
Needed Permissions

Complete guide to configuring granular permissions for Intune Assistant users

Permissions Overview

Learn how to configure the required permissions for Intune Assistant and how to set up granular permissions for users in your organization.

Required Graph API Permissions

Intune Assistant requires the following Microsoft Graph API permissions to function properly:

Permission                              | Type           | Description
DeviceManagementConfiguration.Read.All  | Delegated      | Read Intune configuration profiles and baselines
DeviceManagementApps.Read.All           | Delegated      | Read managed applications and app configurations
DeviceManagementServiceConfig.Read.All  | Delegated      | Read device management service configuration
DeviceManagementScripts.Read.All        | Delegated      | Read PowerShell and shell scripts
Group.Read.All                          | Delegated      | Read group memberships and properties
User.ReadBasic.All                      | Delegated      | Read basic user information like name and email
Directory.AccessAsUser.All              | Delegated only | Access directory data on behalf of the user
Policy.Read.ConditionalAccess           | Delegated      | Read Conditional Access policies

Read-only permissions

All permissions listed above are READ-ONLY permissions. Intune Assistant never modifies your tenant configuration.
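The scopes in the table above are delegated permissions, so the consent a tenant grants is recorded as OAuth2 permission grants on the application's service principal. The following PowerShell script is an added example (it is not part of the Intune Assistant documentation or project code) that reads those grants and reports whether the documented read-only list is fully consented, whether anything beyond it has been granted, and whether any write-capable scope is present. It assumes the Microsoft Graph PowerShell SDK is installed, that the service principal's display name is 'Intune Assistant' (an assumption; adjust to your tenant), and that the caller can read application and permission-grant data.

```powershell
# Added example, not from the Intune Assistant docs or project.
# Compares the admin-consented delegated scopes for the app's service principal
# against the documented read-only list and flags anything outside it.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

# The documented read-only delegated scopes (copied from the permissions table).
$RequiredScopes = @(
    'DeviceManagementConfiguration.Read.All'
    'DeviceManagementApps.Read.All'
    'DeviceManagementServiceConfig.Read.All'
    'DeviceManagementScripts.Read.All'
    'Group.Read.All'
    'User.ReadBasic.All'
    'Directory.AccessAsUser.All'
    'Policy.Read.ConditionalAccess'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# Locate the service principal by display name (assumed value; change if your tenant differs).
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Intune Assistant'"
if (-not $sp) { throw "Service principal 'Intune Assistant' not found; check the display name." }

# Delegated consent is stored as oauth2PermissionGrant objects keyed by the SP's object id.
# consentType 'AllPrincipals' is tenant-wide admin consent; 'Principal' is a per-user grant.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

# Each grant carries a space-separated scope string; flatten and de-duplicate.
$grantedScopes = $grants |
    ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ } |
    Sort-Object -Unique

$missing   = $RequiredScopes | Where-Object { $_ -notin $grantedScopes }
$extra     = $grantedScopes  | Where-Object { $_ -notin $RequiredScopes }
# A read-only application should never hold a Write or ReadWrite scope.
$writeLike = $grantedScopes  | Where-Object { $_ -match '\.(ReadWrite|Write)' }

[pscustomobject]@{
    ServicePrincipalId = $sp.Id
    AdminConsented     = [bool]($grants | Where-Object ConsentType -eq 'AllPrincipals')
    MissingScopes      = ($missing   -join ', ')
    ExtraScopes        = ($extra     -join ', ')
    WriteScopes        = ($writeLike -join ', ')
}
```

An empty MissingScopes field with AdminConsented set to True means the consent described in the Troubleshooting section is in place; a non-empty WriteScopes field means the tenant has granted more than the application is documented to need and the consent should be reviewed.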

Configuring Granular User Permissions

Instead of giving users full Intune Administrator permissions, you can configure granular role-based access control (RBAC) permissions. This follows the principle of least privilege.

Understanding Intune RBAC

Microsoft Intune uses role-based access control to determine what actions users can perform. Each role contains:

  • Permissions: What actions can be performed
  • Scope: Which resources the role applies to
  • Assignments: Which users or groups have the role

Required Intune Roles for Intune Assistant

Since Intune Assistant only reads data, users need roles with read permissions for the following categories:

Device Configuration Reader

Allows reading device configuration profiles and compliance policies.

Required permissions:

  • Device configuration policies: Read
  • Device compliance policies: Read
  • Device enrollment: Read

Application Reader

Allows reading application management data.

Required permissions:

  • Mobile applications: Read
  • Mobile application management policies: Read

Reports Reader

Allows reading reports and analytics data.

Required permissions:

  • Reports: Read

Conditional Access Reader

Allows reading Conditional Access policies.

Required permissions:

  • Conditional Access: Read

Creating a Custom Role

For optimal security, create a custom role with only the required read permissions:

  1. Navigate to Microsoft Intune admin center

  2. Create new role

    • Click Create
    • Enter role name: Intune Assistant Reader
    • Add description: Read-only access for Intune Assistant users

  3. Configure permissions

    • Device configuration policies: Read ✓
    • Device compliance policies: Read ✓
    • Device enrollment: Read ✓
    • Mobile applications: Read ✓
    • Mobile application management policies: Read ✓
    • Reports: Read ✓
    • Organization: Read ✓

  4. Set scope and assignments

    • Define which users/groups should have this role
    • Set appropriate scope tags if needed
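Once the custom role exists, it is worth verifying from the Graph side that it really grants only Read operations and seeing which groups actually receive it. The script below is an added example (not part of the Intune Assistant documentation or project) that reads the role definition, flags any allowed resource action whose operation suffix is not Read, and lists the members of each assignment; the same script can be rerun as the periodic review the page recommends. It assumes the Microsoft Graph PowerShell SDK is installed, that the role is named 'Intune Assistant Reader' as in the steps above, and that the caller holds DeviceManagementRBAC.Read.All.

```powershell
# Added example, not from the Intune Assistant docs or project.
# Audits the custom Intune role for non-Read resource actions and lists its assignments.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement.Administration

Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All' -NoWelcome

# Role name from the creation steps above (assumed to match what was entered in the portal).
$RoleName = 'Intune Assistant Reader'
$role = Get-MgDeviceManagementRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' not found." }

# Flatten every allowed resource action declared by the role definition.
$actions = $role.RolePermissions.ResourceActions.AllowedResourceActions | Sort-Object -Unique

# Intune resource actions are named <Provider>_<Resource>_<Operation>.
# Anything whose operation is not Read (e.g. Create, Update, Delete, Assign)
# grants more than the read-only access this page describes.
$nonRead = $actions | Where-Object { $_ -notmatch '_Read$' }

# Assignments attached to this role definition; each one names the groups that hold the role.
# A user who "cannot see any data" is usually not a member of any of these groups.
$assignments = Get-MgDeviceManagementRoleDefinitionRoleAssignment -RoleDefinitionId $role.Id -All

$assignmentReport = foreach ($a in $assignments) {
    # The top-level roleAssignments endpoint exposes the member group ids.
    $full = Get-MgDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $a.Id
    [pscustomobject]@{
        Assignment     = $full.DisplayName
        MemberGroupIds = ($full.Members -join ', ')
        ScopeCount     = @($full.ResourceScopes).Count
    }
}

[pscustomobject]@{
    Role           = $role.DisplayName
    IsBuiltIn      = $role.IsBuiltIn
    ActionCount    = @($actions).Count
    NonReadActions = ($nonRead -join ', ')
    Assignments    = $assignmentReport
}
```

A non-empty NonReadActions field means the role drifted from the read-only configuration in step 3 and should be corrected before more users are added to it.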

Built-in Roles Alternative

If you prefer using built-in roles, assign users to:

  • Intune Service Administrator (full read/write - not recommended)
  • Reports Reader (limited to reports only)
  • Global Reader (read access across Microsoft 365)

Recommended approach

We recommend creating a custom role with only the required read permissions to follow the principle of least privilege.

Troubleshooting

Common permission issues:

Issue                          | Solution
User cannot see any data       | Check if the user has the required Intune role assigned
Missing device configurations  | Verify the DeviceManagementConfiguration.Read.All permission
Missing applications           | Check the DeviceManagementApps.Read.All permission

Intune Assistant requires admin consent for the Graph API permissions. Ensure that a Global Administrator has granted consent for the application in your tenant. New features may require additional permissions; if a required consent is missing, you will be notified and should run the consent again.

For information about that process, check the Managing Admin Consent documentation.

Additional Resources

Best practice

Regularly review and audit user permissions to ensure they align with current job responsibilities and security requirements.
