DeviceManagementManagedDevices.PrivilegedOperations.All
Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.
Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.
These permissions aren't supported for personal Microsoft accounts.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
DeviceManagementManagedDevices.PrivilegedOperations.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | 5b07b0dd-2377-4e44-a38d-703f09a0dc3c | 3404d2bf-2b13-457e-a330-c24615765193 |
| DisplayText | Perform user-impacting remote actions on Microsoft Intune devices | Perform user-impacting remote actions on Microsoft Intune devices |
| Description | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user. | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- hardwarePasswordDetail
- bulkManagedDeviceActionResult
- configurationManagerAction
- intune-devices-manageddeviceremoteaction
- intune-devices-obliterationbehavior
- updateWindowsDeviceAccountActionParameter
Graph reference: hardwarePasswordDetail
| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier for the managed device. This ID is assigned at enrollment time. This is different than the Entra device ID, this one is for the managedDevice object itself. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only. |
| serialNumber | String | The device serial number as defined by the device manufacturer. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only. |
| currentPassword | String | The current device's BIOS password. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only. |
| previousPasswords | String collection | The list of all the previous device BIOS passwords. Supports: $filter, $select, $top, $skip. This property is read-only. |