Appendix B - Microsoft Intune API Permissions

This Appendix lists the API permissions required for the automatic (one-click) integration of Microsoft Intune with Harmony Mobile.

Microsoft Graph

Note - (Optional) After the automatic integration has completed, you can remove the API permissions whose Usage entry is marked (Required for One-click integration). The remaining permissions are still needed for the ongoing device sync and compliance reporting.

Each entry below lists the API / Permission Name, Type, Description, User Consent Description and Usage.

DeviceManagementApps.ReadWrite.All
  Type: Application
  Description: Read and write Microsoft Intune apps.
  User Consent Description: Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.
  Usage: (Required for One-click integration) To protect your devices, deploy the Harmony Mobile Protect App from the App Store / Google Play to your devices. You must add the Harmony Mobile Protect App for both the iOS and Android operating systems.

DeviceManagementConfiguration.ReadWrite.All
  Type: Application
  Description: Read and write Microsoft Intune device configuration and policies.
  User Consent Description: Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.
  Usage: (Required for One-click integration) Create the app configuration, VPN configuration and certificate, and assign them to the groups.

DeviceManagementManagedDevices.Read.All
  Type: Application
  Description: Read Microsoft Intune devices.
  User Consent Description: Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
  Usage: (Microsoft Graph) Required for the device sync.

Directory.AccessAsUser.All
  Type: Delegated
  Description: Access the directory as the signed-in user.
  User Consent Description: Allows the app to have the same access to information in your work or school directory as you do.
  Usage: (not specified)

Directory.Read.All
  Type: Delegated
  Description: Read directory data. Allows the app to read data in your organization's directory, such as users, groups and apps.
  User Consent Description: Allows the app to read data in your organization's directory.
  Usage: (Microsoft Graph)

Directory.Read.All
  Type: Application
  Description: Read directory data.
  User Consent Description: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
  Usage: (not specified)

Group.Create
  Type: Application
  Description: Create groups.
  User Consent Description: Allows the app to create groups without a signed-in user.
  Usage: (Required for One-click integration) To create the following groups:

  • sbm_unregistered_ANDROID

  • sbm_registered_ANDROID

  • sbm_unregistered_IOS

  • sbm_registered_IOS

GroupMember.Read.All
  Type: Delegated
  Description: Read group memberships.
  User Consent Description: Allows the app to list groups, read basic group properties and read membership of all your groups.
  Usage: Device sync: get the group members (users and dedicated devices).

GroupMember.ReadWrite.All
  Type: Delegated
  Description: Read and write group memberships.
  User Consent Description: Allows the app to list groups, read basic properties, and read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted.
  Usage: Device sync: get the group members (users and dedicated devices).

User.Read
  Type: Delegated
  Description: Sign in and read user profile.
  User Consent Description: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  Usage: Get the list of users' registered devices.

DeviceManagementApps.ReadWrite.All
  Type: Application
  Description: Read and write Microsoft Intune apps.
  User Consent Description: Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
  Usage: (Required for One-click integration) To create the Android and iOS apps and their configurations.

DeviceManagementConfiguration.ReadWrite.All
  Type: Application
  Description: Read and write Microsoft Intune device configuration and policies.
  User Consent Description: Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.
  Usage: (Required for One-click integration) To create the VPN profiles for zero-touch.

Group.ReadWrite.All
  Type: Application
  Description: Read and write all groups.
  User Consent Description: Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user.
  Usage: (Required for One-click integration) To create and assign profiles for the zero-touch groups.

DeviceManagementServiceConfig.ReadWrite.All
  Type: Application
  Description: Read and write Microsoft Intune configuration.
  User Consent Description: Allows the app to read and write Microsoft Intune service properties, including device enrollment and third-party service connection configuration.
  Usage: (Required for One-click integration) To enable the MTD (Mobile Threat Defense) connector.

Microsoft Intune

Each entry below lists the API / Permission Name, Type, Description, User Consent Description and Usage.

update_device_health
  Type: Application
  Description: Send device threat information to Microsoft Intune.
  User Consent Description: Allow this app to send device risk and threat information to Microsoft Intune to determine the device compliance with corporate security policy.
  Usage: Tag the device.
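The lists above are also what you should audit the app registration against: after the one-click integration, anything marked (Required for One-click integration) is a standing write permission the connector no longer needs, and anything not on the lists is an over-grant. The script below is an added example (not Check Point's or Microsoft's code) that performs that check on the JSON shapes Microsoft Graph returns from GET /servicePrincipals/{id}/appRoleAssignments (application permissions), GET /oauth2PermissionGrants?$filter=clientId eq '{id}' (delegated permissions) and the appRoles array of each resource service principal, which is what maps an appRoleId GUID back to a permission name. All ids, and the tenant state they describe, are constructed placeholders; the Graph calls that would supply real data are assumed and not shown.

```python
"""Audit an Entra ID app registration against the Harmony Mobile / Intune
permission list in this appendix.  Added example, not vendor code.
All GUIDs are constructed placeholders."""
from typing import Dict, Iterable, List, Set, Tuple

Perm = Tuple[str, str]  # (permission name, "Application" | "Delegated")

# Permission list from this appendix.  True = marked
# "(Required for One-click integration)", i.e. removable once integration is done.
EXPECTED: Dict[Perm, bool] = {
    ("DeviceManagementApps.ReadWrite.All", "Application"): True,
    ("DeviceManagementConfiguration.ReadWrite.All", "Application"): True,
    ("DeviceManagementManagedDevices.Read.All", "Application"): False,
    ("Directory.AccessAsUser.All", "Delegated"): False,
    ("Directory.Read.All", "Delegated"): False,
    ("Directory.Read.All", "Application"): False,
    ("Group.Create", "Application"): True,
    ("GroupMember.Read.All", "Delegated"): False,
    ("GroupMember.ReadWrite.All", "Delegated"): False,
    ("User.Read", "Delegated"): False,
    ("Group.ReadWrite.All", "Application"): True,
    ("DeviceManagementServiceConfig.ReadWrite.All", "Application"): True,
    ("update_device_health", "Application"): False,  # Microsoft Intune API, not Graph
}


def build_role_catalog(resource_sps: Iterable[dict]) -> Dict[Tuple[str, str], str]:
    """(resource service principal id, appRoleId) -> permission name, from `appRoles`."""
    return {(sp["id"], role["id"]): role["value"]
            for sp in resource_sps for role in sp.get("appRoles", [])}


def granted_permissions(app_role_assignments: Iterable[dict], oauth2_grants: Iterable[dict],
                        catalog: Dict[Tuple[str, str], str]) -> Set[Perm]:
    """Flatten both Graph responses into one set of (name, type) grants."""
    granted: Set[Perm] = set()
    for a in app_role_assignments:
        # An appRoleId missing from the catalog is still a live grant: keep the
        # raw GUID so it shows up as "unexpected" instead of being dropped.
        granted.add((catalog.get((a["resourceId"], a["appRoleId"]), a["appRoleId"]), "Application"))
    for g in oauth2_grants:
        for scope in g.get("scope", "").split():  # scope is a space-separated string
            granted.add((scope, "Delegated"))
    return granted


def audit(granted: Set[Perm], integration_done: bool,
          expected: Dict[Perm, bool] = EXPECTED) -> Dict[str, List[Perm]]:
    """missing: listed but not granted (one-click perms stop counting once done);
    unexpected: granted but not listed, i.e. an over-grant to review;
    removable: granted one-click perms that can now be revoked."""
    missing = [p for p, one_click in expected.items()
               if p not in granted and not (integration_done and one_click)]
    unexpected = sorted(p for p in granted if p not in expected)
    removable = [p for p, one_click in expected.items() if one_click and p in granted]
    return {"missing": missing, "unexpected": unexpected, "removable": removable}


# ---- Constructed sample tenant state (placeholder ids, not real values) ----
CLIENT_SP = "00000000-0000-4000-8000-000000000001"   # the Harmony Mobile app's SP
GRAPH_SP = "11111111-1111-4111-8111-111111111111"    # Microsoft Graph SP object id
INTUNE_SP = "22222222-2222-4222-8222-222222222222"   # Microsoft Intune API SP object id


def _roles(prefix: str, names: List[str]) -> List[dict]:
    # Minimal appRoles entries; real ones carry more fields (allowedMemberTypes, ...).
    return [{"id": f"{prefix}-0000-4000-8000-{i:012d}", "value": n} for i, n in enumerate(names, 1)]


SAMPLE_RESOURCE_SPS = [
    {"id": GRAPH_SP, "displayName": "Microsoft Graph", "appRoles": _roles("aaaaaaaa", [
        "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All",
        "DeviceManagementManagedDevices.Read.All", "DeviceManagementManagedDevices.ReadWrite.All",
        "Directory.Read.All", "Group.Create", "Group.ReadWrite.All",
        "DeviceManagementServiceConfig.ReadWrite.All"])},
    {"id": INTUNE_SP, "displayName": "Microsoft Intune API",
     "appRoles": _roles("bbbbbbbb", ["update_device_health"])},
]


def _assignment(sp: dict, name: str) -> dict:
    role_id = next(r["id"] for r in sp["appRoles"] if r["value"] == name)
    return {"resourceId": sp["id"], "appRoleId": role_id, "principalId": CLIENT_SP}


# Group.Create deliberately absent; ManagedDevices.ReadWrite.All deliberately over-granted.
SAMPLE_APP_ROLE_ASSIGNMENTS = [_assignment(SAMPLE_RESOURCE_SPS[0], n) for n in [
    "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All", "DeviceManagementManagedDevices.ReadWrite.All",
    "Directory.Read.All", "Group.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All",
]] + [_assignment(SAMPLE_RESOURCE_SPS[1], "update_device_health")]

# Admin-consented delegated grant; User.Read deliberately absent.
SAMPLE_OAUTH2_GRANTS = [{
    "clientId": CLIENT_SP, "consentType": "AllPrincipals", "principalId": None,
    "resourceId": GRAPH_SP,
    "scope": "Directory.AccessAsUser.All Directory.Read.All GroupMember.Read.All GroupMember.ReadWrite.All",
}]


def sample_report(integration_done: bool = True) -> Dict[str, List[Perm]]:
    catalog = build_role_catalog(SAMPLE_RESOURCE_SPS)
    granted = granted_permissions(SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_OAUTH2_GRANTS, catalog)
    return audit(granted, integration_done)


if __name__ == "__main__":
    for section, perms in sample_report(integration_done=True).items():
        print(section)
        for name, kind in perms:
            print(f"  {kind:<12}{name}")
```

On the constructed sample the report flags User.Read as missing, DeviceManagementManagedDevices.ReadWrite.All as an over-grant, and the four granted one-click permissions as removable; with integration_done=False the absent Group.Create is reported as missing as well, since one-click integration cannot run without it. Feed real tenant data by replacing the SAMPLE_* values with the responses of the three Graph calls named in the lead-in.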