# Why do we need permissions in your tenant?

For Scappman to create applications in your Microsoft Endpoint Manager/Intune tenant and use all our logic, we need some permissions in your tenant.

Those permissions and why we need them are described in this table.

<table data-header-hidden><thead><tr><th width="275"></th><th width="119.33333333333331"></th><th></th></tr></thead><tbody><tr><td>Permissions</td><td>Type</td><td>Why?</td></tr><tr><td>Sign in and read user profile</td><td>Delegated</td><td><p>We use your existing Azure AD account to authenticate you and identify which tenant you belong to. Without this permission you would not be able to sign in.</p><p><br>Allows users to sign in to the app, and allows the app to read the profile of signed-in users.</p></td></tr><tr><td>Maintain access to data you have given it access to</td><td>Delegated</td><td><p>The token that gives us access to "Sign in and read user profile" might expire while your session on our platform is still active.</p><p></p><p>To seamlessly refresh that token, this permission is required.</p><p><a href="https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview">https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview</a><br></p><p>This does not give the app any additional permissions.</p></td></tr><tr><td>Read and write Microsoft Intune apps</td><td>Application</td><td>We need this permission to create and update apps in your tenant.</td></tr><tr><td>Read &#x26; write Microsoft Intune devices</td><td>Application</td><td><p>We need this permission for our reports.</p><p></p><p>We use it to identify the device installation status and also to initiate the automatic log file collection in case an installation has failed.</p></td></tr><tr><td>Read &#x26; write all groups</td><td>Application</td><td><p>We need this permission for the assignments of the applications.</p><p></p><p>The read permission is used to list your Azure AD groups that you can use to assign applications.</p><p></p><p>The write permission is used when you select specific users. Intune doesn't support assigning applications to named users, so we create a group, populate that group with the users you've selected and assign that group to the application.</p><p></p><p>This permission can be removed, but user assignment is then not possible.</p></td></tr><tr><td>Read all groups</td><td>Application</td><td><p>We need this permission for the assignments of the applications.</p><p></p><p>The read permission is used to list your Azure AD groups that you can use to assign applications.</p></td></tr><tr><td>Read organization information</td><td>Application</td><td><p>With this permission we can read how many Microsoft licenses you have with an Intune entitlement that are assigned to users/devices.</p><p></p><p>We'll use that number for billing purposes.</p></td></tr><tr><td>Read all users' full profiles</td><td>Application</td><td><p>We use this permission to list users in Scappman.</p><p></p><p>This is used for user-based application assignment and admin invites.</p></td></tr><tr><td>Read directory data</td><td>Application</td><td><p>We need this permission to see the available users and groups to assign them to applications.</p><p></p><p>We also need this permission to calculate the number of licenses.</p></td></tr></tbody></table>
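
To review the consent from your side, the following added example (not Scappman's code) compares what the enterprise application has actually been granted with the table above. It takes records shaped like Microsoft Graph `appRoleAssignments`, the Graph service principal's `appRoles`, and `oauth2PermissionGrants`; the permission values are an assumed mapping of the table's display names, and all IDs and sample records are constructed.

```python
# Added example, not Scappman's code. Permission values are an assumed mapping
# of the table's display names; every ID and sample record is constructed.
DOCUMENTED = {
    "Application": {
        "DeviceManagementApps.ReadWrite.All",            # Read and write Microsoft Intune apps
        "DeviceManagementManagedDevices.ReadWrite.All",  # Read & write Microsoft Intune devices
        "Group.ReadWrite.All",                           # Read & write all groups (removable)
        "Group.Read.All",                                # Read all groups
        "Organization.Read.All",                         # Read organization information
        "User.Read.All",                                 # Read all users' full profiles
        "Directory.Read.All",                            # Read directory data
    },
    "Delegated": {"User.Read", "offline_access"},        # sign-in and token refresh
}

def resolve_app_roles(assignments, graph_app_roles):
    """Turn appRoleAssignment.appRoleId values into permission names."""
    by_id = {role["id"]: role["value"] for role in graph_app_roles}
    return {by_id.get(a["appRoleId"], "unresolved:" + a["appRoleId"]) for a in assignments}

def delegated_scopes(grants):
    """oauth2PermissionGrant.scope is one space-separated string per grant."""
    return {scope for g in grants for scope in g["scope"].split()}

def audit(assignments, graph_app_roles, grants):
    """Report grants the table does not list and listed permissions not granted."""
    granted = {"Application": resolve_app_roles(assignments, graph_app_roles),
               "Delegated": delegated_scopes(grants)}
    report = {"undocumented": [], "not_granted": []}
    for kind, documented in DOCUMENTED.items():
        report["undocumented"] += sorted(f"{kind}:{p}" for p in granted[kind] - documented)
        report["not_granted"] += sorted(f"{kind}:{p}" for p in documented - granted[kind])
    return report

# Constructed stand-in for the Microsoft Graph service principal's appRoles.
GRAPH_APP_ROLES = [
    {"id": f"00000000-0000-0000-0000-{i:012d}", "value": value}
    for i, value in enumerate(sorted(DOCUMENTED["Application"]) + ["Mail.Read"])
]
# Constructed tenant state: Group.ReadWrite.All was removed (the table allows
# this) and an application permission the table does not list was added.
SAMPLE_ASSIGNMENTS = [{"appRoleId": r["id"]} for r in GRAPH_APP_ROLES
                      if r["value"] != "Group.ReadWrite.All"]
SAMPLE_GRANTS = [{"consentType": "AllPrincipals", "scope": "User.Read offline_access"}]

if __name__ == "__main__":
    print(audit(SAMPLE_ASSIGNMENTS, GRAPH_APP_ROLES, SAMPLE_GRANTS))
```

An entry under `undocumented` is a grant the table gives no reason for and is worth questioning during a consent review. `Group.ReadWrite.All` under `not_granted` corresponds to the case the table describes, where user assignment is not possible.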

