
Graph Permissions & Usages – Detailed Overview


This document contains an overview of the Graph APIs and Permissions used by each Endpoint Admin feature in alphabetical order. 

Some features do not interact with the Graph API directly, or use existing EA features that already interface with the Graph API to accomplish their goals; these may not be described here.


1. Agent Powered Metering

Use Cases with Requirements 

| #UC | Use Case with requirements |
| --- | --- |
| 1 | Only devices authenticated to the correct tenant may submit and request data. |
| 2 | All Client Devices must only submit relevant metering data to the backend system based on the group memberships of the device itself and its primary user and how the groups are mapped to metering profiles and metering rules. |
| 2.a | Client Devices must be able to determine which groups they are in. |
| 2.b | Client Devices must be able to determine the primary user and the groups of the primary user. |
| 3 | EA Portal contributor users and above must be able to add and remove groups to perform metering on. |
| 3.a | A meta-group is created which contains all groups assigned for metering on each metering profile. |
| 3.b | The meta-group is populated with member groups when the groups are added to the metering profile. |
| 3.c | A meta-group membership is removed when a group is removed from the metering profile. |

Microsoft Graph APIs 

| #API | API | Highest Effective Permission Used by Endpoint Admin | Permission Type |
| --- | --- | --- | --- |
| 1 | List devices | Directory.ReadWrite.All | Application |
| 2 | List managedDevices | DeviceManagementManagedDevices.Read.All | Application |
| 3 | Device: List memberOf | Directory.ReadWrite.All | Application |
| 4 | User: List memberOf | Directory.ReadWrite.All | Application |
| 5 | Create group | Directory.ReadWrite.All | Application |
| 6 | Group: Add members | GroupMember.ReadWrite.All (implicitly granted by Directory.ReadWrite.All and Group.ReadWrite.All) | Application |
| 7 | Group: Remove member | Directory.ReadWrite.All | Application |

Use Cases and APIs Used to Perform Use Case 

| #UC | APIs used (#API) | All Effective Permissions Used |
| --- | --- | --- |
| 1 | | Directory.ReadWrite.All |
| 2 | Refer to 2.[a..z] | Refer to 2.[a..z] |
| 2.a | 1, 2 | Directory.ReadWrite.All |
| 2.b | 3, 4 | DeviceManagementManagedDevices.Read.All, Directory.ReadWrite.All |
| 3-3.c | 5, 6, 7 | Directory.ReadWrite.All, GroupMember.ReadWrite.All |

2. Application Shopping

Use Cases with Requirements 

| #UC | Use Case |
| --- | --- |
| 1 | EA Portal users with the proper authorization must be able to define groups that are allowed to requisition an EA application through the EA Shop. For this purpose, an Availability Group is created which will contain those groups that can access the application. |
| 2 | EA Portal users with proper authorization must be able to set up approval flows for shopping applications. |
| 3 | When a shop user clicks "install" on an application, their selected device must be added to a group that is on the Required-assignment of the Intune application. If the device is in the shop application Uninstall-group, the device must be removed from it. A Required-assignment group is created by EA for each shoppable app. |
| 3.a | If a license group is associated with the Application, the primary user of the device must be added to the license group. |
| 4 | When a shop user clicks "Uninstall" on an application, their selected device must be removed from the shop application group for the Required-assignment and added to the shop application group for the Uninstall-assignment. An Uninstall-assignment group is created by EA for each shoppable app. |
| 4.a | If a license group is associated with the Application, the primary user of the device must be removed from the license group. |
| 5 | It must be checked that the user performing an Install or Uninstall operation is the device owner, and users must be able to select which device they are managing on the Shopping site. |
| 6 | When a shop user clicks "Request" on an application, the approval flow must be invoked starting at step 1. |
| 6.a | If the current step is a group-approval step, then notify each user in the group that an approval is awaiting their response. |
| 6.b | If the current step is a manager-approval step, then notify the user's direct manager that an Application Shopping Approval is awaiting their response. |
| 6.c | When a step has passed approval, invoke the next applicable step; this triggers either 5.a or 5.b, or, if it is the final step, case 3 will be triggered automatically. |
| 7 | An application that is added to the shop may have an EA-managed license group attached to it. This group is created by EA. |
| 8 | An application that is both assigned to a user or device and available to the same user or device using the EA shop should use the assignment given and not be visible in the shop, if this assignment is a Required or Uninstall assignment. |
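Use case 5 above is the authorization check that keeps one shop user from changing group membership for another user's device. The following is an added example (not Endpoint Admin code) of that check built on the "User: List ownedDevices" call: `fetch_page` stands in for an authenticated Graph request, and the two-page ownedDevices response, user id and device ids are constructed placeholders.

```python
"""Device-ownership check behind Application Shopping use case 5: a user may
only Install or Uninstall on a device they own. Added example, not Endpoint
Admin code; fetch_page stands in for an authenticated Graph call and the
ownedDevices pages below are constructed samples with placeholder ids."""

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed two-page response of GET /users/{id}/ownedDevices, shaped as
# Graph returns it: a "value" array of directory objects and an
# "@odata.nextLink" while more pages remain.
PAGES = {
    f"{GRAPH}/users/user-1/ownedDevices": {
        "value": [{"@odata.type": "#microsoft.graph.device", "id": "dev-a"}],
        "@odata.nextLink": f"{GRAPH}/users/user-1/ownedDevices?$skiptoken=p2",
    },
    f"{GRAPH}/users/user-1/ownedDevices?$skiptoken=p2": {
        "value": [{"@odata.type": "#microsoft.graph.device", "id": "dev-b"}],
    },
}


def fetch_page(url):
    """Stand-in for an HTTP GET with a bearer token; returns parsed JSON."""
    return PAGES[url]


def owned_device_ids(user_id, fetch=fetch_page):
    """Collect every device id the user owns, following all pages so that a
    device listed on a later page is not silently treated as unowned."""
    url = f"{GRAPH}/users/{user_id}/ownedDevices"
    ids = set()
    while url:
        page = fetch(url)
        ids.update(obj["id"] for obj in page.get("value", [])
                   if obj.get("@odata.type") == "#microsoft.graph.device")
        url = page.get("@odata.nextLink")
    return ids


def is_device_owner(user_id, device_id, fetch=fetch_page):
    """Deny by default: only an exact match in the owner's device list allows
    the Install/Uninstall group change to proceed."""
    return device_id in owned_device_ids(user_id, fetch)
```

The device id checked here must be the one the backend acts on, not one echoed back from the shop UI, otherwise the ownership check and the group change can disagree.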

Microsoft Graph APIs 

| #API | API | Highest Effective Permission Used by Endpoint Admin | Permission Type |
| --- | --- | --- | --- |
| 1 | List groups | Directory.ReadWrite.All | Application |
| 2 | Group: Add members | GroupMember.ReadWrite.All (implicitly granted by Directory.ReadWrite.All and Group.ReadWrite.All) | Application |
| 3 | Create group | Directory.ReadWrite.All | Application |
| 4 | Group: Remove member | Directory.ReadWrite.All | Application |
| 5 | User: List ownedDevices | Directory.ReadWrite.All | Application |
| 6 | User: List manager | Directory.ReadWrite.All | Application |
| 7 | List group members | Directory.ReadWrite.All | Application |
| 8 | List group transitive members | Directory.ReadWrite.All | Application |
| 9 | directoryObject: checkMemberGroups | Directory.ReadWrite.All | Application |

Use Cases and APIs Used to Perform Use Case 

| #UC | APIs used (#API) | All Effective Permissions Used |
| --- | --- | --- |
| 1 | 1, 2, 3, 4 | Directory.ReadWrite.All, GroupMember.ReadWrite.All |
| 2 | | Directory.ReadWrite.All, GroupMember.ReadWrite.All |
| 3 | 3, 4 | Directory.ReadWrite.All, GroupMember.ReadWrite.All |
| 3.a | 9, 2 | |
| 4 | 4, 3 | Directory.ReadWrite.All, GroupMember.ReadWrite.All |
| 4.a | 9, 4 | |
| 5 | | Directory.ReadWrite.All |
| 6 | Refer to 6.[a-z] | Refer to 6.[a-z] |
| 6.a | | Directory.ReadWrite.All |
| 6.b | | Directory.ReadWrite.All |
| 6.c | 6 or 7 or 3 | Directory.ReadWrite.All |
| 7 | 3, 2 | Directory.ReadWrite.All |
| 8 | 8, 4 | Directory.ReadWrite.All |

3. Application Management

Use Cases 

| #UC | Use Case |
| --- | --- |
| 1 | Users must be able to deploy new and update existing Managed Win32 LoB Apps using EA repositories that they are authorized to use or add applications to. |
| 2 | Users must be able to deploy new and update existing MacOSPkg Apps using EA repositories that they are authorized to use or add applications to. |
| 3 | Users and above must be able to deploy existing Windows Store Applications to Intune. |
| 4 | Users must be able to manage application meta-data for subscriptions and apps where they are authorized to do so. |
| 5 | Users must be able to manage the assignments of deployed applications. |
| 6 | Users must be able to view the Device Install Status Summary. |
| 7 | Users must be able to view the Device App Install Status Detail for each device. |
| 8 | Users must be able to manage Assignment Filters. |

Microsoft Graph APIs 

| #API | API | Highest Effective Permission Used by Endpoint Admin | Permission Type |
| --- | --- | --- | --- |
| 1 | Get mobileApp | DeviceManagementApps.ReadWrite.All | Application |
| 2 | Create win32LobApp | DeviceManagementApps.ReadWrite.All | Application |
| 3 | Create macOSPkgApp | DeviceManagementApps.ReadWrite.All | Application |
| 4 | Get mobileAppContent | DeviceManagementApps.ReadWrite.All | Application |
| 5 | List mobileAppContentFiles | DeviceManagementApps.ReadWrite.All | Application |
| 6 | Delete mobileAppContentFile | DeviceManagementApps.ReadWrite.All | Application |
| 7 | Create mobileAppContent | DeviceManagementApps.ReadWrite.All | Application |
| 8 | Create mobileAppContentFile | DeviceManagementApps.ReadWrite.All | Application |
| 9 | Update macOSPkgApp | DeviceManagementApps.ReadWrite.All | Application |
| 10 | Update win32LobApp | DeviceManagementApps.ReadWrite.All | Application |
| 11 | Update winGetApp | DeviceManagementApps.ReadWrite.All | Application |
| 12 | mobileApp: assign action | DeviceManagementApps.ReadWrite.All | Application |
| 13 | Create winGetApp | DeviceManagementApps.ReadWrite.All | Application |
| 14 | List groups | Directory.ReadWrite.All | Application |
| 15 | Get mobileAppInstallSummary | DeviceManagementApps.ReadWrite.All | Application |
| 16 | List mobileAppInstallStatuses | DeviceManagementApps.ReadWrite.All | Application |
| 17 | List deviceAndAppManagementAssignmentFilters | DeviceManagementConfiguration.ReadWrite.All | Application |
| 18 | Get deviceAndAppManagementAssignmentFilter | DeviceManagementConfiguration.ReadWrite.All | Application |
| 19 | Create deviceAndAppManagementAssignmentFilter | DeviceManagementConfiguration.ReadWrite.All | Application |
| 20 | Update deviceAndAppManagementAssignmentFilter | DeviceManagementConfiguration.ReadWrite.All | Application |
| 21 | Delete deviceAndAppManagementAssignmentFilter | DeviceManagementConfiguration.ReadWrite.All | Application |

Use Cases and APIs Used to Perform Use Case 

| #UC | APIs used (#API) | All Effective Permissions Used |
| --- | --- | --- |
| 1 | 1, 2, 3, 4, 5, 6, 7, 8, 10, 12 | DeviceManagementApps.ReadWrite.All |
| 2 | 1, 2, 3, 4, 5, 6, 7, 8, 9, 12 | DeviceManagementApps.ReadWrite.All |
| 3 | 13 | DeviceManagementApps.ReadWrite.All |
| 4 | 9, 10, 11 | DeviceManagementApps.ReadWrite.All |
| 5 | 12, 14 | DeviceManagementApps.ReadWrite.All, Directory.ReadWrite.All |
| 6 | 15 | DeviceManagementApps.ReadWrite.All |
| 7 | 16 | DeviceManagementApps.ReadWrite.All |
| 8 | 17, 18, 19, 20, 21 | DeviceManagementConfiguration.ReadWrite.All |

4. Application Reporting

Use Cases 

| #UC | Use Case |
| --- | --- |
| 1 | Users must be able to see an aggregate overview of the install status of all Endpoint Admin managed applications across all devices. |
| 2 | Users must be able to see an aggregate overview of unmanaged applications across all their devices. |
| 3 | Users must be able to generate a report containing the monthly aggregates of the install status of managed applications. |

Microsoft Graph APIs 

| #API | API / Report | Highest Effective Permission Used by Endpoint Admin | Permission Type |
| --- | --- | --- | --- |
| 1 | Create deviceManagementExportJob | DeviceManagementConfiguration.ReadWrite.All | Application |
| 2 | Get deviceManagementExportJob | DeviceManagementConfiguration.ReadWrite.All | Application |
| 3 | AppInstallStatusAggregate report | DeviceManagementApps.ReadWrite.All | Application |
| 4 | AppInvRawData report | DeviceManagementApps.ReadWrite.All | Application |

Use Cases and APIs Used to Perform Use Case 

| #UC | APIs used (#API) | All Effective Permissions Used |
| --- | --- | --- |
| 1 | 1, 2, 3 | DeviceManagementConfiguration.ReadWrite.All, DeviceManagementApps.ReadWrite.All |
| 2 | 1, 2, 4 | DeviceManagementConfiguration.ReadWrite.All, DeviceManagementApps.ReadWrite.All |
| 3 | 1, 2, 3 | DeviceManagementConfiguration.ReadWrite.All, DeviceManagementApps.ReadWrite.All |

5. Configuration Sets

Endpoint Admin Configuration Sets currently work by implementing a subset of the Application Management specification, specifically only the parts that relate to Win32 LoB Apps, because a Configuration Set is currently a generated Win32 LoB App. In the future this may change to involve APIs and Use Cases that cannot be handled via Endpoint Admin Application Management. For now, refer to section 3. Application Management.

6. Device Reporting

Use Cases 

| #UC | Use Case |
| --- | --- |
| 1 | Users must be able to see an overview of aggregate device compliance. |
| 2 | Users must be able to see an overview of aggregate device OS versions. |
| 3 | Users must be able to see an overview of aggregate management statistics. |
| 4 | Users must be able to generate a report containing various information regarding all their managed devices. |
| 5 | Users must be able to see the number of managed devices in their tenant. |

Microsoft Graph APIs 

| #API | API / Report | Highest Effective Permission Used by Endpoint Admin | Permission Type |
| --- | --- | --- | --- |
| 1 | Create deviceManagementExportJob | DeviceManagementConfiguration.ReadWrite.All | Application |
| 2 | Get deviceManagementExportJob | DeviceManagementConfiguration.ReadWrite.All | Application |
| 3 | Devices report | DeviceManagementConfiguration.ReadWrite.All | Application |
| 4 | DevicesWithInventory report | DeviceManagementConfiguration.ReadWrite.All | Application |
| 5 | List managedDevices | DeviceManagementManagedDevices.Read.All | Application |

Use Cases and APIs Used to Perform Use Case 

| #UC | APIs used (#API) | All Effective Permissions Used |
| --- | --- | --- |
| 1 | 1, 2, 4 | DeviceManagementConfiguration.ReadWrite.All |
| 2 | 1, 2, 3 | DeviceManagementConfiguration.ReadWrite.All |
| 3 | 1, 2, 3 | DeviceManagementConfiguration.ReadWrite.All |
| 4 | 1, 2, 3, 4 | DeviceManagementConfiguration.ReadWrite.All |
| 5 | | DeviceManagementManagedDevices.Read.All |

7. Entra ID Group Management

Use Case 

Users need to be able to configure most aspects of Entra ID groups to facilitate their usage in Endpoint Admin, namely creation, updating, deletion and adding members. Creation of groups is limited to Security Groups. Dynamic Device and Dynamic User groups are supported, as well as regular groups with assigned memberships.

Microsoft Graph APIs 

| #API | API | Highest Effective Permission Used by Endpoint Admin | Permission Type |
| --- | --- | --- | --- |
| 1 | Get group | Directory.ReadWrite.All (implicitly Group.Read.All) | Application |
| 2 | List groups | Directory.ReadWrite.All (implicitly Group.Read.All) | Application |
| 3 | Create group | Directory.ReadWrite.All | Application |
| 4 | Update group | Directory.ReadWrite.All | Application |
| 5 | Delete group | Directory.ReadWrite.All | Application |
| 6 | Add members | Directory.ReadWrite.All | Application |
| 7 | Remove members | Directory.ReadWrite.All | Application |
| 8 | List group transitive members | Directory.ReadWrite.All | Application |
| 9 | List servicePrincipals | Directory.ReadWrite.All (implicitly Application.Read.All) | Application |
| 10 | List users | Directory.ReadWrite.All (implicitly User.Read.All) | Application |
| 11 | List devices | Directory.ReadWrite.All (implicitly Device.Read.All) | Application |

APIs 9 to 11 are used so that users can see which objects they can add as a member.

8. Ring Group Automation

Ring group automation is an Endpoint Admin feature that allows you to construct groups that automatically spread users and devices across several rings of groups according to your definitions. From this a Deployment Schedule can be generated which deploys software according to your specifications. 

Currently Ring Group Automation uses a subset of the permissions and APIs as defined in section 7. Entra ID Group Management.
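Taken together, the sections above list five application permissions, and the tables note which of them are implicitly covered by Directory.ReadWrite.All. The following added example (not Endpoint Admin code) is the least-privilege check a tenant administrator can run against that list: it maps a service principal's appRoleAssignments to permission names through the Microsoft Graph service principal's appRoles and reports what is missing and what is granted beyond the documented set. The GRAPH_SP and ASSIGNMENTS objects are constructed samples with placeholder ids.

```python
"""Compare a service principal's granted application permissions with the set
this document lists. Added example, not Endpoint Admin code; GRAPH_SP and
ASSIGNMENTS are constructed samples with placeholder ids."""

# Application permissions listed across sections 1 to 8 of this document.
REQUIRED = {"Directory.ReadWrite.All", "GroupMember.ReadWrite.All",
            "DeviceManagementManagedDevices.Read.All",
            "DeviceManagementApps.ReadWrite.All",
            "DeviceManagementConfiguration.ReadWrite.All"}

# "Implicitly granted by" relations as the document states them.
IMPLIED_BY = {
    "GroupMember.ReadWrite.All": {"Directory.ReadWrite.All", "Group.ReadWrite.All"},
    "Group.Read.All": {"Directory.ReadWrite.All"},
    "User.Read.All": {"Directory.ReadWrite.All"},
    "Device.Read.All": {"Directory.ReadWrite.All"},
}

# Constructed: the Microsoft Graph service principal exposes appRoles (id and
# value); an app's appRoleAssignments reference those ids via appRoleId.
GRAPH_SP = {"id": "graph-sp-placeholder", "appRoles": [
    {"id": "role-1", "value": "Directory.ReadWrite.All"},
    {"id": "role-2", "value": "DeviceManagementApps.ReadWrite.All"},
    {"id": "role-3", "value": "DeviceManagementConfiguration.ReadWrite.All"},
    {"id": "role-4", "value": "Mail.ReadWrite"},
]}
ASSIGNMENTS = [
    {"appRoleId": "role-1", "resourceId": "graph-sp-placeholder"},
    {"appRoleId": "role-2", "resourceId": "graph-sp-placeholder"},
    {"appRoleId": "role-3", "resourceId": "graph-sp-placeholder"},
    {"appRoleId": "role-4", "resourceId": "graph-sp-placeholder"},
    {"appRoleId": "role-9", "resourceId": "other-api-placeholder"},  # not Graph
]


def granted_values(graph_sp, assignments):
    """Translate appRoleId values into permission names, ignoring grants on
    resources other than Microsoft Graph."""
    by_id = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    return {by_id[a["appRoleId"]] for a in assignments
            if a["resourceId"] == graph_sp["id"] and a["appRoleId"] in by_id}


def audit(granted, required=REQUIRED, implied_by=IMPLIED_BY):
    """Return (missing, excess): required permissions neither granted nor
    implied by a granted one, and grants this document does not list."""
    missing = {p for p in required
               if p not in granted and not (implied_by.get(p, set()) & granted)}
    return missing, granted - required
```

In the constructed sample the audit reports DeviceManagementManagedDevices.Read.All as missing (GroupMember.ReadWrite.All is covered by Directory.ReadWrite.All) and Mail.ReadWrite as an excess grant to review.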
