Permissions

Application Manager for Intune requires individually registered Azure AD enterprise applications with specific permissions for the Intune tenant.

Reads Azure AD users, devices and groups in the customer's tenant.
Requires customers Azure AD administrator (Global Administrator) to grant the application permissions.
Used by the Recast Portal to verify that an end user is allowed to link the tenant to AM for Intune. The logged-in user in the Recast Portal must be either Global Administrator or added as a member to Recast Azure AD Connector Enterprise application.

API name	Permissions	Description	Type	Granted through
Microsoft Graph	Read directory data	Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.	Application	Admin consent
Windows Azure Active Directory	Sign in and read user profile	Allows users to sign into the app, and allows the app to read the profile of signed-in users. Also allows the app to read basic company information of signed-in users.	Delegated	Admin consent or User consent

Manages Intune apps and deployments.
Requires customers Azure AD administrator (Global Administrator) to consent the application permissions.

API name	Permissions	Description	Type	Granted through
Microsoft Graph	Read and write Microsoft Intune apps	Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.	Application	Admin consent
Microsoft Graph	Read Microsoft Intune devices	Allows the app to read the properties of devices managed by Microsoft Intune.	Application	Admin consent
Microsoft Graph	Read organization information	Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information.	Application	Admin consent
Windows Azure Active Directory	Sign in and read user profile	Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allow the app to read basic company information of signed-in users.	Delegated	Admin consent or User consent

Manages memberships of devices to specified groups.

API name	Permissions	Description	Type	Granted Through
Microsoft Graph	Sign in and read user profile	Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.	Delegated	Admin consent
Microsoft Graph	Read Microsoft Intune devices	Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.	Application	Admin consent
Microsoft Graph	Read all devices	Allows the app to read your organization's devices' configuration information without a signed-in user.	Application	Admin consent
Microsoft Graph	Read and write all groups	Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.	Application	Admin consent
Microsoft Graph	Read Microsoft Intune apps	Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.	Application	Admin consent

The Application Group feature requires additional permissions for Azure AD and Intune tenants.

To grant additional permissions for AM For Intune Application Groups:

1. Log into your Microsoft account with Global Administrator credentials.

2. Click to Accept the permissions.