For Scappman to function, that is, to create applications in your Microsoft Endpoint Manager/Intune tenant and to run all of our logic, we need some permissions in your tenant. Those permissions, and why we need each one, are described in the table below.
| API name | Permission | Type | Why? |
| --- | --- | --- | --- |
| Microsoft Graph | Sign in and read user profile | Delegated | We use your existing Azure AD Microsoft account to authenticate you and to identify which tenant you belong to. Without this permission you would not be able to sign in. |
| Microsoft Graph | Maintain access to data you have given it access to | Delegated | The token that gives us access to "Sign in and read user profile" might expire while your session on our platform has not. To refresh that token seamlessly, this permission is required. |
| Microsoft Graph | Read and write Microsoft Intune apps | Application | We need this permission to create and update apps in your tenant. |
| Microsoft Graph | Read and write Microsoft Intune devices | Application | We need this permission for our reports. We use it to identify the devices for which we have a status, and also to initiate the automatic log file collection when an installation has failed. |
| Microsoft Graph | Read and write all groups | Application | We need this permission for application assignments. The read permission is used to list the Azure AD groups you can assign applications to. The write permission is used when you select specific users: because Intune/Microsoft Endpoint Manager does not support assigning applications to named users, we create a group, populate it with the users you selected, and assign that group to the application. This permission can be removed, but then user-based assignment is not possible. |
| Microsoft Graph | Read all groups | Application | We need this permission for application assignments. The read permission is used to list the Azure AD groups you can assign applications to. |
| Microsoft Graph | Read organization information | Application | With this permission we can read how many Microsoft licenses with an Intune entitlement you have assigned to users/devices. We use that number for billing purposes. |
| Microsoft Graph | Read all users' full profiles | Application | We use this permission to list users in Scappman. It is used for user-based application assignment and for admin invites. |
| Microsoft Graph | Read directory data | Application | We need this permission to see the available users and groups so they can be assigned to applications. We also need it to calculate the number of licenses. |
Sign in and read user profile
Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
Maintain access to data you have given it access to
Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.
Read and write Microsoft Intune apps
Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.
Read and write Microsoft Intune devices
Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device's owner.
Read and write all groups
Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.
Read directory data
Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
Read organization information
Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
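A tenant administrator who grants these permissions will want to verify, after consent, that the enterprise application holds exactly the application permissions documented above and nothing more. The following script is an added example, not Scappman's own code: it takes the two Microsoft Graph responses an admin would fetch (the vendor service principal's appRoleAssignments, and the appRoles catalogue of the Microsoft Graph service principal that maps each appRoleId to a scope value), resolves the granted roles, and reports anything undocumented, any required permission that is missing, and whether the optional group write permission is in use. The JSON below is constructed sample data with placeholder GUIDs, and the mapping from the table's display names to Graph scope values is an assumption taken from the Graph permissions reference.

```python
"""Audit the Microsoft Graph application permissions granted to a third-party
service principal against the set the vendor documents (the table above).

The two JSON documents are constructed stand-ins that mirror the shape of
Graph responses; every GUID in them is a placeholder, not a real app role id.
"""
import json

# Scope values for the application permissions listed in the table above.
# Mapping the page's display names to these scope values is an assumption
# based on the Microsoft Graph permissions reference.
DOCUMENTED = {
    "DeviceManagementApps.ReadWrite.All",            # Read and write Microsoft Intune apps
    "DeviceManagementManagedDevices.ReadWrite.All",  # Read and write Microsoft Intune devices
    "Group.ReadWrite.All",                           # Read and write all groups
    "Group.Read.All",                                # Read all groups
    "Organization.Read.All",                         # Read organization information
    "User.Read.All",                                 # Read all users' full profiles
    "Directory.Read.All",                            # Read directory data
}
# The table says the group write permission can be removed at the cost of
# user-based assignment, so the audit treats it as optional.
OPTIONAL = {"Group.ReadWrite.All"}

# Constructed stand-in for GET /servicePrincipals/{graph-sp-id}?$select=appRoles
# on the Microsoft Graph service principal (placeholder ids).
GRAPH_APP_ROLES = json.loads("""
{"appRoles": [
  {"id": "00000000-0000-0000-0000-000000000001", "value": "DeviceManagementApps.ReadWrite.All"},
  {"id": "00000000-0000-0000-0000-000000000002", "value": "DeviceManagementManagedDevices.ReadWrite.All"},
  {"id": "00000000-0000-0000-0000-000000000003", "value": "Group.ReadWrite.All"},
  {"id": "00000000-0000-0000-0000-000000000004", "value": "Group.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000005", "value": "Organization.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000006", "value": "User.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000007", "value": "Directory.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000008", "value": "Directory.ReadWrite.All"}
]}
""")

# Constructed stand-in for GET /servicePrincipals/{vendor-sp-id}/appRoleAssignments.
# In this sample the admin consented to one permission the vendor never
# documented (Directory.ReadWrite.All), skipped the optional group write
# permission, and one assignment targets a different resource API entirely.
VENDOR_ASSIGNMENTS = json.loads("""
{"value": [
  {"appRoleId": "00000000-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000004", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000005", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000006", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000007", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000008", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-0000000000aa", "resourceDisplayName": "Other API"}
]}
""")


def granted_graph_permissions(assignments, graph_roles):
    """Translate appRoleAssignments into Graph scope values.

    Assignments against other resource APIs are ignored; an appRoleId that is
    not in the Graph role catalogue is kept as 'unknown:<id>' so that it is
    surfaced by the audit instead of being silently dropped.
    """
    id_to_value = {r["id"]: r["value"] for r in graph_roles["appRoles"]}
    granted = set()
    for a in assignments["value"]:
        if a.get("resourceDisplayName") != "Microsoft Graph":
            continue
        granted.add(id_to_value.get(a["appRoleId"], "unknown:" + a["appRoleId"]))
    return granted


def audit(granted, documented=DOCUMENTED, optional=OPTIONAL):
    """Compare granted scopes with the documented set.

    Returns the over-granted scopes, the required scopes that are missing
    (which would break the vendor's stated functionality), and the optional
    scopes that are actually in use.
    """
    return {
        "undocumented": sorted(granted - documented),
        "missing_required": sorted((documented - optional) - granted),
        "optional_granted": sorted(granted & optional),
    }


if __name__ == "__main__":
    report = audit(granted_graph_permissions(VENDOR_ASSIGNMENTS, GRAPH_APP_ROLES))
    for key, values in report.items():
        print(f"{key}: {values or '-'}")
```

Against the constructed sample the report flags `Directory.ReadWrite.All` as undocumented, finds no required permission missing, and shows that the optional group write permission was not granted. On a real tenant the two JSON documents would come from the Graph endpoints named in the comments; the comparison logic is the same. Because the audit keys on the Graph appRoles catalogue rather than on display names, it also catches a role that was renamed or one that is not in the catalogue at all.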