DeviceManagementRBAC.ReadWrite.All
Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.
Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.
These permissions aren't supported for personal Microsoft accounts.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
DeviceManagementRBAC.ReadWrite.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | e330c4f0-4170-414e-a55a-2f022ec2b57b | 0c5e8a55-87a6-4556-93ab-adc52c4d862d |
| DisplayText | Read and write Microsoft Intune RBAC settings | Read and write Microsoft Intune RBAC settings |
| Description | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- tenantAttachRBACState
- deviceAndAppManagementAssignedRoleDetails
- deviceAndAppManagementRoleAssignment
- deviceAndAppManagementRoleDefinition
- identitySet
- operationApprovalPolicy
- intune-rbac-operationapprovalpolicyplatform
- operationApprovalPolicySet
- intune-rbac-operationapprovalpolicytype
- operationApprovalRequest
- intune-rbac-operationapprovalrequeststatus
- rbacApplicationMultiple
- resourceOperation
- roleAssignment
- intune-rbac-roleassignmentscopetype
- roleDefinition
- roleManagement
- rolePermission
- roleScopeTag
- roleScopeTagAutoAssignment
- deviceAndAppManagementAssignmentTarget
- unifiedRoleAssignment
- unifiedRoleAssignmentMultiple
- unifiedRoleDefinition
- unifiedRolePermission
Graph reference: tenantAttachRBACState
| Property | Type | Description |
|---|---|---|
| enabled | Boolean | Indicates whether the tenant is enabled for Tenant Attach with role management. TRUE if enabled, FALSE if the Tenant Attach with rolemanagement is disabled. |
Graph reference: deviceAndAppManagementAssignedRoleDetails
| Property | Type | Description |
|---|---|---|
| roleDefinitionIds | String collection | Role Definition IDs for the specifc Role Definitions assigned to a user. This property is read-only. |
| roleAssignmentIds | String collection | Role Assignment IDs for the specifc Role Assignments assigned to a user. This property is read-only. |
Graph reference: deviceAndAppManagementRoleAssignment
| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier of the request. This ID is assigned at when the entity is created. Read-only. Inherited from roleAssignment |
| displayName | String | Indicates the display name of the role assignment. For example: 'Houston administrators and users'. Max length is 128 characters. Inherited from roleAssignment |
| description | String | Indicates the description of the role assignment. For example: 'All administrators, employees and scope tags associated with the Houston office.' Max length is 1024 characters. Inherited from roleAssignment |
| resourceScopes | String collection | Indicates the list of resource scope security group Entra IDs. For example: {dec942f4-6777-4998-96b4-522e383b08e2}. Inherited from roleAssignment |
| members | String collection | Indicates the list of role member security group Entra IDs. For example: {dec942f4-6777-4998-96b4-522e383b08e2}. |
Graph reference: deviceAndAppManagementRoleDefinition
| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. Inherited from roleDefinition |
| displayName | String | Display Name of the Role definition. Inherited from roleDefinition |
| description | String | Description of the Role definition. Inherited from roleDefinition |
| rolePermissions | rolePermission collection | List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission. Inherited from roleDefinition |
| isBuiltIn | Boolean | Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition. Inherited from roleDefinition |
Graph reference: identitySet
| Property | Type | Description |
|---|---|---|
| application | identity | The Identity of the Application. This property is read-only. |
| device | identity | The Identity of the Device. This property is read-only. |
| user | identity | The Identity of the User. This property is read-only. |
Graph reference: operationApprovalPolicy
| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier of the policy. This ID is assigned at when the policy is created. Read-only. This property is read-only. |
| displayName | String | Indicates the display name of the policy. Maximum length of the display name is 128 characters. This property is required when the policy is created, and is defined by the IT Admins to identify the policy. |
| description | String | Indicates the description of the policy. Maximum length of the description is 1024 characters. This property is not required, but can be used by the IT Admin to describe the policy. |
| lastModifiedDateTime | DateTimeOffset | Indicates the last DateTime that the policy was modified. The value cannot be modified and is automatically populated whenever values in the request are updated. For example, when the 'policyType' property changes from apps to scripts. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only. |
| policyType | operationApprovalPolicyType | The policy type for the OperationApprovalPolicy. Possible values are: unknown, app, script, operationApprovalPolicy. Possible values are: unknown, deviceAction, deviceWipe, deviceRetire, deviceRetireNonCompliant, deviceDelete, deviceLock, deviceErase, deviceDisableActivationLock, windowsEnrollment, compliancePolicy, configurationPolicy, appProtectionPolicy, policySet, filter, endpointSecurityPolicy, app, script, role, deviceResetPasscode, unknownFutureValue, operationApprovalPolicy, autopilot, windows365, deviceEnrollment, deviceUpdate, enrollmentRestriction, tenantConfiguration, tunnel, endpointPrivilegeManagement, deviceSecurityAction. |
| policyPlatform | operationApprovalPolicyPlatform | Indicates the applicable platform for the policy. Possible values are: notApplicable, androidDeviceAdministrator, androidEnterprise, iOSiPadOS, macOS, windows10AndLater, windows81AndLater, windows10X. Default value is notApplicable. Possible values are: notApplicable, androidDeviceAdministrator, androidEnterprise, iOSiPadOS, macOS, windows10AndLater, windows81AndLater, windows10X, unknownFutureValue. |
| policySet | operationApprovalPolicySet | Indicates areas of the Intune UX that could support MAA UX for the current logged in IT Admin. This property is required, and is defined by the IT Admins in order to correctly show the expected experience. |
| approverGroupIds | String collection | The Microsoft Entra ID (Azure AD) security group IDs for the approvers for the policy. This property is required when the policy is created, and is defined by the IT Admins to define the possible approvers for the policy. |
Graph reference: intune-rbac-operationapprovalpolicyplatform
Graph reference: operationApprovalPolicySet
| Property | Type | Description |
|---|---|---|
| policyType | operationApprovalPolicyType | The policy type for the OperationApprovalPolicy. This property is required when the policy set is created, and uniquely identifies areas of the Intune UX that could support MAA when used in conjection with the policyPlatform property. Possible values are: unknown, app, script, operationApprovalPolicy. Read-only. This property is read-only. Possible values are: unknown, deviceAction, deviceWipe, deviceRetire, deviceRetireNonCompliant, deviceDelete, deviceLock, deviceErase, deviceDisableActivationLock, windowsEnrollment, compliancePolicy, configurationPolicy, appProtectionPolicy, policySet, filter, endpointSecurityPolicy, app, script, role, deviceResetPasscode, unknownFutureValue, operationApprovalPolicy, autopilot, windows365, deviceEnrollment, deviceUpdate, enrollmentRestriction, tenantConfiguration, tunnel, endpointPrivilegeManagement, deviceSecurityAction. |
| policyPlatform | operationApprovalPolicyPlatform | The applicable platform(s) for the OperationApprovalPolicy. This property is required when the policy set is created, and uniquely identifies the platform(s) that could support MAA when used in conjection with the policyType property. Possible values are: notApplicable, androidDeviceAdministrator, androidEnterprise, iOSiPadOS, macOS, windows10AndLater, windows81AndLater, windows10X. Read-only. This property is read-only. Possible values are: notApplicable, androidDeviceAdministrator, androidEnterprise, iOSiPadOS, macOS, windows10AndLater, windows81AndLater, windows10X, unknownFutureValue. |
Graph reference: intune-rbac-operationapprovalpolicytype
Graph reference: operationApprovalRequest
| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier of the request. This ID is assigned at when the request is created. Read-only. |
| requestDateTime | DateTimeOffset | Indicates the DateTime that the request was made. The value cannot be modified and is automatically populated when the request is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only. |
| expirationDateTime | DateTimeOffset | Indicates the DateTime when any action on the approval request is no longer permitted. The value cannot be modified and is automatically populated when the request is created using expiration offset values defined in the service controllers. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only. |
| lastModifiedDateTime | DateTimeOffset | Indicates the last DateTime that the request was modified. The value cannot be modified and is automatically populated whenever values in the request are updated. For example, when the 'status' property changes from needsApproval to approved. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only. |
| requestor | identitySet | The identity of the requestor as an Identity Set. Optionally contains the application ID, the device ID and the User ID. See information about this type here: https://learn.microsoft.com/graph/api/resources/identityset?view=graph-rest-1.0. Read-only. This property is read-only. |
| approver | identitySet | The identity of the approver as an Identity Set. Optionally contains the application ID, the device ID and the User ID. See information about this type here: https://learn.microsoft.com/graph/api/resources/identityset?view=graph-rest-1.0. Read-only. This property is read-only. |
| status | operationApprovalRequestStatus | The current approval status of the request. Possible values are: unknown, needsApproval, approved, rejected, cancelled, completed, expired. Default value is unknown. Read-only. This property is read-only. Possible values are: unknown, needsApproval, approved, rejected, cancelled, completed, expired, unknownFutureValue. |
| requestJustification | String | Indicates the justification for creating the request. Maximum length of justification is 1024 characters. For example: 'Needed for Feb 2023 application baseline updates.' Read-only. This property is read-only. |
| approvalJustification | String | Indicates the justification for approving or rejecting the request. Maximum length of justification is 1024 characters. For example: 'Approved per Change 23423 - needed for Feb 2023 application baseline updates.' Read-only. This property is read-only. |
| requiredOperationApprovalPolicyTypes | operationApprovalPolicyType collection | Indicates the approval policy types required by the request in order for the request to be approved or rejected. Read-only. This property is read-only. |
Graph reference: intune-rbac-operationapprovalrequeststatus
Graph reference: rbacApplicationMultiple
| Property | Type | Description |
|---|
Graph reference: resourceOperation
| Property | Type | Description |
|---|---|---|
| id | String | Key of the Resource Operation. Read-only, automatically generated. |
| resourceName | String | Name of the Resource this operation is performed on. |
| actionName | String | Type of action this operation is going to perform. The actionName should be concise and limited to as few words as possible. |
| description | String | Description of the resource operation. The description is used in mouse-over text for the operation when shown in the Azure Portal. |
Graph reference: roleAssignment
| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier of the request. This ID is assigned at when the entity is created. Read-only. |
| displayName | String | Indicates the display name of the role assignment. For example: 'Houston administrators and users'. Max length is 128 characters. |
| description | String | Indicates the description of the role assignment. For example: 'All administrators, employees and scope tags associated with the Houston office.' Max length is 1024 characters. |
| resourceScopes | String collection | Indicates the list of resource scope security group Entra IDs. For example: {dec942f4-6777-4998-96b4-522e383b08e2}. |
Graph reference: intune-rbac-roleassignmentscopetype
Graph reference: roleDefinition
| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. |
| displayName | String | Display Name of the Role definition. |
| description | String | Description of the Role definition. |
| rolePermissions | rolePermission collection | List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission. |
| isBuiltIn | Boolean | Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition. |
Graph reference: roleManagement
| Property | Type | Description |
|---|---|---|
| id | String |
Graph reference: rolePermission
| Property | Type | Description |
|---|---|---|
| resourceActions | resourceAction collection | Resource Actions each containing a set of allowed and not allowed permissions. |
Graph reference: roleScopeTag
| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. This property is read-only. |
| displayName | String | The display or friendly name of the Role Scope Tag. |
| description | String | Description of the Role Scope Tag. |
| isBuiltIn | Boolean | Description of the Role Scope Tag. This property is read-only. |
Graph reference: roleScopeTagAutoAssignment
| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This property is read-only. |
| target | deviceAndAppManagementAssignmentTarget | The auto-assignment target for the specific Role Scope Tag. |
Graph reference: deviceAndAppManagementAssignmentTarget
Graph reference: unifiedRoleAssignment
| Property | Type | Description |
|---|---|---|
| appScopeId | String | Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997. Supports $filter (eq, in). For example, /roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'. |
| directoryScopeId | String | Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports $filter (eq, in). |
| id | String | The unique identifier for the unifiedRoleAssignment. Key, not nullable, Read-only. |
| principalId | String | Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports $filter (eq, in). |
| roleDefinitionId | String | Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq, in). |
Graph reference: unifiedRoleAssignmentMultiple
| Property | Type | Description |
|---|---|---|
| appScopeIds | String collection | Ids of the app specific scopes when the assignment scopes are app specific. The scopes of an assignment determine the set of resources for which the principal has access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. App scopes are scopes that are defined and understood by this application only. |
| description | String | Description of the role assignment. |
| directoryScopeIds | String collection | Ids of the directory objects that represent the scopes of the assignment. The scopes of an assignment determine the set of resources for which the principals have been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. App scopes are scopes that are defined and understood by this application only. |
| displayName | String | Name of the role assignment. Required. |
| id | String | The unique identifier for the unifiedRoleAssignmentMultiple object. Key, not nullable, Read-only. |
| principalIds | String collection | Identifiers of the principals to which the assignment is granted. Supports $filter (any operator only). |
| roleDefinitionId | String | Identifier of the unifiedRoleDefinition the assignment is for. |
Graph reference: unifiedRoleDefinition
| Property | Type | Description |
|---|---|---|
| description | String | The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true. |
| displayName | String | The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq, in). |
| id | String | The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (eq, in). |
| isBuiltIn | Boolean | Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (eq, in). |
| isEnabled | Boolean | Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true. |
| resourceScopes | String collection | List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment. |
| rolePermissions | unifiedRolePermission collection | List of permissions included in the role. Read-only when isBuiltIn is true. Required. |
| templateId | String | Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories. |
| version | String | Indicates version of the role definition. Read-only when **i |
Graph reference: unifiedRolePermission
| Property | Type | Description |
|---|---|---|
| allowedResourceActions | String collection | Set of tasks that can be performed on a resource. Required. |
| condition | String | Optional constraints that must be met for the permission to be effective. Not supported for custom roles. |
| excludedResourceActions | String collection | Set of tasks that may not be performed on a resource. Not yet supported. |