Table of Contents

DeviceManagementManagedDevices.PrivilegedOperations.All

Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the DeviceManagementManagedDevices.PrivilegedOperations.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category Application Delegated
Identifier 5b07b0dd-2377-4e44-a38d-703f09a0dc3c 3404d2bf-2b13-457e-a330-c24615765193
DisplayText Perform user-impacting remote actions on Microsoft Intune devices Perform user-impacting remote actions on Microsoft Intune devices
Description Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user. Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.
AdminConsentRequired Yes Yes

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: hardwarePasswordDetail

Property Type Description
id String The unique identifier for the managed device. This ID is assigned at enrollment time. This is different than the Entra device ID, this one is for the managedDevice object itself. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only.
serialNumber String The device serial number as defined by the device manufacturer. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only.
currentPassword String The current device's BIOS password. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only.
previousPasswords String collection The list of all the previous device BIOS passwords. Supports: $filter, $select, $top, $skip. This property is read-only.