Needed Permissions
Complete guide to configuring permissions for the Intune Assistant Assignments Manager extension
Learn how to configure the required permissions for the Intune Assistant Assignments Manager extension and how to set up granular permissions for users in your organization.
The Assignments Manager extension requires the following Microsoft Graph API permissions, all of the delegated type, to function properly:
DeviceManagementConfiguration.ReadWrite.All (Delegated): read and write Intune configuration profiles and baselines
DeviceManagementApps.ReadWrite.All (Delegated): read and write managed applications and app configurations
DeviceManagementServiceConfig.ReadWrite.All (Delegated): read and write device management service configuration
DeviceManagementScripts.ReadWrite.All (Delegated): read and write PowerShell and shell scripts
Group.Read.All (Delegated): read group memberships and properties
ReadWrite permissions required
The Assignments Manager extension requires ReadWrite permissions to modify policy assignments, group assignments, and filters in your Intune tenant.
Instead of giving users full Intune Administrator permissions, you can configure granular role-based access control (RBAC) permissions for the Assignments Manager functionality.
Microsoft Intune uses role-based access control to determine what actions users can perform. Each role contains:
Permissions: What actions can be performed
Scope: Which resources the role applies to
Assignments: Which users or groups have the role
Users need roles with read and write permissions for the following categories:
Allows reading and modifying device configuration profiles and compliance policies.
Required permissions:
Device configuration policies: Read, Create, Update, Delete, Assign
Device compliance policies: Read, Create, Update, Delete, Assign
Device enrollment: Read
Application Configuration Manager
Allows reading and modifying application management data.
Required permissions:
Mobile applications: Read, Create, Update, Delete, Assign
Mobile application management policies: Read, Create, Update, Delete, Assign
Allows reading and modifying PowerShell and shell scripts.
Required permissions:
Device management scripts: Read, Create, Update, Delete, Assign
Allows reading group information for assignment purposes.
Required permissions:
Groups: Read
For optimal security, create a custom role with only the required permissions:
Navigate to the Microsoft Intune admin center
Select Tenant administration > Roles > All roles, then Create > Intune role
Name the role and configure its permissions as follows:
Device configuration policies: Read, Create, Update, Delete, Assign ✓
Device compliance policies: Read, Create, Update, Delete, Assign ✓
Mobile applications: Read, Create, Update, Delete, Assign ✓
Mobile application management policies: Read, Create, Update, Delete, Assign ✓
Device management scripts: Read, Create, Update, Delete, Assign ✓
Organization: Read ✓
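The same custom role can be created through Microsoft Graph, which is easier to repeat across tenants than clicking through the admin center. The script below is an added example and is not part of the Intune Assistant project or its documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds DeviceManagementRBAC.ReadWrite.All, that the role name is a placeholder you will rename, and that the `id` of each entry returned by `deviceManagement/resourceOperations` is the string accepted in `allowedResourceActions`. Rather than hard-coding action strings, it resolves the page's permission categories against the tenant's own catalogue and warns about anything it cannot match, so run it with `-WhatIf` first and check the resolved list.

```powershell
# Added example (not from the Intune Assistant documentation): build the least-privilege
# Assignments Manager role from the page's permission list via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; caller has DeviceManagementRBAC.ReadWrite.All;
# $RoleName is a placeholder; resourceOperation 'id' values are valid allowedResourceActions.
param(
    [string]$RoleName = 'Assignments Manager (least privilege)',
    [switch]$WhatIf
)

Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All' -NoWelcome

# Permission categories from the custom-role step above, as wildcard patterns against the
# catalogue's resourceName, each with the actions that category needs.
$required = [ordered]@{
    'Device configuration*'     = @('Read', 'Create', 'Update', 'Delete', 'Assign')
    'Device compliance polic*'  = @('Read', 'Create', 'Update', 'Delete', 'Assign')
    'Mobile app*'               = @('Read', 'Create', 'Update', 'Delete', 'Assign')
    'Managed app*'              = @('Read', 'Create', 'Update', 'Delete', 'Assign')
    'Device management script*' = @('Read', 'Create', 'Update', 'Delete', 'Assign')
    'Organization'              = @('Read')
}

# Page through the tenant's full catalogue of Intune RBAC resource operations.
$catalogue = @()
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/resourceOperations'
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $catalogue += $page.value
    $uri = $page.'@odata.nextLink'
}

$allowed = @()
foreach ($pattern in $required.Keys) {
    $ops = $catalogue | Where-Object { $_.resourceName -like $pattern }
    $names = @($ops.resourceName | Sort-Object -Unique)
    if ($names.Count -ne 1) {
        # Either nothing matched or the pattern is ambiguous; surface the catalogue so the
        # admin can tighten the pattern instead of silently granting the wrong resource.
        Write-Warning "Pattern '$pattern' matched $($names.Count) resources: $($names -join ', ')"
        Write-Warning "Available resource names: $(($catalogue.resourceName | Sort-Object -Unique) -join ', ')"
        continue
    }
    foreach ($action in $required[$pattern]) {
        $op = $ops | Where-Object { $_.actionName -eq $action } | Select-Object -First 1
        if ($op) { $allowed += $op.id } else { Write-Warning "'$($names[0])' has no '$action' action" }
    }
}

$allowed = @($allowed | Sort-Object -Unique)
Write-Host "Role '$RoleName' would allow $($allowed.Count) actions:"
$allowed | ForEach-Object { Write-Host "  $_" }
if ($WhatIf) { return }

# Shape follows the Graph roleDefinition resource: one rolePermission with one resourceAction.
$body = @{
    '@odata.type'   = '#microsoft.graph.roleDefinition'
    displayName     = $RoleName
    description     = 'Assignment rights for the Intune Assistant Assignments Manager'
    isBuiltIn       = $false
    rolePermissions = @(@{
        '@odata.type'   = 'microsoft.graph.rolePermission'
        resourceActions = @(@{
            '@odata.type'             = 'microsoft.graph.resourceAction'
            allowedResourceActions    = $allowed
            notAllowedResourceActions = @()
        })
    })
}
$role = Invoke-MgGraphRequest -Method POST -Body $body `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions'
Write-Host "Created role definition $($role.id). Add an assignment (members, scope groups, scope tags) under Roles > $RoleName."
```

The role definition alone grants nothing; users only receive the rights once a role assignment ties the definition to a member group and a scope, which is where scope tags limit the blast radius of the Assign permissions.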
If you prefer using built-in roles, assign users to:
Intune Administrator (Entra ID role, formerly named Intune Service Administrator; full read/write access to all of Intune)
Application Manager (Intune built-in role; for app-related assignments only)
Recommended approach
We recommend creating a custom role with only the required assignment permissions to follow the principle of least privilege.
The Assignments Manager extension performs the following operations:
Assign policies to groups with include/exclude logic
Remove assignments from existing policies
Modify assignment filters and conditions
Bulk assignment operations across multiple policies
Assign applications to users and devices
Configure installation requirements and deadlines
Manage app protection policies assignments
Handle app configuration policy assignments
Assign PowerShell scripts to device groups
Configure script execution parameters
Manage shell scripts for macOS devices
Assignment impact
Changes made through the Assignments Manager directly affect your production environment. Always test in a non-production environment first.
Common permission issues:
Cannot modify assignments
Verify user has ReadWrite permissions for the specific resource type
Assignment operations fail
Check if user has "Assign" permission in their Intune role
Cannot see target groups
Ensure Group.Read.All permission is granted
Script assignments fail
Verify DeviceManagementScripts.ReadWrite.All permission
The Assignments Manager requires tenant-wide admin consent for the Graph API permissions listed above. Ensure that a Global Administrator, or another role permitted to grant tenant-wide admin consent such as Privileged Role Administrator, has granted consent for the application in your tenant.
New features may require additional permissions. If required consent is missing, the extension notifies you; run the consent process again to grant the missing permissions.
For information about that process, check the Managing Admin Consent documentation.
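Before users report consent errors, you can check from PowerShell whether the tenant-wide grant actually covers the five permissions listed at the top of this page, and whether it grants more than that. The script below is an added example, not code from the Intune Assistant project. It assumes the Microsoft.Graph PowerShell SDK is installed, that `$AppId` is the application (client) ID of the Intune Assistant app registration as it appears in your tenant (you must supply it; the page does not give it), and that the signed-in account can read service principals and delegated permission grants.

```powershell
# Added example (not from the Intune Assistant documentation): compare the tenant-wide
# delegated grant for the app against the permission list on this page.
# Assumptions: Microsoft.Graph SDK installed; $AppId is the app's client ID in your tenant;
# caller holds Application.Read.All and DelegatedPermissionGrant.Read.All.
param(
    [Parameter(Mandatory)] [string]$AppId
)

# Delegated Graph permissions required by the Assignments Manager (from the page).
$requiredScopes = @(
    'DeviceManagementConfiguration.ReadWrite.All',
    'DeviceManagementApps.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All',
    'DeviceManagementScripts.ReadWrite.All',
    'Group.Read.All'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# A service principal only exists once someone in the tenant has consented at least once.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    throw "No service principal for appId $AppId in this tenant: the app has never been consented here."
}

# Only grants against the Microsoft Graph resource matter; its app ID is the well-known
# 00000003-0000-0000-c000-000000000000.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Tenant-wide (admin) grants have consentType 'AllPrincipals'; per-user grants are 'Principal'.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.ConsentType -eq 'AllPrincipals' }

# Scope is a single space-separated string per grant; flatten and de-duplicate.
$granted = @($grants | ForEach-Object { $_.Scope -split '\s+' } |
    Where-Object { $_ } | Sort-Object -Unique)

$missing = @($requiredScopes | Where-Object { $granted -notcontains $_ })
$extra   = @($granted | Where-Object { $requiredScopes -notcontains $_ })

[pscustomobject]@{
    App              = $sp.DisplayName
    TenantWideGrant  = [bool]$grants
    Granted          = $granted
    Missing          = $missing   # re-run the consent process if non-empty
    BeyondRequired   = $extra     # over-consent worth reviewing and trimming
}

if ($missing) { exit 1 }
```

A non-empty `Missing` list is the condition behind the "consent missing" notification the page describes; a non-empty `BeyondRequired` list means an earlier consent granted more than the extension needs and is worth revoking before an auditor asks.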
When granting permissions for the Assignments Manager:
Limit scope with scope tags so that role holders can only change assignments within their organizational unit
Audit assignment changes regularly through the Intune audit logs
Monitor usage to ensure the granted permissions are being used appropriately
Implement approval workflows for critical assignment changes
Best practice
Regularly review assignment changes and audit logs to ensure the Assignments Manager is being used according to your organization's policies.