Skip to main content

Permissions Required for Intune Client Apps to Communicate with App Portal

To establish connection between Intune and App Portal, the list of minimum permissions required for the Intune client app are:

  • Group.Create

  • Application.Read

  • Device.Read.All

  • User.Read.All

  • DeviceManagementApps.ReadWrite.All

  • DeviceManagementManagedDevices.Read.All

To configure these permissions, do the following:

  1. Select the registered account.

  2. Select API permissions from left navigation panel.

  3. Click Add a permission. The Request API permissions panel appears, select Microsoft Graph.

  4. In the Microsoft Graph, select Application Permissions.

    1. Device Management Permission—Under DeviceManagementApps, select DeviceManagementApps.Read.All and DeviceManagementApps.ReadWrite.All, and then click Add permissions.

    2. Application Permission—Under Application, select Application.Read and then click Add permissions.

    PermissionDescription
    Group.CreateOwners can create new groups within the organization.
    Application.ReadAllows reading all applications in the directory.
    Device.Read.AllAllows reading details of registered devices in the directory.
    User.Read.AllAllows reading details of all users in the directory.
    DeviceManagementApps.ReadWrite.AllAllows managing Microsoft Intune apps.
    DeviceManagementManagedDevices.Read.AllAllows reading details of Microsoft Intune devices.
    note

    To take effect of the above permissions it is mandatory to update the IntuneApiRoles.JSON file in following Install Location: C:\Program Files (x86)\Flexera Software\App Portal\Web\App_Data with below details:

  5. Click on Grant admin consent for [Tenant Name]. The status will turn to Granted. Make sure the permissions are of type Delegated.