
Devicie API Permissions Explained

How does Devicie connect to Intune?


Devicie automates deployment of applications, configuration profiles, and assignments, and is able to report on customers' Intune environments using data from the Microsoft Graph API.

In order for us to be able to do the above in a secure and automated fashion, we require certain access to customers' environments through an Entra ID enterprise application.

The permissions are granted when customers authorise the Devicie API using a Microsoft Entra global admin account. The "Devicie Automation" enterprise application will then appear in the customer's Enterprise applications blade.

Permissions are different depending on the level of access which is needed. Access to the portal itself requires only Azure Data Explorer (ADX) read permissions, while full access to the tenant requires the permissions in the following section.

Customer Portal Permissions

MSP Permissions

Maintain Access to data you have given it access to

Reference: offline_access

Explanation: Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

Sign in and read user profile

Reference: Permissions for an app registration

Explanation: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. Used during first-time setup.

Access Azure Data Explorer

Reference: Cluster Permissions

Explanation: The data store is used by Devicie for reporting and dashboards. We require permissions for the ADX service so that, on behalf of the customer, we can connect to the Devicie tenant-hosted ADX store and use the federated Entra ID identity to enforce row-level security (RLS).

Tenant Permissions

Below is the list of permissions required for the Devicie API to connect to and administer your Intune tenant.

Read and write all Windows update deployment settings

Reference: WindowsUpdates.ReadWrite.All

Explanation: Allows the app to read and write all Windows update deployment settings for the organization without a signed-in user.

Read and write Microsoft Intune apps

Reference: DeviceManagementApps.ReadWrite.All

Explanation: Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.

Read and write Microsoft Intune device configuration and policies

Reference: DeviceManagementConfiguration.ReadWrite.All

Explanation: Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.

Read and write Microsoft Intune devices

Reference: DeviceManagementManagedDevices.ReadWrite.All

Explanation: Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe or BitLocker key rotation.

Read and write Microsoft Intune RBAC settings

Reference: DeviceManagementRBAC.ReadWrite.All

Explanation: Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.

Read and write Microsoft Intune configuration

Reference: DeviceManagementServiceConfig.ReadWrite.All

Explanation: Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user.

Read all applications (Entra ID)

Reference: Application.Read.All

Explanation: Allows the app to read all applications and service principals without a signed-in user. Used to access the Intune data warehouse.

Read all group memberships

Reference: GroupMember.Read.All

Explanation: Allows the app to read memberships and basic group properties for all groups without a signed-in user. Used for orchestrating app and configuration assignments.

Read all devices

Reference: Device.Read.All

Explanation: Allows the app to read your organization's devices' configuration information without a signed-in user.

Sign in and read user profile

Reference: Permissions for an app registration

Explanation: This allows users to sign in to the app and read their profiles and basic company information. It is used during first-time setup.

Read all applications (Intune)

Reference: Application.Read.All

Explanation: Allows the app to read applications and service principals without a signed-in user. Used to access the Intune data warehouse.

Get data warehouse information from Microsoft Intune

Reference: get_data_warehouse

Explanation: Grants access to the Intune data warehouse API.
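As an added example (not Devicie's own tooling), the following Python script shows how a tenant administrator could audit the application permissions actually granted to the "Devicie Automation" service principal against the list documented above, flagging any documented permission that is missing and any granted permission the documentation does not account for. The two JSON inputs mirror the shape of Microsoft Graph's servicePrincipal appRoles and appRoleAssignments objects; the GUIDs and grants are constructed sample data, and the helper names are the example's own.

```python
"""Audit a service principal's granted application permissions against
the permission list documented on this page. Input shapes mirror two
Microsoft Graph objects: the resource's `appRoles` (id -> value) and the
client's `appRoleAssignments` (one appRoleId per grant). All GUIDs and
grants below are constructed sample data, not values from a real tenant."""
import json

# Application (app-only) permissions this page documents for tenant access.
EXPECTED_APP_ROLES = {
    "WindowsUpdates.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementRBAC.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Application.Read.All",
    "GroupMember.Read.All",
    "Device.Read.All",
}

# Constructed stand-in for GET /servicePrincipals/{resource-id}?$select=appRoles
RESOURCE_APP_ROLES = json.loads("""{"appRoles": [
  {"id": "11111111-0000-0000-0000-000000000001", "value": "DeviceManagementApps.ReadWrite.All"},
  {"id": "11111111-0000-0000-0000-000000000002", "value": "Device.Read.All"},
  {"id": "11111111-0000-0000-0000-000000000003", "value": "Directory.ReadWrite.All"}
]}""")

# Constructed stand-in for GET /servicePrincipals/{client-id}/appRoleAssignments
ASSIGNMENTS = json.loads("""{"value": [
  {"appRoleId": "11111111-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "11111111-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"}
]}""")


def granted_app_roles(resource, assignments):
    """Resolve each assignment's appRoleId to its permission name (value)."""
    id_to_value = {r["id"]: r["value"] for r in resource["appRoles"]}
    return {id_to_value.get(a["appRoleId"], f"unknown:{a['appRoleId']}")
            for a in assignments["value"]}


def audit(granted, expected=EXPECTED_APP_ROLES):
    """Return (missing, unexpected): documented roles not granted, and
    granted roles that the documentation does not account for."""
    return sorted(expected - granted), sorted(granted - expected)


if __name__ == "__main__":
    missing, unexpected = audit(granted_app_roles(RESOURCE_APP_ROLES, ASSIGNMENTS))
    print("missing:", missing, "\nunexpected (review before accepting):", unexpected)
```

Delegated scopes such as offline_access and User.Read are recorded as oauth2PermissionGrants rather than appRoleAssignments, so they need a separate check.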