Permissions

CSM for Intune requires two individually registered Azure AD enterprise applications to be granted consent with specific permissions to the Intune tenant.

Centero Azure AD Connector:

  • Reads Azure AD users, devices and groups in the customer's tenant.
  • Requires the customer's Azure AD administrator (Global Administrator) to consent to the application permissions.
  • Is used by Centero Portal to verify that the customer's user is allowed to link the tenant to CSM for Intune.
    • The customer's user signed in to the Centero Portal must be either a Global Administrator or added as a member of the Centero Azure AD Connector enterprise application.
  • Requires the following permissions to the customer's tenant:

| API name | Permissions | Description | Type | Granted through |
|---|---|---|---|---|
| Microsoft Graph | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Application | Admin consent |
| Windows Azure Active Directory | Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Delegated | Admin consent or User consent |


CSM for Intune:

  • Manages Intune apps and deployments.
  • Requires the customer's Azure AD administrator (Global Administrator) to consent to the application permissions.
  • Requires the following permissions to the customer's tenant:

| API name | Permissions | Description | Type | Granted through |
|---|---|---|---|---|
| Microsoft Graph | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Application | Admin consent |
| Microsoft Graph | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. | Application | Admin consent |
| Microsoft Graph | Read organization information | Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Application | Admin consent |
| Windows Azure Active Directory | Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Delegated | Admin consent or User consent |

CSM For Intune Application Groups:

  • Manages memberships of devices to specified groups.

| API name | Permissions | Description | Type | Granted through |
|---|---|---|---|---|
| Microsoft Graph | Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Delegated | Admin consent |
| Microsoft Graph | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user. | Application | Admin consent |
| Microsoft Graph | Read all devices | Allows the app to read your organization's devices' configuration information without a signed-in user. | Application | Admin consent |
| Microsoft Graph | Read and write all groups | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user. | Application | Admin consent |
| Microsoft Graph | Read Microsoft Intune apps | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | Application | Admin consent |
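
The permission lists above can serve as a baseline when reviewing what has actually been consented in the tenant. The following is an added example, not Centero's code: it compares the grants recorded for one enterprise application with the set documented on this page. The record format (`api`, `permission`, `type`) and the sample grants are constructed assumptions.

```python
# Baseline transcribed from the permission lists on this page:
# enterprise application -> {(API name, permission, type)}
GRAPH, AAD = "Microsoft Graph", "Windows Azure Active Directory"
DOCUMENTED = {
    "Centero Azure AD Connector": {
        (GRAPH, "Read directory data", "Application"),
        (AAD, "Sign in and read user profile", "Delegated"),
    },
    "CSM for Intune": {
        (GRAPH, "Read and write Microsoft Intune apps", "Application"),
        (GRAPH, "Read Microsoft Intune devices", "Application"),
        (GRAPH, "Read organization information", "Application"),
        (AAD, "Sign in and read user profile", "Delegated"),
    },
    "CSM For Intune Application Groups": {
        (GRAPH, "Sign in and read user profile", "Delegated"),
        (GRAPH, "Read Microsoft Intune devices", "Application"),
        (GRAPH, "Read all devices", "Application"),
        (GRAPH, "Read and write all groups", "Application"),
        (GRAPH, "Read Microsoft Intune apps", "Application"),
    },
}

def _key(api, permission, ptype):
    # Normalise case and spacing so cosmetic differences do not count as drift.
    return tuple(" ".join(s.split()).casefold() for s in (api, permission, ptype))

def audit(app, grants):
    """Report grants beyond, or missing from, the documented set for one app."""
    expected = {_key(*p): p for p in DOCUMENTED[app]}
    actual = {_key(g["api"], g["permission"], g["type"]): g for g in grants}
    unexpected = sorted(g["permission"] for k, g in actual.items() if k not in expected)
    missing = sorted(p[1] for k, p in expected.items() if k not in actual)
    # App-only write access works without a signed-in user, so list it for review.
    app_only_write = sorted(
        g["permission"] for g in actual.values()
        if g["type"].casefold() == "application" and "write" in g["permission"].casefold())
    return {"unexpected": unexpected, "missing": missing, "app_only_write": app_only_write}

# Constructed sample: one extra app-only grant, one documented grant absent.
SAMPLE_GRANTS = [
    {"api": GRAPH, "permission": "Read and write Microsoft Intune apps", "type": "Application"},
    {"api": GRAPH, "permission": "Read Microsoft Intune devices", "type": "application"},
    {"api": GRAPH, "permission": "Read organization information", "type": "Application"},
    {"api": GRAPH, "permission": "Read and write directory data", "type": "Application"},
]

if __name__ == "__main__":
    print(audit("CSM for Intune", SAMPLE_GRANTS))
```

Anything reported under `unexpected` is access beyond what this page documents and should be traced to the consent event that granted it.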