type": "Scope"
                },
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                },
                {
                    "id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
                    "type": "Scope"
                },
                {
                    "id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30",
                    "type": "Scope"
                },
                {
                    "id": "62a82d76-70ea-41e2-9197-370581804d09",
                    "type": "Role"
                },
                {
                    "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8",
                    "type": "Role"
                },
                {
                    "id": "2f51be20-0bb4-4fed-bf7b-db946066c75e",
                    "type": "Role"
                },
                {
                    "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
                    "type": "Role"
                },
                {
                    "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
                    "type": "Role"
                },
                {
                    "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
                    "type": "Role"
                },
                {
                    "id": "1138cb37-bd11-4084-a2b7-9f71582aeddb",
                    "type": "Role"
                },
                {
                    "id": "78145de6-330d-4800-a6ce-494ff2d33d07",
                    "type": "Role"
                },
                {
                    "id": "9241abd9-d0e6-425a-bd4f-47ba86e767a4",
                    "type": "Role"
                },
                {
                    "id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c",
                    "type": "Role"
                },
                {
                    "id": "243333ab-4d21-40cb-a475-36241daa0842",
                    "type": "Role"
                },
                {
                    "id": "5ac13192-7ace-4fcf-b828-1a26f28068ee",
                    "type": "Role"
                },
                {
                    "id": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695",
                    "type": "Role"
                },
                {
                    "id": "b7887744-6746-4312-813d-72daeaee7e2d",
                    "type": "Scope"
                },
                {
                    "id": "7dd1be58-6e76-4401-bf8d-31d1e8180d5b",
                    "type": "Role"
                }
            ]
        }
    ],

 

See Also

 

 


© Copyright - SoftwareCentral

https://softwarecentral.cloud/help