# API Permissions

*Applies to: Patch My PC Publisher*

## Overview

To permit the Publisher to automatically create, update, and assign Win32 applications in Microsoft Intune, the Entra ID app registration must be granted a specific set of Microsoft Graph application permissions.

The first table below lists the required permissions, and a second table further down lists the optional ones; each row explains how the Publisher uses that permission.

| Permission                                  | Description                                 | Used For                                       |
| ------------------------------------------- | ------------------------------------------- | ---------------------------------------------- |
| DeviceManagementApps.ReadWrite.All          | Read and write Intune applications          | Create, update, and manage Win32 applications  |
| DeviceManagementConfiguration.Read.All      | Read Intune configuration data              | Read assignment filter properties              |
| DeviceManagementManagedDevices.Read.All     | Read managed device information             | Device inventory used by auto-publishing logic |
| DeviceManagementRBAC.Read.All               | Read role-based access control information  | Read scope tags and RBAC assignments           |
| DeviceManagementServiceConfig.ReadWrite.All | Read and write Intune service configuration | Manage Enrollment Status Page (ESP) settings   |
| GroupMember.Read.All                        | Read group memberships                      | Assign applications to Entra ID groups         |

{% hint style="warning" %}
**Important**

**DeviceManagementServiceConfig.ReadWrite.All**

The Read and write Microsoft Intune configuration permission is required to manage blocking apps in the Enrollment Status Page (ESP). This is the only feature in the Publisher that relies on this permission.

We understand this permission may appear broad, however, Microsoft does not currently provide a more granular Graph permission for updating the blocking apps configuration within ESP profiles.

If you choose to revoke this permission from the app registration, the Publisher will no longer be able to manage ESP blocking apps or keep them up to date in Intune.
{% endhint %}

The following permissions are optional: they are not required for publishing, but they improve the user experience within the Publisher UI.

| Permission             | Description                         | Used For                                          |
| ---------------------- | ----------------------------------- | ------------------------------------------------- |
| **User.ReadBasic.All** | Read basic user profile information | Display user names when resolving group members   |
| **Device.Read.All**    | Read device properties              | Display device names when resolving group members |

{% hint style="info" %}
**Note**

Without the optional permissions above, the Publisher can detect that groups contain members, but it cannot resolve those members into readable **user or device names** in any group picker interface.
{% endhint %}

## How to add an API Permission

Follow the steps below to add the required Microsoft Graph **Application permissions** to the Entra ID app registration used by the Publisher.

1. Sign in to the **Microsoft Entra admin center**.
2. Navigate to **Entra ID > App registrations**.
3. Select the app registration created for Patch My PC Publisher (for example, *Patch My PC Publisher – Intune Connector*).
4. In the left-hand menu, select **API permissions**.
5. Select **Add a permission**.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FUj9dAlxu1FqVA4G7BGBN%2Fimage.png?alt=media&#x26;token=6e12718e-b825-4bf6-b1f0-8b30bb861582" alt="Add an API Permission" width="563"><figcaption></figcaption></figure>

6. In the **Request API permissions** pane, choose **Microsoft Graph**.
7. Select **Application permissions** (not Delegated permissions). The Publisher authenticates as the application itself, without a signed-in user, so delegated permissions would not apply.
8. Use the search box or expand the relevant categories and add the permissions listed in the tables above:
   * Required
     * DeviceManagementApps.ReadWrite.All
     * DeviceManagementConfiguration.Read.All
     * DeviceManagementManagedDevices.Read.All
     * DeviceManagementRBAC.Read.All
     * DeviceManagementServiceConfig.ReadWrite.All
     * GroupMember.Read.All
   * Optional
     * User.ReadBasic.All
     * Device.Read.All
9. Select **Add permissions** to apply the selected permissions.
10. Select **Grant admin consent** and confirm the prompt to approve the permissions.

   <figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FYYqTp2k3e0BL75WojxQl%2Fimage.png?alt=media&#x26;token=602dc05f-d22e-4544-b429-824161889170" alt="Grant admin consent" width="563"><figcaption></figcaption></figure>

The image below shows the required permissions after admin consent has been granted.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FM784AStK8j4gwXrQWI3s%2Fimage.png?alt=media&#x26;token=ae2ae98f-e32c-426e-98ac-cb6f872e21b4" alt="Granted API Permissions" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
**Note**

Granting admin consent requires an account with sufficient privileges, such as **Global Administrator** or **Privileged Role Administrator**. Until admin consent is granted, the Publisher will not be able to authenticate successfully or perform Intune operations.
{% endhint %}
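The following PowerShell script is an added example; it is not part of this page and is not Patch My PC's own tooling. It checks, against the required and optional lists from the tables in the Overview, which Microsoft Graph application permissions have actually been admin-consented on the Publisher's service principal (consent for application permissions is recorded as app role assignments on the service principal, which is what the Publisher's authentication depends on), flags anything granted beyond those lists as a least-privilege finding, and can grant the missing required ones. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller holds a role able to read service principals (and, with `-GrantMissing`, to grant tenant-wide consent). The `$AppId` parameter, the `-GrantMissing` switch and all variable names are this example's own.

```powershell
<#
  Added example (not Patch My PC's own tooling): audit, and optionally grant, the
  Microsoft Graph application permissions the Publisher's app registration needs.
  Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Applications) is installed.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Application (client) ID of the Publisher's app registration (supply your own value).
    [Parameter(Mandatory)] [string] $AppId,
    # Create app role assignments for any missing *required* permission. This is what the
    # portal's "Grant admin consent" button records for application permissions.
    [switch] $GrantMissing
)

# Permission sets as documented for the Publisher. ESP blocking-app management is the only
# feature that needs DeviceManagementServiceConfig.ReadWrite.All; it is still listed as required.
$Required = @(
    'DeviceManagementApps.ReadWrite.All',
    'DeviceManagementConfiguration.Read.All',
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementRBAC.Read.All',
    'DeviceManagementServiceConfig.ReadWrite.All',
    'GroupMember.Read.All'
)
$Optional = @('User.ReadBasic.All', 'Device.Read.All')

# Read-only audit needs Application.Read.All; granting consent additionally needs AppRoleAssignment.ReadWrite.All.
$scopes = @('Application.Read.All')
if ($GrantMissing) { $scopes += 'AppRoleAssignment.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Admin consent lives on the service principal, not on the application object.
$publisherSp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $publisherSp) { throw "No service principal found for appId $AppId in this tenant." }

# Microsoft Graph's well-known appId; its appRoles are the Graph application permissions.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleByValue = @{}
$valueById   = @{}
foreach ($role in $graphSp.AppRoles | Where-Object { $_.AllowedMemberTypes -contains 'Application' }) {
    $roleByValue[$role.Value] = $role
    $valueById[$role.Id]      = $role.Value
}

# Application permissions that have actually been consented: app role assignments against Graph.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $publisherSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $valueById[$_.AppRoleId] }

$missingRequired = $Required | Where-Object { $granted -notcontains $_ }
$missingOptional = $Optional | Where-Object { $granted -notcontains $_ }
# Anything consented beyond the two documented lists should be reviewed and, if unneeded, revoked.
$surplus = $granted | Where-Object { ($Required + $Optional) -notcontains $_ }

[PSCustomObject]@{
    ServicePrincipal = $publisherSp.DisplayName
    Granted          = (@($granted) | Sort-Object) -join ', '
    MissingRequired  = ($missingRequired -join ', ')
    MissingOptional  = ($missingOptional -join ', ')
    Surplus          = ($surplus -join ', ')
} | Format-List

if ($GrantMissing) {
    foreach ($perm in $missingRequired) {
        $role = $roleByValue[$perm]
        if (-not $role) { Write-Warning "Graph exposes no application role named $perm"; continue }
        # -WhatIf is honoured here because of SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($publisherSp.DisplayName, "Grant $perm")) {
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $publisherSp.Id `
                -PrincipalId $publisherSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
        }
    }
}
```

Run it as `.\Check-PublisherPermissions.ps1 -AppId <client id>` for a report only, and add `-GrantMissing -WhatIf` to preview grants before applying them. Granting this way records consent on the service principal but does not add the permission to the app registration's configured list, so the portal shows it under the "Other permissions granted" section rather than under "Configured permissions"; if you want the portal view to match, add the permission through the portal steps above and consent there instead. An empty `MissingRequired` line is the condition the note above describes: the Publisher can authenticate and perform Intune operations only once every required permission has been consented.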

