API Permissions
Applies to: Patch My PC Publisher
Overview
To permit the Publisher to automatically create, update, and assign Win32 applications in Microsoft Intune, the Entra ID app registration must be granted a specific set of Microsoft Graph application permissions.
The table below lists the required and optional permissions, along with an explanation of how each permission is used by the Publisher.
Required permissions

| Permission | Description | How the Publisher uses it |
| --- | --- | --- |
| DeviceManagementApps.ReadWrite.All | Read and write Intune applications | Create, update, and manage Win32 applications |
| DeviceManagementConfiguration.Read.All | Read Intune configuration data | Read assignment filter properties |
| DeviceManagementManagedDevices.Read.All | Read managed device information | Device inventory used by auto-publishing logic |
| DeviceManagementRBAC.Read.All | Read role-based access control information | Read scope tags and RBAC assignments |
| DeviceManagementServiceConfig.ReadWrite.All | Read and write Intune service configuration | Manage Enrollment Status Page (ESP) settings |
| GroupMember.Read.All | Read group memberships | Assign applications to Entra ID groups |
Important
DeviceManagementServiceConfig.ReadWrite.All
The Read and write Microsoft Intune configuration permission is required to manage blocking apps in the Enrollment Status Page (ESP). This is the only feature in the Publisher that relies on this permission.
We understand this permission may appear broad; however, Microsoft does not currently provide a more granular Graph permission for updating the blocking apps configuration within ESP profiles.
If you choose to revoke this permission from the app registration, the Publisher will no longer be able to manage ESP blocking apps or keep them up to date in Intune.
Optional permissions
The following permissions are not strictly required for publishing, but they improve the user experience within the Publisher UI.

| Permission | Description | How the Publisher uses it |
| --- | --- | --- |
| User.ReadBasic.All | Read basic user profile information | Display user names when resolving group members |
| Device.Read.All | Read device properties | Display device names when resolving group members |
Note
Without the optional permissions above, the Publisher can detect that groups contain members, but it cannot resolve those members into readable user or device names in any group picker interface.
How to add an API Permission
Follow the steps below to add the required Microsoft Graph Application permissions to the Entra ID app registration used by the Publisher.
1. Sign in to the Microsoft Entra admin center.
2. Navigate to Entra ID > App registrations.
3. Select the app registration created for Patch My PC Publisher (for example, Patch My PC Publisher – Intune Connector).
4. In the left-hand menu, select API permissions.
5. Select Add a permission.
6. In the Request API permissions pane, choose Microsoft Graph.
7. Select Application permissions (not Delegated permissions).
8. Use the search box or expand the relevant categories and add the permissions listed in the tables above:
   - Required:
     - DeviceManagementApps.ReadWrite.All
     - DeviceManagementConfiguration.Read.All
     - DeviceManagementManagedDevices.Read.All
     - DeviceManagementRBAC.Read.All
     - DeviceManagementServiceConfig.ReadWrite.All
     - GroupMember.Read.All
   - Optional:
     - User.ReadBasic.All
     - Device.Read.All
9. Select Add permissions to apply the selected permissions.
10. Select Grant admin consent and confirm the prompt to approve the permissions.

The image below shows the required permissions after admin consent has been granted.
Note
Granting admin consent requires an account with sufficient privileges, such as Global Administrator or Privileged Role Administrator. Until admin consent is granted, the Publisher will not be able to authenticate successfully or perform Intune operations.
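To confirm outside the portal that the steps above produced the expected result, the following added example (not Patch My PC's code) compares an app registration's Microsoft Graph application permissions, and their admin-consent state, with the set documented on this page. It assumes input shaped like three Graph API objects (the application's requiredResourceAccess, the Microsoft Graph service principal's appRoles, and the app's service principal appRoleAssignments), which in practice you would fetch with the Graph API or SDK; every GUID in the sample data is a constructed placeholder.

```python
# Added example (not Patch My PC's code): compare an app registration's Microsoft
# Graph application permissions with the set documented on this page. It runs
# offline on data shaped like three Graph objects: the application's
# requiredResourceAccess, the Microsoft Graph service principal's appRoles, and
# the app's service principal appRoleAssignments. All GUIDs are placeholders.

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph appId

REQUIRED = {
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.Read.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "GroupMember.Read.All",
}
OPTIONAL = {"User.ReadBasic.All", "Device.Read.All"}


def check_permissions(required_resource_access, graph_app_roles, app_role_assignments):
    """Return the gaps: required/optional permissions not requested, permissions
    requested but without admin consent, and permissions outside the documented set."""
    # Graph returns role GUIDs; map them to names via the Graph service principal's appRoles
    names = {r["id"]: r["value"] for r in graph_app_roles if "Application" in r["allowedMemberTypes"]}
    # Only application permissions ("Role") on Microsoft Graph count; "Scope" is delegated
    requested = {names.get(a["id"], a["id"])
                 for rra in required_resource_access if rra["resourceAppId"] == GRAPH_APP_ID
                 for a in rra["resourceAccess"] if a["type"] == "Role"}
    # Admin consent is recorded as an appRoleAssignment on the app's own service principal
    consented = {names.get(x["appRoleId"], x["appRoleId"]) for x in app_role_assignments}
    return {
        "missing_required": sorted(REQUIRED - requested),
        "missing_optional": sorted(OPTIONAL - requested),
        "not_consented": sorted(requested - consented),
        "extra": sorted((requested | consented) - (REQUIRED | OPTIONAL)),
    }


# Constructed sample data: three roles requested, two consented, one delegated scope to ignore
ROLE = {n: f"11111111-0000-0000-0000-00000000000{i}" for i, n in enumerate(
    ["DeviceManagementApps.ReadWrite.All", "GroupMember.Read.All", "Directory.ReadWrite.All"], 1)}
SAMPLE_GRAPH_APP_ROLES = [{"id": i, "value": n, "allowedMemberTypes": ["Application"]} for n, i in ROLE.items()]
SAMPLE_REQUIRED_RESOURCE_ACCESS = [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [{"id": i, "type": "Role"} for i in ROLE.values()]
                      + [{"id": "22222222-0000-0000-0000-000000000009", "type": "Scope"}],
}]
SAMPLE_APP_ROLE_ASSIGNMENTS = [{"appRoleId": ROLE["DeviceManagementApps.ReadWrite.All"]},
                               {"appRoleId": ROLE["Directory.ReadWrite.All"]}]
```

Running check_permissions on the sample data reports four required permissions never requested, GroupMember.Read.All requested but not consented, and Directory.ReadWrite.All as an extra permission outside the documented set, the kind of over-privilege worth removing from the app registration.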