Closed gokulan-ey closed 1 month ago
This is the complete list for all components:
AccessReview.Read.All
Agreement.Read.All
AppCatalog.Read.All
Application.Read.All
CloudPC.Read.All
ConsentRequest.Read.All
Device.Read.All
DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.Read.All
DeviceManagementRBAC.Read.All
DeviceManagementServiceConfig.Read.All
Directory.Read.All
Domain.Read.All
Organization.Read.All
Policy.Read.All
Policy.ReadWrite.AuthenticationMethod
Policy.ReadWrite.FeatureRollout
PrintConnector.Read.All
Printer.Read.All
PrinterShare.Read.All
PrintSettings.Read.All
PrivilegedAccess.Read.AzureAD
PrivilegedAccess.Read.AzureADGroup
PrivilegedAccess.Read.AzureResources
User.Read
When I check your list, I see especially the following missing, which are required in all cases:
Organization.Read.All
Device.Read.All
I'm trying the below:

```powershell
$clientID = "xxxxxx"
$clientSecret = "yyyyyy"
$secureClientSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$tenantID = "aaaaaaaaaaaaaa"
$token = Connect-M365Doc -ClientId $clientID -ClientSecret $secureClientSecret -TenantId $tenantID
$doc = Get-M365Doc -Components Intune -ExcludeSections "MobileAppDetailed"
```
The app used here has the following delegated permission scopes:
Device.Read.All
DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementManagedDevices.Read.All
DeviceManagementRBAC.Read.All
DeviceManagementServiceConfig.Read.All
Directory.Read.All
Group.Read.All
Organization.Read.All
User.Read
User.Read.All
However, I get an error message as below:

```
Used application does not have sufficiant permission to access: https://graph.microsoft.com/v1.0/organization
At C:\Program Files\WindowsPowerShell\Modules\M365Documentation\3.3.0\Internal\Helper\Invoke-DocGraph.ps1:62 char:13
+ CategoryInfo : OperationStopped: (Used applicatio....0/organization:String) [], RuntimeException
+ FullyQualifiedErrorId : Used application does not have sufficiant permission to access: https://graph.microsoft.
com/v1.0/organization
```
Any guidance to resolve this would be of real help, please.
Can you please clarify the minimum & complete list of permissions needed to collect/document a Microsoft Intune tenant? For example, with the below Graph API permissions, I still get a Forbidden message:
User.Read
User.Read.All
Group.Read.All
Directory.Read.All
DeviceManagementRBAC.Read.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementApps.ReadWrite.Al
DeviceManagementServiceConfig.Read.All
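
One way to check what an access token actually carries against the list in this thread, as an added example that is not part of the original posts or of the M365Documentation module: a token from a client-secret sign-in is app-only and lists its granted application permissions in the `roles` claim, while a delegated token lists its scopes in `scp`. The function names and the sample token are constructed for illustration, and treating `ReadWrite` as covering `Read` is an assumption.

```powershell
# Required Graph permissions, copied from the list in this thread.
$Required = @'
AccessReview.Read.All Agreement.Read.All AppCatalog.Read.All Application.Read.All
CloudPC.Read.All ConsentRequest.Read.All Device.Read.All DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All DeviceManagementManagedDevices.Read.All
DeviceManagementRBAC.Read.All DeviceManagementServiceConfig.Read.All Directory.Read.All
Domain.Read.All Organization.Read.All Policy.Read.All Policy.ReadWrite.AuthenticationMethod
Policy.ReadWrite.FeatureRollout PrintConnector.Read.All Printer.Read.All
PrinterShare.Read.All PrintSettings.Read.All PrivilegedAccess.Read.AzureAD
PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.Read.AzureResources User.Read
'@ -split '\s+'

# Hypothetical helper: decode the JWT payload and split permissions by claim type.
function Get-TokenPermission {
    param([Parameter(Mandatory)][string]$AccessToken)
    $part = $AccessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
    # Restore the padding that base64url encoding strips
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
    [pscustomobject]@{
        Application = @($claims.roles | Where-Object { $_ })         # app-only token
        Delegated   = @(if ($claims.scp) { $claims.scp -split ' ' }) # signed-in user token
    }
}

# Hypothetical helper: required permissions that the token does not carry.
function Get-MissingPermission {
    param([string[]]$Granted, [string[]]$Required)
    $Required | Where-Object {
        # Assumption: a granted X.ReadWrite.All also covers X.Read.All
        $_ -notin $Granted -and ($_ -replace '\.Read\.All$', '.ReadWrite.All') -notin $Granted
    }
}

# Constructed sample: an unsigned app-only payload, not a real token.
$json = '{"aud":"https://graph.microsoft.com","roles":["Directory.Read.All",' +
        '"DeviceManagementApps.ReadWrite.All","DeviceManagementRBAC.Read.All"]}'
$b64  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
$sampleToken = 'e30.' + $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_') + '.sig'

$perm = Get-TokenPermission -AccessToken $sampleToken
"Application (roles): $($perm.Application.Count), delegated (scp): $($perm.Delegated.Count)"
Get-MissingPermission -Granted ($perm.Application + $perm.Delegated) -Required $Required
```

If the `roles` count is zero for a token obtained with a client secret, the app registration has no consented application permissions, whatever delegated scopes it lists.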