DeviceManagementManagedDevices.PrivilegedOperations.All
Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.
Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.
These permissions aren't supported for personal Microsoft accounts.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the DeviceManagementManagedDevices.PrivilegedOperations.All permission. If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant.
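Because this permission allows wipe, passcode reset and reading of BIOS and local admin passwords, it is worth checking on its own rather than only in a full consent report. The following script is an added example, not code from this page or from the MSIdentityTools module; it uses the Microsoft Graph PowerShell SDK to list every app that holds the permission, either as an application permission (app role assignment on the Microsoft Graph service principal, matched on the Application identifier from the table below) or as a delegated permission (OAuth2 permission grant whose scope contains the permission name). The read-only scopes requested for the caller and the output file name are assumptions.

```powershell
# Added example (not from the page): audit which apps hold
# DeviceManagementManagedDevices.PrivilegedOperations.All in the tenant.
# Requires the Microsoft.Graph PowerShell SDK. The scopes below are an assumed
# least-privilege choice for reading service principals and consent grants.

$permissionName = 'DeviceManagementManagedDevices.PrivilegedOperations.All'
$appRoleId      = '5b07b0dd-2377-4e44-a38d-703f09a0dc3c'   # Application identifier of this permission
$graphAppId     = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# The Microsoft Graph service principal in this tenant; app role assignments are attached to it.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Application permission: app role assignments on the Graph SP with this role id.
$appGrants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $appRoleId } |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.PrincipalDisplayName
            PrincipalId = $_.PrincipalId
            Type        = 'Application'
            ConsentedBy = 'Admin'
            Granted     = $_.CreatedDateTime
        }
    }

# Delegated permission: OAuth2 grants whose space-separated scope list contains the name.
$delegatedGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and (($_.Scope -split ' ') -contains $permissionName) } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            Principal   = $client.DisplayName
            PrincipalId = $_.ClientId
            Type        = 'Delegated'
            ConsentedBy = if ($_.ConsentType -eq 'AllPrincipals') { 'Admin (all users)' } else { "User $($_.PrincipalId)" }
            Granted     = $null   # oAuth2PermissionGrant carries no creation timestamp
        }
    }

$report = @($appGrants) + @($delegatedGrants)
if ($report.Count -eq 0) {
    Write-Host "No app in this tenant holds $permissionName."
} else {
    $report | Sort-Object Type, Principal | Format-Table -AutoSize
    # Assumed output path; keep the CSV with the rest of the audit evidence.
    $report | Export-Csv -Path '.\PrivilegedOperations-grants.csv' -NoTypeInformation
}
```

Application grants are the higher-risk set, since they work without a signed-in user; each principal listed there should map to a known, still-needed integration. Delegated grants with ConsentType AllPrincipals were admin-consented for every user and deserve the same scrutiny.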
| Category | Application | Delegated |
|---|---|---|
| Identifier | 5b07b0dd-2377-4e44-a38d-703f09a0dc3c | 3404d2bf-2b13-457e-a330-c24615765193 |
| DisplayText | Perform user-impacting remote actions on Microsoft Intune devices | Perform user-impacting remote actions on Microsoft Intune devices |
| Description | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user. | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- hardwarePasswordDetail
- bulkManagedDeviceActionResult
- configurationManagerAction
- deviceAssignmentItem
- macOSManagedDeviceLocalAdminAccountDetail
- intune-devices-manageddeviceremoteaction
- intune-devices-obliterationbehavior
- updateWindowsDeviceAccountActionParameter
Graph reference: hardwarePasswordDetail
| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier for the managed device, assigned at enrollment time. It is distinct from the Entra device ID: this one identifies the managedDevice object itself. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only. |
| serialNumber | String | The device serial number as defined by the device manufacturer. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only. |
| currentPassword | String | The current device's BIOS password. Supports: $filter, $select, $top, $OrderBy, $skip. This property is read-only. |
| previousPasswords | String collection | The list of all the previous device BIOS passwords. Supports: $filter, $select, $top, $skip. This property is read-only. |
Graph reference: bulkManagedDeviceActionResult
| Property | Type | Description |
|---|---|---|
| successfulDeviceIds | String collection | Successful devices |
| failedDeviceIds | String collection | Failed devices |
| notFoundDeviceIds | String collection | Not found devices |
| notSupportedDeviceIds | String collection | Not supported devices |
Graph reference: configurationManagerAction
| Property | Type | Description |
|---|---|---|
| action | configurationManagerActionType | The action type to trigger on Configuration Manager client. Possible values are: refreshMachinePolicy, refreshUserPolicy, wakeUpClient, appEvaluation, quickScan, fullScan, windowsDefenderUpdateSignatures. |
Graph reference: deviceAssignmentItem
| Property | Type | Description |
|---|---|---|
| itemId | String | The unique identifier for the application or configuration. ItemId is a required property that must be set in the action POST request parameter for the DeviceAssignmentItem to be removed. Max length is 40. |
| itemType | deviceAssignmentItemType | Indicates the application or configuration type. ItemType is a required property that must be set in the action POST request parameter for the DeviceAssignmentItem to be removed. Possible values are: application, deviceConfiguration, deviceManagementConfigurationPolicy, mobileAppConfiguration, unknownFutureValue. The default value is application. |
| itemSubTypeDisplayName | String | Indicates the specific type for the application or configuration. For example, unknown, application, appConfiguration, exploitProtection, bitLocker, deviceControl, microsoftEdgeBaseline, attackSurfaceReductionRulesConfigMgr, endpointDetectionandResponse, windowsUpdateforBusiness, microsoftDefenderFirewallRules, applicationControl, microsoftDefenderAntivirusexclusions, microsoftDefenderAntivirus, wiredNetwork, derivedPersonalIdentityVerificationCredential, windowsHealthMonitoring, extensions, mxProfileZebraOnly, deviceFirmwareConfigurationInterface, deliveryOptimization, identityProtection, kiosk, overrideGroupPolicy, domainJoinPreview, pkcsImportedCertificate, networkBoundary, endpointProtection, microsoftDefenderAtpWindows10Desktop, sharedMultiUserDevice, deviceFeatures, secureAssessmentEducation, wiFiImport, editionUpgradeAndModeSwitch, vpn, custom, softwareUpdates, deviceRestrictionsWindows10Team, email, trustedCertificate, scepCertificate, emailSamsungKnoxOnly, pkcsCertificate, deviceRestrictions, wiFi, settingsCatalog. Returned in the action result; automatically populated from the action result and cannot be modified. Default value is null. Max length is 200. This property is read-only. |
| itemDisplayName | String | The display name of the application or configuration. Returned in the action result; automatically populated from the action result and cannot be modified. Default value is null. Max length is 200. This property is read-only. |
| assignmentItemActionIntent | deviceAssignmentItemIntent | Indicates the IT admin's intent for the application or configuration when executing this action on the managed device. The intent must be set to the default value, remove, in the action POST request parameter. An application or configuration removed by a previous action but not included in the current action is reported with the intent restore in the action result. Possible values are: remove, restore, unknownFutureValue. The default value is remove. This property is read-only. |
| assignmentItemActionStatus | deviceAssignmentItemStatus | Indicates the live status of the executed action for the application or configuration on the managed device. Returned in the action result. Possible values are: initiated, inProgress, removed, error, succeeded, unknownFutureValue. The default value is initiated. This property is read-only. |
| intentActionMessage | String | The intent action message for the application or configuration regarding the executed action on the managed device. When the action is in error, this property gives the reason for the failure; when the action is in progress, it describes what is being processed on the device. Returned in the action result. Can be null. Max length is 1500. This property is read-only. |
| errorCode | Int64 | The error code for a failed action on the application or configuration on the managed device. Returned in the action result. 0 is the default value and indicates no failure. Valid values -9.22337203685478E+18 to 9.22337203685478E+18. This property is read-only. |
| lastActionDateTime | DateTimeOffset | The date and time when an action was initiated for the application or configuration. Returned in the action result; automatically populated when the action is initiated and cannot be modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2025 would look like this: '2025-01-01T00:00:00Z'. This property is read-only. |
| lastModifiedDateTime | DateTimeOffset | The date and time when the application or configuration was last modified because of either action execution or a status change. Returned in the action result; automatically populated when the action is initiated or the device reports a status change, and cannot be modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2025 would look like this: '2025-01-01T00:00:00Z'. This property is read-only. |
Graph reference: macOSManagedDeviceLocalAdminAccountDetail
| Property | Type | Description |
|---|---|---|
| adminAccountPassword | String | The local administrator account password for the macOS device. This password is auto-generated, 15 characters by default, and unique for each device. The auto-generated password is created when the device is enrolled through the Automated Device Enrollment process. Read-only. |
| passwordLastRotatedDateTime | DateTimeOffset | The timestamp when the admin account password was last rotated. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like '2014-01-01T00:00:00Z'. Read-only. |
Graph reference: intune-devices-manageddeviceremoteaction
Graph reference: intune-devices-obliterationbehavior
Graph reference: updateWindowsDeviceAccountActionParameter
| Property | Type | Description |
|---|---|---|
| deviceAccount | windowsDeviceAccount | |
| passwordRotationEnabled | Boolean | |
| calendarSyncEnabled | Boolean | |
| deviceAccountEmail | String | |
| exchangeServer | String | |
| sessionInitiationProtocalAddress | String | |