Needed Permissions
Complete guide to configuring granular permissions for Intune Assistant users
Learn how to configure the required permissions for Intune Assistant and how to set up granular permissions for users in your organization.
Intune Assistant requires the following Microsoft Graph API permissions to function properly (permission, type, purpose):

DeviceManagementConfiguration.Read.All (Delegated): Read Intune configuration profiles and baselines
DeviceManagementApps.Read.All (Delegated): Read managed applications and app configurations
DeviceManagementServiceConfig.Read.All (Delegated): Read device management service configuration
DeviceManagementScripts.Read.All (Delegated): Read PowerShell and shell scripts
Group.Read.All (Delegated): Read group memberships and properties
User.ReadBasic.All (Delegated): Read basic user information like name and email
Directory.AccessAsUser.All (Delegated only): Access directory data on behalf of the signed-in user
Policy.Read.ConditionalAccess (Delegated): Read Conditional Access policies
Read-only permissions
The permissions listed above are read-only, with one caveat worth knowing: Directory.AccessAsUser.All does not grant a fixed set of read operations but gives the application the same directory access as the signed-in user, so the application can never exceed what that user is already allowed to do. Intune Assistant never modifies your tenant configuration, and because all permissions are delegated, every call runs under the signed-in user's own rights.
Instead of giving users full Intune Administrator permissions, you can configure granular role-based access control (RBAC) permissions. This follows the principle of least privilege.
Microsoft Intune uses role-based access control to determine what actions users can perform. Each role contains:
Permissions: What actions can be performed
Scope: Which resources the role applies to
Assignments: Which users or groups have the role
Since Intune Assistant only reads data, users need roles with read permissions for the following categories:
Device configuration: allows reading device configuration profiles and compliance policies.
Required permissions:
Device configuration policies: Read
Device compliance policies: Read
Device enrollment: Read
Application management: allows reading application management data.
Required permissions:
Mobile applications: Read
Mobile application management policies: Read
Reports: allows reading reports and analytics data.
Required permissions:
Reports: Read
Conditional Access: allows reading Conditional Access policies.
Conditional Access policies are an Entra ID resource, not an Intune resource, so no Intune RBAC permission covers them. For the Policy.Read.ConditionalAccess permission to return data, the signed-in user also needs an Entra ID directory role that can read Conditional Access policies, such as Security Reader or Global Reader.
For optimal security, create a custom role with only the required read permissions:
Navigate to Microsoft Intune admin center
Select Tenant administration > Roles > All roles
If you prefer using built-in roles, assign users to one of:
Read Only Operator (Intune built-in role; reads user, device, enrollment, configuration and application data without write access)
Intune Administrator, formerly Intune Service Administrator (full read/write; not recommended)
Reports Reader (limited to reports only)
Global Reader (read access across Microsoft 365, including Conditional Access policies)
Recommended approach
We recommend creating a custom role with only the required read permissions to follow the principle of least privilege.
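As an added example, not part of the Intune Assistant documentation or product, the following PowerShell script creates such a read-only custom role with Microsoft Graph PowerShell. Rather than hard-coding Intune's resource action identifiers (which this page does not list), it reads the tenant's resourceOperations, keeps only actions named Read whose resource name matches the categories above, prints that list, and only creates the role when run with -Create. The role name and the regular expressions used to match resource names are assumptions; check the printed list against your tenant before creating the role.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: create a read-only custom Intune role for Intune Assistant users.
# Not part of Intune Assistant; the role name and the resourceName patterns are assumptions.
param(
    [string] $RoleName = 'Intune Assistant Reader',   # assumed name, change freely
    [switch] $Create                                   # without -Create this is a dry run
)

# Creating a role definition needs the RBAC write scope; everything else here is a read.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All' -NoWelcome

# Intune exposes every RBAC permission as a resourceOperation (id, resourceName, actionName).
# Reading them from the tenant avoids hard-coding identifiers that this page does not list.
$allOps = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/resourceOperations?$top=999').value

# Categories from this page. The patterns are assumptions about how Intune names the
# resources; the matched list is printed so you can adjust them before creating anything.
$patterns = @('device ?config', 'compliance', 'enrollment', 'mobile ?app', 'managed ?app', 'report')

$readOps = foreach ($op in $allOps) {
    if ($op.actionName -ne 'Read') { continue }        # never include Create/Update/Delete
    foreach ($p in $patterns) {
        if ($op.resourceName -match $p) { $op; break }
    }
}
if (-not $readOps) { throw 'No matching Read operations found; inspect $allOps and adjust $patterns.' }

'Read permissions that will go into the role:'
$readOps | Select-Object id, resourceName, actionName | Format-Table -AutoSize | Out-String

$body = @{
    '@odata.type'   = '#microsoft.graph.roleDefinition'
    displayName     = $RoleName
    description     = 'Read-only Intune access for Intune Assistant users (least privilege)'
    rolePermissions = @(
        @{
            resourceActions = @(
                @{
                    allowedResourceActions    = @($readOps.id)
                    notAllowedResourceActions = @()
                }
            )
        }
    )
}

if ($Create) {
    $role = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions' `
        -Body $body
    "Created role '$($role.displayName)' (id $($role.id)). Assign it under Tenant administration > Roles, scoped to the groups that need it."
} else {
    "Dry run: $(@($readOps).Count) Read permissions selected. Re-run with -Create to create '$RoleName'."
}
```

Run it once without -Create, inspect the table, tighten $patterns if a resource you did not intend (for example an unrelated report or enrollment resource) was matched, and then create the role. Assigning the role to a group and a scope is done afterwards in the admin center, as described above.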
Common permission issues:
User cannot see any data
Check that the user has the required Intune role assigned and that the assignment's scope covers the resources they expect to see
Missing device configurations
Verify that the DeviceManagementConfiguration.Read.All permission has been consented for the application
Missing applications
Verify that the DeviceManagementApps.Read.All permission has been consented for the application
Intune Assistant requires admin consent for the Graph API permissions. Ensure that a Global Administrator, or another role that can grant tenant-wide admin consent such as Privileged Role Administrator, has granted consent for the application in your tenant. New features may require additional permissions; if a required consent is missing, Intune Assistant notifies you, and you then run the consent flow again.
For information about that process, check the Managing Admin Consent documentation.
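To check consent without clicking through the portal, here is an added PowerShell example (not from the Intune Assistant documentation or product) that lists the delegated Microsoft Graph scopes with tenant-wide admin consent for an application and compares them with the eight permissions listed at the top of this page. The application (client) ID is a parameter you supply from Entra admin center > Enterprise applications; the script assumes admin consent is recorded as an oauth2PermissionGrant with consentType AllPrincipals on the Microsoft Graph service principal, which is how Entra ID stores it.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: report which of the delegated Graph permissions listed on this page
# have tenant-wide admin consent for an application. Not part of Intune Assistant.
param(
    [Parameter(Mandatory)] [string] $AppId   # client (application) ID from Enterprise applications
)

# The eight delegated permissions this page lists.
$required = @(
    'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All',
    'DeviceManagementServiceConfig.Read.All', 'DeviceManagementScripts.Read.All',
    'Group.Read.All', 'User.ReadBasic.All',
    'Directory.AccessAsUser.All', 'Policy.Read.ConditionalAccess'
)

# Read-only scopes: enough to see service principals and their delegated grants.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

$graphBase = 'https://graph.microsoft.com/v1.0'

# Service principal of the application in this tenant (created at first consent).
$sp = (Invoke-MgGraphRequest -Method GET -Uri "$graphBase/servicePrincipals?`$filter=appId eq '$AppId'").value
if (-not $sp) { throw "No service principal for appId $AppId: the app has never been consented in this tenant." }
$sp = $sp[0]

# Microsoft Graph's own service principal; 00000003-0000-0000-c000-000000000000 is its well-known appId.
$graphSp = (Invoke-MgGraphRequest -Method GET -Uri "$graphBase/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'").value[0]

# Delegated consent is stored as oauth2PermissionGrants. consentType 'AllPrincipals' is
# tenant-wide admin consent; 'Principal' rows are consents by individual users and do not count here.
$grants = (Invoke-MgGraphRequest -Method GET -Uri "$graphBase/oauth2PermissionGrants?`$filter=clientId eq '$($sp.id)'").value

$adminScopes = foreach ($g in $grants) {
    if ($g.consentType -eq 'AllPrincipals' -and $g.resourceId -eq $graphSp.id) {
        $g.scope -split '\s+' | Where-Object { $_ }   # scope is a space-separated string
    }
}
$adminScopes = @($adminScopes | Sort-Object -Unique)

$missing = @($required | Where-Object { $_ -notin $adminScopes })

"Admin-consented Graph delegated scopes for '$($sp.displayName)': $($adminScopes -join ', ')"
if ($missing.Count -gt 0) {
    Write-Warning "Missing admin consent for: $($missing -join ', '). Run the admin consent flow again."
} else {
    'All required delegated permissions are admin-consented.'
}
```

If the script reports a missing scope even though users can sign in, the permission was most likely consented per user (consentType Principal) rather than for the whole tenant; that is exactly the case where some users see data and others do not, and a tenant-wide admin consent fixes it for everyone.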
Best practice
Regularly review and audit user permissions to ensure they align with current job responsibilities and security requirements.