Unified Endpoint Management: Intune Integration - Granular Permissions

Unified Endpoint Management: Intune Integration - Granular Permissions

Starting with the Nerdio Managerv 6.0, Unified Endpoint Management (UEM) now supports granular permission assignment for Intune integration. When enabling Intune integration, customers can now assign only the permissions they require to achieve their desired management outcome.

Listed below are the management functions and the associated Azure API permissions that are requested for the Nerdio Manager application.

Note:Group and GroupMember permissions can be scoped to specific Entra ID groups if required, rather than assigning the permission globally. To achieve this, the Nerdio Manager application must be granted ownership on the required groups, and the management function listed below should be set to either READ or DISABLED.

For support in configuring group-specific management scenarios, please contact the Nerdio support team.

Management Functions - Details & Permissions

For each setting, the available configurations are:

  • Manage: Allow current functionality for all RBAC roles that support it (READ/WRITE).

  • Read: Limit all roles to only read this object type (READ).

  • Disabled: Hide the policy tab and all policy details for this object type (NO PERMISSION).

The specific individual functions and associated permissions are listed below.

Intune-Managed Devices

This function is used to list, read, and manage in-scope Intune devices within the console.

READ: Device.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementServiceConfig.Read.All

MANAGE: Device.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All

Group Membership

This function is used to list, read, and manage in-scope Entra ID group membership within the console.

READ: GroupMember.Read.All

MANAGE: GroupMember.ReadWrite.All

Privileged Operations

This function is used to list, read, and manage sensitive tasks within the console. This includes the ability to read Bitlocker keys (Intune service account required) and perform privileged operations, including Cloud PCs restart.

READ: BitlockerKey.Read.All

MANAGE: BitlockerKey.Read.All, DeviceManagementManagedDevices.PrivilegedOperations.All


This function is used to read Intune script assignments within the console.

Note: This permission is automatically applied if you enable Cloud PC read or MANAGE functionality.

READ: DeviceManagementConfiguration.Read.All

Cloud PC

This function is used to list, read, and manage in-scope Cloud PC devices within the console.

Note: Ensure that the Privileged Operations permission is also enabled to allow for Cloud PC restart tasks.

READ: CloudPC.Read.All, DeviceManagementConfiguration.Read.All

MANAGE: CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All

Conditional Access Policies

This function is used to list, read, and manage Conditional Access policies within the console.

READ: Policy.Read.All

MANAGE: Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Application.Read.All

Intune Applications and App Policies

This function is used to list, read, and manage Application policies and deployments within the console.

Note: Read permissions allow native Intune applications to be discovered. MANAGE permissions are required to allow for the deployment of UAM applications to Intune devices.

READ: DeviceManagementApps.Read.All

MANAGE: DeviceManagementApps.ReadWrite.All, Group.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All

Device Policies

This function is used to list, read, and manage all other policy types, including Compliance, Configuration, Security Baselines, and Windows Updates policies.

READ: DeviceManagementConfiguration.Read.All

MANAGE: DeviceManagementConfiguration.ReadWrite.All

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Comments (0 comments)

Please sign in to leave a comment.