
Enterprise applications and permissions

Overview of the Microsoft Azure enterprise applications used by Devicie and their permissions

1. Overview

As part of your onboarding, you will need to grant permissions to a set of enterprise applications within your Microsoft Azure tenant. There are three applications, each with a different purpose described below. 

  1. Devicie Dashboard
    This application is used to manage user access to the Devicie portal.
  2. Devicie Dashboard Backend
    This application is used to maintain access to relevant Intune reporting data via Azure Data Explorer. Consent for this application is provided in conjunction with the Devicie Dashboard application. 
  3. Devicie Automation
    This is the management application that does the work of deploying, managing and monitoring Devicie content in your Intune environment.

These applications are approved via two processes, described below.

If you are a single-tenant customer, you will be required to approve the Devicie Automation application first. If you are planning to manage multiple tenants, you will need to approve the Devicie portal applications first and then approve the Devicie Automation application separately in each tenant.

2. Devicie portal

There are two enterprise applications (Devicie Dashboard and Devicie Dashboard Backend) required to manage user access to the Devicie portal, as well as the necessary reporting data to enrich the dashboard reporting. 

Approval of both applications is provided in one action during onboarding. No specific Microsoft Graph permission is required to grant it, but your organisation will most likely restrict this type of consent to an administrative role.

Grant permissions to the Devicie portal

  1. During onboarding, you will be notified when the Devicie portal has been provisioned for your tenant. At this time the relevant user should log in via SSO at https://app.devicie.com/
  2. Most likely the user will be prompted to request approval of the relevant applications' permissions. The process for approving this request will depend on your organisation's own policies. 
  3. Once the application has been approved, you will be able to access the Devicie Portal along with any other user in your tenant who is a member of the relevant access groups.

To understand how to manage user access to the Devicie portal read:
🛟Manage access to the Devicie Portal

Permissions detail

Maintain access to data you have given it access to

Reference: offline_access

Explanation: Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

Sign in and read user profile

Reference: User.Read (see Permissions for an app registration)

Explanation: Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. Used during first-time setup.

Access Azure Data Explorer

Reference: Cluster Permissions

Explanation: The data store is used by Devicie for reporting and dashboards. We require permissions for the ADX service so that, on behalf of the customer, we can connect to the Devicie tenant-hosted ADX store and use the federated Entra ID identity to enforce row-level security (RLS), so each signed-in user only sees data for their own tenant.

3. Devicie Automation permissions

Devicie automates the deployment of applications, configuration profiles, and assignments, and is able to report on customers' Intune environments using data from the Microsoft Graph API.

In order for us to be able to do this in a secure and automated fashion, we require certain access to customers' environments through the Devicie Automation enterprise application.

Single tenant customers

If you are managing a single tenant, you will be asked to authorise the Devicie Automation application before the portal access permissions. Once that is done, you will be provisioned access to the customer portal and will need to grant the Devicie portal permissions at that point (described above).

Process for approving Devicie Automation:

  1. During onboarding, you will receive the authorization URL in your welcome email.
  2. The user will be prompted to provide approval of the application's permissions. They will need to be a Global Administrator of the tenant to approve this application, because the consent is tenant-wide and covers application (app-only) permissions.
  3. After approving the application, they will be redirected to a form with a shortlist of foundational variables needed as part of onboarding.
  4. The Devicie telemetry application will be assigned as a required application for all users in the tenant within 24 hours of Devicie Automation approval. This application will run on all devices to ensure we capture the necessary telemetry data.
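Because the link in the welcome email leads to a consent that a Global Administrator grants tenant-wide, it is worth confirming, before clicking, that it really points at the Microsoft consent endpoint for the application you expect. The following is an added example and not Devicie's code; it assumes the authorization URL is a standard Microsoft Entra admin consent link (https://login.microsoftonline.com/{tenant}/adminconsent?client_id=...), that Devicie has told you the expected application (client) ID out of band, and that the consent redirects back to app.devicie.com. The client ID, tenant name and redirect path below are constructed placeholders.

```python
"""Validate an admin-consent link before an administrator opens it.

Added example, not Devicie's code. The sample URLs, the expected client
ID and the redirect path are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

MS_LOGIN_HOST = "login.microsoftonline.com"
# /{tenant}/adminconsent (v1) or /{tenant}/v2.0/adminconsent (v2)
CONSENT_PATH = re.compile(r"^/[^/]+/(v2\.0/)?adminconsent$")


def check_admin_consent_url(url, expected_client_id, allowed_redirect_hosts):
    """Return a list of problems; an empty list means the link is as expected."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme {parts.scheme!r}, expected https")
    # urlsplit().hostname strips userinfo and port, so a lookalike such as
    # https://login.microsoftonline.com@evil.example/... resolves to evil.example
    if parts.hostname != MS_LOGIN_HOST:
        problems.append(f"host {parts.hostname!r} is not {MS_LOGIN_HOST}")
    if not CONSENT_PATH.match(parts.path):
        problems.append(f"path {parts.path!r} is not an adminconsent endpoint")
    query = parse_qs(parts.query)
    client_ids = query.get("client_id", [])
    if client_ids != [expected_client_id]:
        problems.append(f"client_id {client_ids} does not match {expected_client_id}")
    for redirect in query.get("redirect_uri", []):
        target = urlsplit(redirect)
        if target.scheme != "https" or target.hostname not in allowed_redirect_hosts:
            problems.append(f"redirect_uri {redirect!r} is not an allowed https host")
    return problems


# Constructed placeholders (not real identifiers).
EXPECTED_CLIENT_ID = "00000000-0000-0000-0000-00000000c0de"
ALLOWED_REDIRECT_HOSTS = {"app.devicie.com"}

GOOD_URL = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/adminconsent"
    "?client_id=00000000-0000-0000-0000-00000000c0de"
    "&redirect_uri=https%3A%2F%2Fapp.devicie.com%2Fcallback&state=abc123"
)
# Lookalike host appended after the real one.
LOOKALIKE_HOST_URL = (
    "https://login.microsoftonline.com.evil.example/contoso/adminconsent"
    "?client_id=00000000-0000-0000-0000-00000000c0de"
)
# Real host placed in the userinfo part of the URL.
USERINFO_TRICK_URL = (
    "https://login.microsoftonline.com@evil.example/contoso/adminconsent"
    "?client_id=00000000-0000-0000-0000-00000000c0de"
)
# Genuine Microsoft host, but a different endpoint and a different app.
WRONG_APP_URL = (
    "https://login.microsoftonline.com/contoso/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111"
    "&redirect_uri=http%3A%2F%2Fattacker.example%2F"
)


if __name__ == "__main__":
    for name, url in [("good", GOOD_URL), ("lookalike", LOOKALIKE_HOST_URL),
                      ("userinfo", USERINFO_TRICK_URL), ("wrong app", WRONG_APP_URL)]:
        print(name, check_admin_consent_url(url, EXPECTED_CLIENT_ID, ALLOWED_REDIRECT_HOSTS))
```

The host comparison is exact rather than a suffix match, which is what defeats the first two sample URLs; the client_id check is what catches a genuine Microsoft link that would grant consent to a different application.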

Multi-tenant customers

If you are managing multiple tenants, you will authorise the Devicie Automation application as part of the new tenant setup wizard within the Devicie portal.

Permissions detail

Below is the list of permissions required for the Devicie API to connect to and administer your Intune tenant. All of these except "Sign in and read user profile" are application (app-only) permissions, granted once for the tenant and not tied to a signed-in user.

Read and write all Windows update deployment settings

Reference: WindowsUpdates.ReadWrite.All

Explanation: Allows the app to read and write all Windows update deployment settings for the organization without a signed-in user.

Read and write Microsoft Intune apps

Reference: DeviceManagementApps.ReadWrite.All

Explanation: Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.

Read and write Microsoft Intune device configuration and policies

Reference: DeviceManagementConfiguration.ReadWrite.All

Explanation: Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.

Read and write Microsoft Intune devices

Reference: DeviceManagementManagedDevices.ReadWrite.All

Explanation: Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe or BitLocker key rotation.

Read and write Microsoft Intune RBAC settings

Reference: DeviceManagementRBAC.ReadWrite.All

Explanation: Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.

Read and write Microsoft Intune configuration

Reference: DeviceManagementServiceConfig.ReadWrite.All

Explanation: Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user.

Read all applications (Entra ID)

Reference: Application.Read.All

Explanation: Allows the app to read all applications and service principals without a signed-in user. Used to access the Intune data warehouse.

Read all group memberships

Reference: GroupMember.Read.All

Explanation: Allows the app to read memberships and basic group properties for all groups without a signed-in user. Used for orchestrating app and configuration assignments.

Read all devices

Reference: Device.Read.All

Explanation: Allows the app to read your organization's devices' configuration information without a signed-in user.

Sign in and read user profile

Reference: Permissions for an app registration

Explanation: Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. Used during first-time setup.

Read all applications (Intune)

Reference: Application.Read.All

Explanation: Allows the app to read applications and service principals without a signed-in user. Used to access the Intune data warehouse.

Get data warehouse information from Microsoft Intune

Reference: get_data_warehouse

Explanation: Grants access to the Intune data warehouse API.