Application Manager for Intune requires individually registered Azure AD enterprise applications with specific permissions for the Intune tenant.
Recast Azure AD Connector Enterprise Application
- Reads Azure AD users, devices and groups in the customer's tenant.
- Requires the customer's Azure AD administrator (Global Administrator) to grant the application permissions.
- Used by the Recast Portal to verify that an end user is allowed to link the tenant to AM for Intune. The logged-in user in the Recast Portal must be either Global Administrator or added as a member to Recast Azure AD Connector Enterprise application.
Required Permissions
API name | Permissions | Description | Type | Granted through |
---|---|---|---|---|
Microsoft Graph | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Application | Admin consent |
Windows Azure Active Directory | Sign in and read user profile | Allows users to sign into the app, and allows the app to read the profile of signed-in users. Also allows the app to read basic company information of signed-in users. | Delegated | Admin consent or User consent |
Application Manager for Intune Permissions
- Manages Intune apps and deployments.
- Requires the customer's Azure AD administrator (Global Administrator) to consent to the application permissions.
Required Permissions
API name | Permissions | Description | Type | Granted through |
---|---|---|---|---|
Microsoft Graph | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Application | Admin consent |
Microsoft Graph | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. | Application | Admin consent |
Microsoft Graph | Read organization information | Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. | Application | Admin consent |
Windows Azure Active Directory | Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Delegated | Admin consent or User consent |
Application Group Permissions
Manages memberships of devices to specified groups.
Required Permissions
API name | Permissions | Description | Type | Granted through |
---|---|---|---|---|
Microsoft Graph | Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Delegated | Admin consent |
Microsoft Graph | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user. | Application | Admin consent |
Microsoft Graph | Read all devices | Allows the app to read your organization's devices' configuration information without a signed-in user. | Application | Admin consent |
Microsoft Graph | Read and write all groups | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user. | Application | Admin consent |
Microsoft Graph | Read Microsoft Intune apps | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | Application | Admin consent |
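The tables above define the least-privilege baseline for each enterprise application, so a tenant administrator will want to verify after consent that what was actually granted matches them. The following Python is an added example, not Recast's code or a script from this page: it resolves the appRoleAssignment records of a service principal (the shape returned by Microsoft Graph for application permissions) to permission names and reports what is missing from, or in excess of, the required set. The mapping from the display names in the tables to Microsoft Graph permission names is supplied here as an assumption, the GUIDs and sample assignments are constructed so the check runs offline, and only Application-type permissions are covered; the Delegated "Sign in and read user profile" entries are OAuth2 permission grants and are outside this check.

```python
"""Audit granted application permissions against the required set.

Assumptions (not from the page): the Graph permission names below are the
ones that correspond to the display names in the permission tables, and the
appRoleAssignment / appRole records are constructed samples with placeholder
GUIDs rather than the real Microsoft Graph role ids.
"""

# Application-type permissions each enterprise application requires,
# keyed by the application names used on the page.
REQUIRED_APP_PERMISSIONS = {
    "Recast Azure AD Connector": {"Directory.Read.All"},
    "Application Manager for Intune": {
        "DeviceManagementApps.ReadWrite.All",
        "DeviceManagementManagedDevices.Read.All",
        "Organization.Read.All",
    },
    "Application Group": {
        "DeviceManagementManagedDevices.Read.All",
        "Device.Read.All",
        "Group.ReadWrite.All",
        "DeviceManagementApps.Read.All",
    },
}

# Constructed stand-in for the Microsoft Graph service principal's appRoles
# list (ids are placeholders, not the real role ids).
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "DeviceManagementApps.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "DeviceManagementManagedDevices.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000005", "value": "Organization.Read.All"},
]

# Constructed appRoleAssignment records for an "Application Manager for Intune"
# service principal: one required permission is absent, one broader permission
# was granted, and one id does not resolve (e.g. a role retired from the
# resource's appRoles list).
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000003"},
    {"appRoleId": "00000000-0000-0000-0000-000000000004"},
    {"appRoleId": "00000000-0000-0000-0000-000000000002"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000ff"},
]


def resolve_app_roles(assignments, resource_app_roles):
    """Map appRoleAssignment records (appRoleId GUIDs) to permission names
    using the resource service principal's appRoles list. Ids that do not
    resolve are kept, marked as unknown, so they are never silently ignored."""
    id_to_value = {role["id"]: role["value"] for role in resource_app_roles}
    granted = set()
    for assignment in assignments:
        role_id = assignment["appRoleId"]
        granted.add(id_to_value.get(role_id, f"<unknown:{role_id}>"))
    return granted


def audit(app_name, granted):
    """Compare granted permission names with the required set for app_name.
    Returns sorted lists of missing (functionality gap) and excess
    (over-privilege) permissions."""
    required = REQUIRED_APP_PERMISSIONS[app_name]
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
    }


def is_least_privilege(app_name, granted):
    """True only when the grant matches the required set exactly."""
    result = audit(app_name, granted)
    return not result["missing"] and not result["excess"]


if __name__ == "__main__":
    granted = resolve_app_roles(SAMPLE_ASSIGNMENTS, GRAPH_APP_ROLES)
    report = audit("Application Manager for Intune", granted)
    print("granted:", sorted(granted))
    print("missing:", report["missing"])
    print("excess: ", report["excess"])
```

Against a live tenant the two inputs come from the service principal's appRoleAssignments and the Microsoft Graph service principal's appRoles, respectively; the comparison logic does not change. Anything reported as excess is a candidate for removal, and an unknown id should be investigated rather than assumed benign.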
Additional Permissions
The Application Group feature requires additional permissions for Azure AD and Intune tenants.
To grant additional permissions for AM for Intune Application Groups:
1. Log into your Microsoft account with Global Administrator credentials.
2. Click to Accept the permissions.