DeviceManagementScripts.ReadWrite.All

Allows the app to read and write Microsoft Intune device compliance scripts, device management scripts, device shell scripts, device custom attribute shell scripts and device health scripts on behalf of the signed in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the DeviceManagementScripts.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	9255e99d-faf5-445e-bbf7-cb71482737c4	8b9d79d0-ad75-4566-8619-f7500ecfcebe
DisplayText	Read and write Microsoft Intune Scripts	Read and write Microsoft Intune Scripts
Description	Allows the app to read and write Microsoft Intune device compliance scripts, device management scripts, device shell scripts, device custom attribute shell scripts and device health scripts, without a signed-in user.	Allows the app to read and write Microsoft Intune device compliance scripts, device management scripts, device shell scripts, device custom attribute shell scripts and device health scripts on behalf of the signed in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /deviceManagement/deviceComplianceScripts/{deviceComplianceScriptId}
	DELETE /deviceManagement/deviceCustomAttributeShellScripts/{deviceCustomAttributeShellScriptId}
	DELETE /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}
	DELETE /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}
	DELETE /deviceManagement/deviceShellScripts/{deviceShellScriptId}
	GET /deviceManagement/deviceComplianceScripts
	GET /deviceManagement/deviceComplianceScripts/{deviceComplianceScriptId}
	GET /deviceManagement/deviceComplianceScripts/{deviceComplianceScriptId}/assignments
	GET /deviceManagement/deviceCustomAttributeShellScripts
	GET /deviceManagement/deviceCustomAttributeShellScripts/{deviceCustomAttributeShellScriptId}
	GET /deviceManagement/deviceCustomAttributeShellScripts/{deviceCustomAttributeShellScriptId}/deviceRunStates
	GET /deviceManagement/deviceCustomAttributeShellScripts/{deviceCustomAttributeShellScriptId}/groupAssignments
	GET /deviceManagement/deviceCustomAttributeShellScripts/{deviceCustomAttributeShellScriptId}/runSummary
	GET /deviceManagement/deviceCustomAttributeShellScripts/{deviceCustomAttributeShellScriptId}/userRunStates
	GET /deviceManagement/deviceHealthScripts
	GET /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}
	GET /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}/assignments
	GET /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}/deviceRunStates
	GET /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}/getRemediationHistory
	GET /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}/runSummary
	GET /deviceManagement/deviceHealthScripts/areGlobalScriptsAvailable
	GET /deviceManagement/deviceHealthScripts/getRemediationSummary
	GET /deviceManagement/deviceManagementScripts
	GET /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}
	GET /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/deviceRunStates
	GET /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/groupAssignments
	GET /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/runSummary
	GET /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/userRunStates
	GET /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/userRunStates/{deviceManagementScriptUserStateId}/deviceRunStates
	GET /deviceManagement/deviceShellScripts
	GET /deviceManagement/deviceShellScripts/{deviceShellScriptId}
	GET /deviceManagement/deviceShellScripts/{deviceShellScriptId}/deviceRunStates
	GET /deviceManagement/deviceShellScripts/{deviceShellScriptId}/groupAssignments
	GET /deviceManagement/deviceShellScripts/{deviceShellScriptId}/runSummary
	GET /deviceManagement/deviceShellScripts/{deviceShellScriptId}/userRunStates
	PATCH /deviceManagement/deviceComplianceScripts/{deviceComplianceScriptId}
	PATCH /deviceManagement/deviceCustomAttributeShellScripts/{deviceCustomAttributeShellScriptId}
	PATCH /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}
	PATCH /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}
	PATCH /deviceManagement/deviceShellScripts/{deviceShellScriptId}
	POST /deviceManagement/deviceComplianceScripts
	POST /deviceManagement/deviceComplianceScripts/{deviceComplianceScriptId}/assign
	POST /deviceManagement/deviceCustomAttributeShellScripts
	POST /deviceManagement/deviceCustomAttributeShellScripts/{deviceCustomAttributeShellScriptId}/assign
	POST /deviceManagement/deviceHealthScripts
	POST /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}/assign
	POST /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}/getGlobalScriptHighestAvailableVersion
	POST /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}/updateGlobalScript
	POST /deviceManagement/deviceHealthScripts/enableGlobalScripts
	POST /deviceManagement/deviceManagementScripts
	POST /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/assign
	POST /deviceManagement/deviceShellScripts
	POST /deviceManagement/deviceShellScripts/{deviceShellScriptId}/assign

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Enable-MgBetaDeviceManagementDeviceHealthScriptGlobalScript
	Get-MgBetaDeviceManagementDeviceHealthScript
	Get-MgBetaDeviceManagementDeviceHealthScriptAssignment
	Get-MgBetaDeviceManagementDeviceHealthScriptDeviceRunState
	Get-MgBetaDeviceManagementDeviceHealthScriptGlobalScriptHighestAvailableVersion
	Get-MgBetaDeviceManagementDeviceHealthScriptRemediationHistory
	Get-MgBetaDeviceManagementDeviceHealthScriptRemediationSummary
	Get-MgBetaDeviceManagementDeviceHealthScriptRunSummary
	Get-MgBetaDeviceManagementDeviceShellScript
	Get-MgBetaDeviceManagementDeviceShellScriptDeviceRunState
	Get-MgBetaDeviceManagementDeviceShellScriptGroupAssignment
	Get-MgBetaDeviceManagementDeviceShellScriptRunSummary
	Get-MgBetaDeviceManagementDeviceShellScriptUserRunState
	Get-MgBetaDeviceManagementScript
	Get-MgBetaDeviceManagementScriptDeviceRunState
	Get-MgBetaDeviceManagementScriptGroupAssignment
	Get-MgBetaDeviceManagementScriptRunSummary
	Get-MgBetaDeviceManagementScriptUserRunState
	Get-MgBetaDeviceManagementScriptUserRunStateDeviceRunState
	Invoke-MgBetaIsDeviceManagementDeviceHealthScriptGlobalScriptAvailable
	New-MgBetaDeviceManagementDeviceHealthScript
	New-MgBetaDeviceManagementDeviceShellScript
	New-MgBetaDeviceManagementScript
	Remove-MgBetaDeviceManagementDeviceHealthScript
	Remove-MgBetaDeviceManagementDeviceShellScript
	Remove-MgBetaDeviceManagementScript
	Set-MgBetaDeviceManagementDeviceHealthScript
	Set-MgBetaDeviceManagementDeviceShellScript
	Set-MgBetaDeviceManagementScript
	Update-MgBetaDeviceManagementDeviceHealthScript
	Update-MgBetaDeviceManagementDeviceHealthScriptGlobalScript
	Update-MgBetaDeviceManagementDeviceShellScript
	Update-MgBetaDeviceManagementScript

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: deviceComplianceScript

Property	Type	Description
id	String	Unique Identifier for the device compliance script
publisher	String	Name of the device compliance script publisher
version	String	Version of the device compliance script
displayName	String	Name of the device compliance script
description	String	Description of the device compliance script
detectionScriptContent	Binary	The entire content of the detection powershell script
createdDateTime	DateTimeOffset	The timestamp of when the device compliance script was created. This property is read-only.
lastModifiedDateTime	DateTimeOffset	The timestamp of when the device compliance script was modified. This property is read-only.
runAsAccount	runAsAccountType	Indicates the type of execution context. Possible values are: `system`, `user`.
enforceSignatureCheck	Boolean	Indicate whether the script signature needs be checked
runAs32Bit	Boolean	Indicate whether PowerShell script(s) should run as 32-bit
roleScopeTagIds	String collection	List of Scope Tag IDs for the device compliance script

Graph reference: deviceCustomAttributeShellScript

Property	Type	Description
id	String	Unique Identifier for the custom attribute entity.
customAttributeName	String	The name of the custom attribute.
customAttributeType	deviceCustomAttributeValueType	The expected type of the custom attribute's value. Possible values are: `integer`, `string`, `dateTime`.
displayName	String	Name of the device management script.
description	String	Optional description for the device management script.
scriptContent	Binary	The script content.
createdDateTime	DateTimeOffset	The date and time the device management script was created. This property is read-only.
lastModifiedDateTime	DateTimeOffset	The date and time the device management script was last modified. This property is read-only.
runAsAccount	runAsAccountType	Indicates the type of execution context. Possible values are: `system`, `user`.
fileName	String	Script file name.
roleScopeTagIds	String collection	List of Scope Tag IDs for this PowerShellScript instance.

Graph reference: deviceHealthScript

Property	Type	Description
id	String	Unique Identifier for the device health script
publisher	String	Name of the device health script publisher
version	String	Version of the device health script
displayName	String	Name of the device health script
description	String	Description of the device health script
detectionScriptContent	Binary	The entire content of the detection powershell script
remediationScriptContent	Binary	The entire content of the remediation powershell script
createdDateTime	DateTimeOffset	The timestamp of when the device health script was created. This property is read-only.
lastModifiedDateTime	DateTimeOffset	The timestamp of when the device health script was modified. This property is read-only.
runAsAccount	runAsAccountType	Indicates the type of execution context. Possible values are: `system`, `user`.
enforceSignatureCheck	Boolean	Indicate whether the script signature needs be checked
runAs32Bit	Boolean	Indicate whether PowerShell script(s) should run as 32-bit
roleScopeTagIds	String collection	List of Scope Tag IDs for the device health script
isGlobalScript	Boolean	Determines if this is Microsoft Proprietary Script. Proprietary scripts are read-only
highestAvailableVersion	String	Highest available version for a Microsoft Proprietary script
deviceHealthScriptType	deviceHealthScriptType	DeviceHealthScriptType for the script policy. Possible values are: `deviceHealthScript`, `managedInstallerScript`.
detectionScriptParameters	deviceHealthScriptParameter collection	List of ComplexType DetectionScriptParameters objects.
remediationScriptParameters	deviceHealthScriptParameter collection	List of ComplexType RemediationScriptParameters objects.

Graph reference: deviceHealthScriptAssignment

Property	Type	Description
id	String	Key of the device health script assignment entity. This property is read-only.
target	deviceAndAppManagementAssignmentTarget	The Azure Active Directory group we are targeting the script to
runRemediationScript	Boolean	Determine whether we want to run detection script only or run both detection script and remediation script
runSchedule	deviceHealthScriptRunSchedule	Script run schedule for the target group

Graph reference: deviceHealthScriptDeviceState

Property	Type	Description
id	String	Key of the device health script device state entity. This property is read-only.
detectionState	runState	Detection state from the lastest device health script execution. The possible values are: `unknown`, `success`, `fail`, `scriptError`, `pending`, `notApplicable`.
lastStateUpdateDateTime	DateTimeOffset	The last timestamp of when the device health script executed
expectedStateUpdateDateTime	DateTimeOffset	The next timestamp of when the device health script is expected to execute
lastSyncDateTime	DateTimeOffset	The last time that Intune Managment Extension synced with Intune
preRemediationDetectionScriptOutput	String	Output of the detection script before remediation
preRemediationDetectionScriptError	String	Error from the detection script before remediation
remediationScriptError	String	Error output of the remediation script
postRemediationDetectionScriptOutput	String	Detection script output after remediation
postRemediationDetectionScriptError	String	Error from the detection script after remediation
remediationState	remediationState	Remediation state from the lastest device health script execution. The possible values are: `unknown`, `skipped`, `success`, `remediationFailed`, `scriptError`, `unknownFutureValue`.
assignmentFilterIds	String collection	A list of the assignment filter ids used for health script applicability evaluation

Graph reference: deviceHealthScriptParameter

Property	Type	Description
name	String	The name of the param
description	String	The description of the param
isRequired	Boolean	Whether the param is required
applyDefaultValueWhenNotAssigned	Boolean	Whether Apply DefaultValue When Not Assigned

Graph reference: deviceHealthScriptRemediationHistory

Property	Type	Description
lastModifiedDateTime	DateTimeOffset	The date on which the results history is calculated for the healthscript.
historyData	deviceHealthScriptRemediationHistoryData collection	The number of devices remediated by the device health script on the given date.

Graph reference: deviceHealthScriptRemediationSummary

Property	Type	Description
scriptCount	Int32	The number of device health scripts deployed.
remediatedDeviceCount	Int32	The number of devices remediated by device health scripts.

Graph reference: deviceHealthScriptRunSummary

Property	Type	Description
id	String	Key of the device health script run summary entity. This property is read-only.
noIssueDetectedDeviceCount	Int32	Number of devices for which the detection script did not find an issue and the device is healthy
issueDetectedDeviceCount	Int32	Number of devices for which the detection script found an issue
detectionScriptErrorDeviceCount	Int32	Number of devices on which the detection script execution encountered an error and did not complete
detectionScriptPendingDeviceCount	Int32	Number of devices which have not yet run the latest version of the device health script
detectionScriptNotApplicableDeviceCount	Int32	Number of devices for which the detection script was not applicable
issueRemediatedDeviceCount	Int32	Number of devices for which the remediation script was able to resolve the detected issue
remediationSkippedDeviceCount	Int32	Number of devices for which remediation was skipped
issueReoccurredDeviceCount	Int32	Number of devices for which the remediation script executed successfully but failed to resolve the detected issue
remediationScriptErrorDeviceCount	Int32	Number of devices for which the remediation script execution encountered an error and did not complete
lastScriptRunDateTime	DateTimeOffset	Last run time for the script across all devices
issueRemediatedCumulativeDeviceCount	Int32	Number of devices that were remediated over the last 30 days

Graph reference: deviceManagementScript

Property	Type	Description
enforceSignatureCheck	Boolean	Indicate whether the script signature needs be checked.
runAs32Bit	Boolean	A value indicating whether the PowerShell script should run as 32-bit
id	String	Unique Identifier for the device management script.
displayName	String	Name of the device management script.
description	String	Optional description for the device management script.
scriptContent	Binary	The script content.
createdDateTime	DateTimeOffset	The date and time the device management script was created. This property is read-only.
lastModifiedDateTime	DateTimeOffset	The date and time the device management script was last modified. This property is read-only.
runAsAccount	runAsAccountType	Indicates the type of execution context. Possible values are: `system`, `user`.
fileName	String	Script file name.
roleScopeTagIds	String collection	List of Scope Tag IDs for this PowerShellScript instance.

Graph reference: deviceManagementScriptAssignment

Property	Type	Description
id	String	Key of the device management script group assignment entity. This property is read-only.
target	deviceAndAppManagementAssignmentTarget	The Id of the Azure Active Directory group we are targeting the script to.

Graph reference: deviceManagementScriptDeviceState

Property	Type	Description
id	String	Key of the device management script device state entity. This property is read-only.
runState	runState	State of latest run of the device management script. Possible values are: `unknown`, `success`, `fail`, `scriptError`, `pending`, `notApplicable`.
resultMessage	String	Details of execution output.
lastStateUpdateDateTime	DateTimeOffset	Latest time the device management script executes.
errorCode	Int32	Error code corresponding to erroneous execution of the device management script.
errorDescription	String	Error description corresponding to erroneous execution of the device management script.

Graph reference: deviceManagementScriptGroupAssignment

Property	Type	Description
id	String	Key of the device management script group assignment entity. This property is read-only.
targetGroupId	String	The Id of the Azure Active Directory group we are targeting the script to.

Graph reference: deviceManagementScriptRunSummary

Property	Type	Description
id	String	Key of the device management script run summary entity. This property is read-only.
successDeviceCount	Int32	Success device count.
errorDeviceCount	Int32	Error device count.
successUserCount	Int32	Success user count.
errorUserCount	Int32	Error user count.

Graph reference: deviceManagementScriptUserState

Property	Type	Description
id	String	Key of the device management script user state entity. This property is read-only.
successDeviceCount	Int32	Success device count for specific user.
errorDeviceCount	Int32	Error device count for specific user.
userPrincipalName	String	User principle name of specific user.

Graph reference: deviceShellScript

Property	Type	Description
executionFrequency	Duration	The interval for script to run. If not defined the script will run once
retryCount	Int32	Number of times for the script to be retried if it fails
blockExecutionNotifications	Boolean	Does not notify the user a script is being executed
id	String	Unique Identifier for the device management script.
displayName	String	Name of the device management script.
description	String	Optional description for the device management script.
scriptContent	Binary	The script content.
createdDateTime	DateTimeOffset	The date and time the device management script was created. This property is read-only.
lastModifiedDateTime	DateTimeOffset	The date and time the device management script was last modified. This property is read-only.
runAsAccount	runAsAccountType	Indicates the type of execution context. Possible values are: `system`, `user`.
fileName	String	Script file name.
roleScopeTagIds	String collection	List of Scope Tag IDs for this PowerShellScript instance.

Graph reference: deviceManagementScript

Property	Type	Description
id	String	Unique Identifier for the device management script.
displayName	String	Name of the device management script.
description	String	Optional description for the device management script.
scriptContent	Binary	The script content.
createdDateTime	DateTimeOffset	The date and time the device management script was created. This property is read-only.
lastModifiedDateTime	DateTimeOffset	The date and time the device management script was last modified. This property is read-only.
runAsAccount	runAsAccountType	Indicates the type of execution context. The possible values are: `system`, `user`.
enforceSignatureCheck	Boolean	Indicate whether the script signature needs be checked.
fileName	String	Script file name.
roleScopeTagIds	String collection	List of Scope Tag IDs for this PowerShellScript instance.
runAs32Bit	Boolean	A value indicating whether the PowerShell script should run as 32-bit

Table of Contents

DeviceManagementScripts.ReadWrite.All

Graph Methods

Resources