Permission Guide

Understand the permissions needed for IntuneOffboarding.

Device.Read.All

Purpose: Allows the app to read your organization's device records in Entra ID (the device objects and their properties) on behalf of the signed-in user.

Use Case: Needed to look up device details in Entra ID, so the tool can match the Intune record to its directory object before offboarding.

DeviceManagementManagedDevices.PrivilegedOperations.All

Purpose: Enables the app to perform remote high-impact actions, such as a device wipe or passcode reset, on devices managed by Microsoft Intune.

Use Case: Crucial for the high-impact offboarding actions such as wiping a device. Plain deletion of the Intune device record is a lower-impact operation and is covered by the ReadWrite permission below, so an operator who only needs to remove records does not need this scope.

DeviceManagementManagedDevices.ReadWrite.All

Purpose: Grants the app read and write access to the properties of devices managed by Microsoft Intune, but not the high-impact remote actions above.

Use Case: Needed to update device properties, delete the Intune device record, and perform other lower-impact device management tasks.

DeviceManagementServiceConfig.Read.All

Purpose: Permits the app to read Microsoft Intune service configuration, including device enrollment settings and connections to third-party services.

Use Case: Necessary for identifying devices registered with Windows Autopilot. Note that this is a read-only permission: it covers looking up the Autopilot identity, while removing one would require the corresponding ReadWrite permission.

Directory.AccessAsUser.All

Purpose: Gives the app the same access to the directory as the signed-in user; it never grants more than the user already has.

Use Case: Essential for modifying or deleting device objects in Entra ID. Because the app acts as the user, the operator's own directory role still decides whether a deletion succeeds.

BitLockerKey.ReadBasic.All

Purpose: Enables the app to read basic properties of BitLocker recovery keys (for example the key ID, creation time and device ID), but not the recovery key itself.

Use Case: Lets the app list the recovery key IDs for a device, which is the prerequisite for fetching the key itself with the permission below.

BitLockerKey.Read.All

Purpose: Allows the app to read BitLocker recovery keys, including the key material itself.

Use Case: Required to fetch the actual recovery key by its ID (the $select=key query on the recovery key resource) so it can be saved before offboarding. This matters because the escrowed key lives on the Entra ID device object and is lost when that object is deleted; each key read is also recorded in the Entra ID audit log.

DeviceManagementApps.Read.All

Purpose: Authorizes the app to read Intune app management data and, with it, the Intune audit events.

Use Case: Enables monitoring and auditing of management operations, supporting security and compliance efforts.

OIDC scopes (openid, profile, email)

Purpose: These standard OpenID Connect scopes are included in most MSAL sign-in requests: openid requests an ID token that identifies the user, and profile and email add the corresponding claims to it.

Use Case: Ensures the signed-in user is reliably identified and that basic profile information is available to the app during sign-in.

offline_access

Purpose: Requests a refresh token, which MSAL uses to obtain new access tokens without prompting the user again.

Use Case: Especially important in single-page applications (SPAs), where it keeps the user signed in across page loads; without it, every expired access token would require a fresh interactive sign-in.
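As an added example (not IntuneOffboarding's own code), the following Node.js snippet performs a pre-flight check on the Microsoft Graph access token that MSAL hands back: it decodes the token payload, compares the delegated scopes in the scp claim against the permissions listed in this guide, and reports which offboarding steps would fail. The scope, claim and audience names are the real Microsoft Graph and Entra ID ones; the token itself is a constructed, unsigned sample, the operation descriptions are taken from the use cases above, and the check is a usability aid for the operator, not an authorization decision (Graph validates the signature and scopes itself).

```javascript
// Added example (not IntuneOffboarding's own code): pre-flight check that the Graph access
// token returned by MSAL carries the delegated scopes this guide lists. Runs on Node.js.

// Delegated Graph scopes from the guide, each paired with the operation that fails without it.
const REQUIRED_GRAPH_SCOPES = {
  "Device.Read.All": "read device records in Entra ID",
  "DeviceManagementManagedDevices.PrivilegedOperations.All": "wipe or retire Intune-managed devices",
  "DeviceManagementManagedDevices.ReadWrite.All": "update or delete Intune device records",
  "DeviceManagementServiceConfig.Read.All": "list Autopilot device identities",
  "Directory.AccessAsUser.All": "delete device objects in Entra ID",
  "BitLockerKey.ReadBasic.All": "list BitLocker recovery key IDs",
  "BitLockerKey.Read.All": "read the BitLocker recovery key itself",
  "DeviceManagementApps.Read.All": "read Intune audit events",
};

// OIDC scopes requested through MSAL; they can appear in scp but are not Graph permissions.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Microsoft Graph is identified in the aud claim by either its URL or its well-known app ID.
const GRAPH_AUDIENCES = new Set([
  "https://graph.microsoft.com",
  "00000003-0000-0000-c000-000000000000",
]);

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWS (header.payload.signature)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Reports missing scopes and the offboarding steps they block. Inspects claims only; it does
// not validate the signature, so treat the result as operator feedback, not as authorization.
function checkGraphScopes(token, now = Date.now()) {
  const payload = decodeJwtPayload(token);
  // Delegated permissions are a space-separated list in "scp". Application permissions would
  // appear in "roles" instead; a user-context SPA never holds those.
  const granted = new Set((payload.scp || "").split(" ").filter(Boolean));
  const missing = Object.keys(REQUIRED_GRAPH_SCOPES).filter((s) => !granted.has(s));
  const unexpected = [...granted].filter(
    (s) => !(s in REQUIRED_GRAPH_SCOPES) && !OIDC_SCOPES.has(s)
  );
  return {
    audienceIsGraph: GRAPH_AUDIENCES.has(payload.aud),
    expired: typeof payload.exp === "number" && payload.exp * 1000 <= now,
    missing,
    blockedOperations: missing.map((s) => REQUIRED_GRAPH_SCOPES[s]),
    unexpected,
  };
}

// Builds a constructed, unsigned sample token (alg "none", dummy signature) for this demo.
// Entra ID issues RS256-signed tokens; never accept an unsigned token anywhere that matters.
function makeSampleToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.unsigned`;
}

// Constructed sample: a consent grant that covers reading but not the high-impact scopes.
const SAMPLE_TOKEN = makeSampleToken({
  aud: "https://graph.microsoft.com",
  exp: Math.floor(Date.now() / 1000) + 3600,
  upn: "offboarding-admin@contoso.example",
  scp: [
    "openid", "profile", "email",
    "Device.Read.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementServiceConfig.Read.All",
    "BitLockerKey.ReadBasic.All",
    "User.Read",
  ].join(" "),
});

console.log(JSON.stringify(checkGraphScopes(SAMPLE_TOKEN), null, 2));
```

Run against the sample, the check reports four missing scopes (the PrivilegedOperations, Directory.AccessAsUser.All, BitLockerKey.Read.All and DeviceManagementApps.Read.All permissions), so the operator learns up front that wipe, Entra ID deletion, recovery key retrieval and audit log reads would fail, and that User.Read was granted although this guide does not need it. In the real app the token comes from acquireTokenSilent or acquireTokenPopup; run the check on that token before starting any destructive step.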