Permissions required for CSM for Intune to function

CSM for Intune requires two individual registered Azure AD enterprise applications to be consented with specific permissions to Intune tenant.

Centero Azure AD Connector:

  • Reads Azure AD users, devices and groups in the customers tenant.
  • Requires customers Azure AD administrator (Global Administrator) to consent the application permissions.
  • Is used by Centero Portal to  verify that Customer's User is allowed to link the tenant to CSM for Intune.
    • The Customer's user signed in the Centero Portal must be either Global Administartor or added as a member to Centero Azure AD Connector Enterprise application.
  • Requires the following permissions to Customers tenant:

API name

Permissons

Type

Granted trough

Microsoft Graph

Read directory data

Application

Admin consent

Windows Azure Active Directory

Sign in and read user profile

Delegated

Admin consent or User consent

CSM for Intune

  • Manages Intune apps and deployments.
  • Requires customers Azure AD administrator (Global Administrator) to consent the application permissions.
  • Requires the following permissions to Customers tenant:

API name

Permissons

Type

Granted trough

Microsoft Graph

Read and write Microsoft Intune apps

Application

Admin consent

Microsoft Graph

Read Microsoft Intune devices

Application

Admin consent

Microsoft Graph

Read organization information

Application

Admin consent

Windows Azure Active Directory

Sign in and read user profile

Delegated

Admin consent or User consent