# Permissions

### Overview

This page describes the permissions and access model for this agent.\
The agent uses **read-only access** to Microsoft Intune and Microsoft Entra ID data through the **Microsoft Graph API**.\
It is designed to help troubleshoot device-related issues such as enrollment failures, app deployment errors, or compliance inconsistencies without modifying any configurations.

***

### How It Works

The agent connects securely to your tenant using Microsoft Graph API endpoints to gather Intune device data, configuration profiles, policy assignments, and diagnostic logs.\
It analyzes this information to identify potential causes of device management or enrollment issues and provides recommendations for remediation.

All interactions follow these principles:

* **Read-only access:** The agent does not modify, create, or delete device configurations or policies.
* **Least privilege:** Only the permissions required to read Intune device data are granted.
* **Transparency:** All data access occurs through documented Graph API endpoints and can be audited within Microsoft Entra.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                 | Description                                                                                  |
| -------------------- | -------------------------------------------------------------------------------------------- |
| **Intune Reader**    | Provides read-only access to Intune device information, configurations, and compliance data. |
| **Directory Reader** | Grants read-only access to Entra ID user and device relationships.                           |
| **Security Reader**  | Enables access to device compliance and security alert data for diagnostic purposes.         |

{% hint style="info" %}
These roles are aligned with the principle of least privilege. Adjust role assignments as needed for your organization’s governance requirements.
{% endhint %}

***

### Data Access Transparency

The following table outlines the data accessed by the agent and its purpose.

| Data Type                                 | Access Level | Purpose                                                                   |
| ----------------------------------------- | ------------ | ------------------------------------------------------------------------- |
| **Device inventory and status**           | Read-only    | To retrieve hardware, OS, and enrollment information for troubleshooting. |
| **Configuration and compliance policies** | Read-only    | To analyze applied policies and identify misconfigurations.               |
| **App deployment and installation data**  | Read-only    | To review app assignment, delivery status, and failure details.           |
| **Diagnostic logs and error codes**       | Read-only    | To correlate error events and identify root causes.                       |
| **User and group assignments**            | Read-only    | To map device relationships and evaluate policy targeting.                |

**Data handling:**

* The agent does **not** modify, delete, or export customer data outside the tenant boundary.
* All access is limited to the **Microsoft Graph API** using delegated or application permissions.
* All activity is recorded in **Microsoft Entra audit logs** for transparency and traceability.

***

### Agent Usage

When running the agent, provide the required input to perform troubleshooting effectively.

| Input Type   | Description              | Example                        |
| ------------ | ------------------------ | ------------------------------ |
| **Required** | Device ID or device name | `"Troubleshoot device ABC123"` |
| **Optional** | Issue description        | `"App won't install"`          |
| **Optional** | Error code or message    | `"0x87D1041C"`                 |
| **Optional** | Time of issue occurrence | `"2025-01-15T09:00Z"`          |

#### Example Queries

* `"Troubleshoot device ABC123"`
* `"Why won't device DESKTOP-XYZ enroll?"`
* `"Analyze compliance issues for user john.doe's laptop"`
* `"Why is app deployment failing on device DEV456?"`

{% hint style="info" %}
Ensure that the administrator account running the agent has all required roles assigned before use.
{% endhint %}

***

### Security and Compliance Considerations

* All communication with Microsoft Graph is encrypted using HTTPS and secured by Microsoft identity services.
* The agent adheres to Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time through **Entra ID role assignments** or **application consent management**.

***

### Next Steps

* Verify that the administrator account has all required roles assigned.
* Review Intune device compliance and enrollment data to ensure proper visibility before troubleshooting.
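To make the first of these steps concrete, and to check the read-only guarantee stated under Least privilege, here is an added Python example (not part of the agent or this documentation). It assumes the administrator's `memberOf` objects and the agent's consented Graph `scope` string have already been retrieved with the Graph endpoints named in the docstring; the sample values are constructed.

```python
"""Least-privilege check for the agent's Graph access. Added example, not the agent's
own code. It assumes two values already fetched from Microsoft Graph:
  * the `scope` string of the agent's oauth2PermissionGrant
    (GET /oauth2PermissionGrants?$filter=clientId eq '<service-principal-object-id>'),
  * the administrator's directory roles (GET /users/<upn>/memberOf).
The sample values under __main__ are constructed for illustration."""
import re

# Role names as listed on this page; they must match each role's displayName in the tenant.
REQUIRED_ROLES = {"Intune Reader", "Directory Reader", "Security Reader"}

# OpenID Connect scopes grant no data access and are always acceptable.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# A Graph permission is read-only when its action segment is exactly "Read"
# (Directory.Read.All, User.Read); ReadWrite, Write, PrivilegedOperations are not.
_READ_ONLY = re.compile(r"^[A-Za-z]+\.Read(\.All)?$")


def non_read_only_scopes(scope_string: str) -> list[str]:
    """Return granted scopes that allow more than reading; empty list means compliant."""
    return sorted(s for s in scope_string.split()
                  if s not in OIDC_SCOPES and not _READ_ONLY.match(s))


def missing_roles(member_of: list[dict]) -> set[str]:
    """Return required roles the administrator does not hold, from a memberOf response."""
    held = {obj["displayName"] for obj in member_of
            if obj.get("@odata.type") == "#microsoft.graph.directoryRole"}
    return REQUIRED_ROLES - held


if __name__ == "__main__":
    # Constructed sample: one write scope slipped into an otherwise read-only grant.
    sample_scope = ("openid offline_access DeviceManagementManagedDevices.Read.All "
                    "DeviceManagementConfiguration.Read.All Directory.ReadWrite.All")
    sample_member_of = [
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Intune Reader"},
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Security Reader"},
        {"@odata.type": "#microsoft.graph.group", "displayName": "Helpdesk"},  # groups are ignored
    ]
    print("scopes exceeding read-only:", non_read_only_scopes(sample_scope))  # ['Directory.ReadWrite.All']
    print("missing roles:", missing_roles(sample_member_of))  # {'Directory Reader'}
```

A non-empty result from either function means the deployment has drifted from the model this page describes and the grant or role assignment should be reviewed in Entra ID before running the agent.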


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/device-troubleshooter/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
