Intune and Entra Integration

There are two ways to create the integration with Intune. One option is to create an App Registration in your tenant manually and configure the required permissions yourself. Alternatively, you can use the guided integration, which will create the App Registration for you. If desired, you can use the guided integration and then manually remove any unnecessary permissions afterwards.

Below, you’ll find a list of the mandatory and optional permissions used in the integration.

Azure Active Directory Graph

| Permission Name | Type | Description |
|---|---|---|
| Application.Read.All | Application | Read all applications. This permission is only used during the guided integration. |
| Directory.AccessAsUser.All | Delegated | Access your organization’s directory. This permission is only used during the guided integration. |
| Directory.ReadWrite.All | Application | Read and write directory data. This permission is only used during the guided integration. |

Microsoft Graph

| Permission Name | Type | Description |
|---|---|---|
| Application.Read.All | Application | Read all applications. This permission is only used during the guided integration. |
| Device.Read.All | Application | Read all devices (Optional) |
| DeviceManagementApps.Read.All | Application | Read Microsoft Intune apps (Optional) |
| DeviceManagementApps.ReadWrite.All | Application | Read and write Microsoft Intune apps (Mandatory) |
| DeviceManagementConfiguration.ReadWrite.All | Application | Read and write Microsoft Intune device configuration and policies (Optional) |
| DeviceManagementManagedDevices.Read.All | Application | Read Microsoft Intune devices (Optional) |
| DeviceManagementServiceConfig.Read.All | Application | Read Microsoft Intune configuration (Optional) |
| Directory.ReadWrite.All | Application | Read and write directory data (Optional) |
| Group.Create | Application | Create groups (Optional) |
| Group.Read.All | Application | Read all groups (Mandatory) |
| Group.ReadWrite.All | Application | Read and write all groups (Optional) |
| User.Read.All | Application | Read all users’ full profiles (Optional) |

The optional permissions are used in the following Endpoint Admin features and can therefore be excluded if not in use:

  • Application Shop
  • Microsoft Store Apps
  • Device Primary User alignment
  • Resource Management
    • Ring Group Automation
    • Entra ID Groups
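
The permission tables above can be used to check what an App Registration actually holds, for instance after the guided integration has run. This Python script is an added example, not code from this documentation or the product; the input shape (grants already resolved to API, permission name and type) and the sample grants, including `Mail.Read`, are constructed assumptions.

```python
# Added example: classifications are copied from the permission tables on this page.
GRAPH, AAD = "Microsoft Graph", "Azure Active Directory Graph"
APP, DELEGATED = "Application", "Delegated"

DOCUMENTED = {
    (AAD, "Application.Read.All", APP): "guided-only",
    (AAD, "Directory.AccessAsUser.All", DELEGATED): "guided-only",
    (AAD, "Directory.ReadWrite.All", APP): "guided-only",
    (GRAPH, "Application.Read.All", APP): "guided-only",
    (GRAPH, "DeviceManagementApps.ReadWrite.All", APP): "mandatory",
    (GRAPH, "Group.Read.All", APP): "mandatory",
}
for name in (
    "Device.Read.All", "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementServiceConfig.Read.All", "Directory.ReadWrite.All",
    "Group.Create", "Group.ReadWrite.All", "User.Read.All",
):
    DOCUMENTED[(GRAPH, name, APP)] = "optional"

def audit(granted):
    """Bucket each granted permission; API and type are part of the key,
    so Directory.ReadWrite.All on the two APIs is classified separately."""
    have = {(g["api"], g["permission"], g["type"]) for g in granted}
    report = {"mandatory": [], "optional": [], "guided-only": [],
              "undocumented": []}
    for key in sorted(have):
        report[DOCUMENTED.get(key, "undocumented")].append(key)
    report["missing-mandatory"] = sorted(
        k for k, s in DOCUMENTED.items() if s == "mandatory" and k not in have)
    return report

# Constructed sample (assumption): grants already resolved to names.
SAMPLE = [
    {"api": GRAPH, "permission": "Group.Read.All", "type": APP},
    {"api": GRAPH, "permission": "Application.Read.All", "type": APP},
    {"api": AAD, "permission": "Directory.ReadWrite.All", "type": APP},
    {"api": GRAPH, "permission": "Directory.ReadWrite.All", "type": APP},
    {"api": GRAPH, "permission": "User.Read.All", "type": APP},
    {"api": GRAPH, "permission": "Mail.Read", "type": APP},  # not in the tables
]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE).items():
        print(f"{bucket}:")
        for api, perm, kind in items:
            print(f"  {perm} ({kind}, {api})")
```

Entries reported under `guided-only` are candidates for removal once the guided integration has completed, and `optional` entries can be dropped when the Endpoint Admin features listed above are not in use.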
