Permissions

Overview

This page describes the permissions and access model for this agent. The agent uses read-only access to Microsoft Intune and Microsoft Entra ID data through the Microsoft Graph API. It is designed to help troubleshoot device-related issues such as enrollment failures, app deployment errors, or compliance inconsistencies without modifying any configurations.


How It Works

The agent connects securely to your tenant using Microsoft Graph API endpoints to gather Intune device data, configuration profiles, policy assignments, and diagnostic logs. It analyzes this information to identify potential causes of device management or enrollment issues and provides recommendations for remediation.

All interactions follow these principles:

  • Read-only access: The agent does not modify, create, or delete device configurations or policies.

  • Least privilege: Only the permissions required to read Intune device data are granted.

  • Transparency: All data access occurs through documented Graph API endpoints and can be audited within Microsoft Entra.


Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

Role               Description
-----------------  -------------------------------------------------------------------------------------------
Intune Reader      Provides read-only access to Intune device information, configurations, and compliance data.
Directory Reader   Grants read-only access to Entra ID user and device relationships.
Security Reader    Enables access to device compliance and security alert data for diagnostic purposes.

These roles are aligned with the principle of least privilege. Adjust role assignments as needed for your organization’s governance requirements.


Data Access Transparency

The following table outlines the data accessed by the agent and its purpose.

Data Type                              Access Level   Purpose
-------------------------------------  -------------  --------------------------------------------------------------------------
Device inventory and status            Read-only      To retrieve hardware, OS, and enrollment information for troubleshooting.
Configuration and compliance policies  Read-only      To analyze applied policies and identify misconfigurations.
App deployment and installation data   Read-only      To review app assignment, delivery status, and failure details.
Diagnostic logs and error codes        Read-only      To correlate error events and identify root causes.
User and group assignments             Read-only      To map device relationships and evaluate policy targeting.

Data handling:

  • The agent does not modify, delete, or export customer data outside the tenant boundary.

  • All access is limited to the Microsoft Graph API using delegated or application permissions.

  • All activity is recorded in Microsoft Entra audit logs for transparency and traceability.


Agent Usage

When running the agent, provide the required input to perform troubleshooting effectively.

Input Type   Description                 Example
-----------  --------------------------  -----------------------------
Required     Device ID or device name    "Troubleshoot device ABC123"
Optional     Issue description           "App won't install"
Optional     Error code or message       "0x87D1041C"
Optional     Time of issue occurrence    "2025-01-15T09:00Z"

Example Queries

  • "Troubleshoot device ABC123"

  • "Why won't device DESKTOP-XYZ enroll?"

  • "Analyze compliance issues for user john.doe's laptop"

  • "Why is app deployment failing on device DEV456?"

Ensure that the administrator account running the agent has all required roles assigned before use.


Security and Compliance Considerations

  • All communication with Microsoft Graph is encrypted using HTTPS and secured by Microsoft identity services.

  • The agent adheres to Microsoft’s zero trust and least privilege principles.

  • Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.
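One way to review those two controls before installing the agent, as an added example that is not part of the agent or this documentation: it checks that every Graph scope consented to the agent's service principal is read-only, and that the installing administrator holds the roles listed under Required Entra ID Roles. The sample JSON is constructed to mirror the shape of Graph's oauth2PermissionGrants and memberOf responses; the service-principal id is a placeholder.

```python
"""Least-privilege check for the agent's Graph access (added example, not the agent's code).
Sample JSON below is constructed to mirror Graph response shapes; swap in live calls to
GET /oauth2PermissionGrants and GET /me/memberOf when auditing a real tenant."""
import json

# Roles this page requires for the installing administrator.
REQUIRED_ROLES = {"Intune Reader", "Directory Reader", "Security Reader"}

# OpenID Connect sign-in scopes carry no directory data and are not write permissions.
SIGN_IN_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample: delegated consent grants for the agent's service principal.
SAMPLE_GRANTS = json.loads("""{"value": [
  {"clientId": "agent-sp-id-placeholder", "consentType": "AllPrincipals",
   "scope": "openid profile DeviceManagementManagedDevices.Read.All DeviceManagementConfiguration.Read.All"},
  {"clientId": "agent-sp-id-placeholder", "consentType": "Principal",
   "scope": "DeviceManagementApps.Read.All DeviceManagementConfiguration.ReadWrite.All"}
]}""")

# Constructed sample: directory roles (and one group) held by the installing administrator.
SAMPLE_MEMBER_OF = json.loads("""{"value": [
  {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Intune Reader"},
  {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Directory Reader"},
  {"@odata.type": "#microsoft.graph.group", "displayName": "Helpdesk"}
]}""")


def is_read_only(scope: str) -> bool:
    """A Graph permission is read-only when its verb segment is Read or ReadBasic."""
    if scope in SIGN_IN_SCOPES:
        return True
    parts = scope.split(".")
    return len(parts) >= 2 and parts[1] in {"Read", "ReadBasic"}


def write_scopes(grants: dict) -> list[str]:
    """Return every consented scope that allows more than reading, in the order seen."""
    found = []
    for grant in grants.get("value", []):
        for scope in grant.get("scope", "").split():
            if not is_read_only(scope) and scope not in found:
                found.append(scope)
    return found


def missing_roles(member_of: dict, required: set[str]) -> set[str]:
    """Return required directory roles the account does not hold (group memberships ignored)."""
    held = {m["displayName"] for m in member_of.get("value", [])
            if m.get("@odata.type") == "#microsoft.graph.directoryRole"}
    return required - held
```

A non-empty result from either function means the deployment drifts from the read-only, least-privilege model described above and should be corrected before the agent is run.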


Next Steps

  • Verify that the administrator account has all required roles assigned.

  • Review Intune device compliance and enrollment data to ensure proper visibility before troubleshooting.
