Permission Guide
Understand the permissions needed for IntuneOffboarding.
Device.Read.All
Purpose: This permission allows the app to read device configuration information within your organization as authorized by the signed-in user.
Use Case: It's essential for retrieving device details in Entra ID, aiding in device management and tracking.
DeviceManagementManagedDevices.PrivilegedOperations.All
Purpose: Enables the app to execute high-impact operations such as remote device wipe or passcode reset on devices managed through Microsoft Intune.
Use Case: Crucial for allowing the app to perform sensitive operations like device wiping or deletion.
DeviceManagementManagedDevices.ReadWrite.All
Purpose: Grants the app authority to read and modify the properties of devices managed by Microsoft Intune, short of executing high-impact operations (which require the separate PrivilegedOperations permission).
Use Case: Vital for updating or managing device settings within Intune and executing various lower-impact device management tasks.
DeviceManagementServiceConfig.Read.All
Purpose: Permits the app to access Microsoft Intune service configurations, including details about device enrollment and connections with third-party services.
Use Case: Necessary for identifying devices managed by Autopilot, facilitating seamless device integration and management.
Directory.AccessAsUser.All
Purpose: Lets the app act in the directory with the same level of access as the signed-in user, so its effective rights are bounded by that user's own permissions.
Use Case: Essential for operations that involve modifying or deleting device entries in Entra ID, aligning app capabilities with user permissions.
BitLockerKey.ReadBasic.All
Purpose: Enables the app to access basic information about BitLocker recovery keys.
Use Case: Allows the app to retrieve identifiers for BitLocker recovery keys, necessary for subsequent operations involving these keys.
BitLockerKey.Read.All
Purpose: Allows the app to read detailed information about BitLocker recovery keys.
Use Case: Required to fetch the actual BitLocker recovery keys using their identifiers, facilitating device security management.
DeviceManagementApps.Read.All
Purpose: Authorizes the app to read Intune app management and audit logs.
Use Case: Enables monitoring and auditing of app management operations, supporting security and compliance efforts.
OIDC Scopes (openid, profile, email)
Purpose: These are standard scopes included in most authentication requests via MSAL to verify user identity and provide essential user profile information.
Use Case: Identifies the signed-in user and supplies basic profile claims (such as name and email address) during the sign-in process.
offline_access
Purpose: This scope is used to obtain refresh tokens, which are vital for maintaining the authentication state and session continuity.
Use Case: Especially important in single-page applications (SPAs) to enable users to remain signed in and maintain their session without needing to repeatedly authenticate.
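As an added example (not part of this guide or the IntuneOffboarding project's own code), the following JavaScript checks a delegated permission grant against the scopes listed above, so an administrator reviewing consent can see which documented scopes are missing, which undocumented scopes have crept in, and which granted scopes are high-impact. It assumes the input is the space-separated scope string that Microsoft Graph returns on an oauth2PermissionGrant object; the sample grant string and the high-impact classification are constructed for illustration.

```javascript
// Added example: audit the delegated scopes consented to IntuneOffboarding
// against the permissions this guide documents. Not the project's own code.

// Every scope the guide above lists.
const DOCUMENTED_SCOPES = new Set([
  "Device.Read.All",
  "DeviceManagementManagedDevices.PrivilegedOperations.All",
  "DeviceManagementManagedDevices.ReadWrite.All",
  "DeviceManagementServiceConfig.Read.All",
  "Directory.AccessAsUser.All",
  "BitLockerKey.ReadBasic.All",
  "BitLockerKey.Read.All",
  "DeviceManagementApps.Read.All",
  "openid",
  "profile",
  "email",
  "offline_access",
]);

// Documented scopes that deserve a second look during a consent review:
// they allow destructive device actions, act with the full rights of the
// signed-in user, or expose recovery secrets. This grouping is the example's
// own judgement, not a classification made by Microsoft or the project.
const HIGH_IMPACT_SCOPES = new Set([
  "DeviceManagementManagedDevices.PrivilegedOperations.All",
  "Directory.AccessAsUser.All",
  "BitLockerKey.Read.All",
]);

// Split the space-separated `scope` string of an oauth2PermissionGrant
// into individual scope names, ignoring stray whitespace.
function parseScopeString(scope) {
  return scope.split(/\s+/).filter((s) => s.length > 0);
}

// Compare a consented scope string with the documented list and return
// what is granted, what is unexpected, what is missing, and what is high-impact.
function auditGrant(scopeString) {
  const granted = parseScopeString(scopeString);
  const unexpected = granted.filter((s) => !DOCUMENTED_SCOPES.has(s));
  const missing = [...DOCUMENTED_SCOPES].filter((s) => !granted.includes(s));
  const highImpact = granted.filter((s) => HIGH_IMPACT_SCOPES.has(s));
  return { granted, unexpected, missing, highImpact };
}

// Constructed sample grant: one scope the guide does not mention has been
// added (User.ReadWrite.All) and one documented scope is absent
// (DeviceManagementApps.Read.All).
const SAMPLE_GRANT_SCOPE =
  "openid profile email offline_access Device.Read.All " +
  "DeviceManagementManagedDevices.PrivilegedOperations.All " +
  "DeviceManagementManagedDevices.ReadWrite.All " +
  "DeviceManagementServiceConfig.Read.All Directory.AccessAsUser.All " +
  "BitLockerKey.ReadBasic.All BitLockerKey.Read.All User.ReadWrite.All";

// Render the audit as a short report for a reviewer.
function formatReport(scopeString) {
  const result = auditGrant(scopeString);
  const lines = [
    `Granted scopes: ${result.granted.length}`,
    `Unexpected (not in guide): ${result.unexpected.join(", ") || "none"}`,
    `Missing (documented but not granted): ${result.missing.join(", ") || "none"}`,
    `High-impact scopes present: ${result.highImpact.join(", ") || "none"}`,
  ];
  return lines.join("\n");
}

console.log(formatReport(SAMPLE_GRANT_SCOPE));
```

Run it with node; the report flags User.ReadWrite.All as outside the documented set and lists the three high-impact scopes, which is the cue to confirm that each is still needed before re-consenting.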