
Heads up, developers and IT administrators! Microsoft has announced an important update regarding permissions for several Microsoft Graph APIs related to device management. To ensure your tools and scripts continue to function correctly, you will need to adopt new, more specific permissions.
This change is part of Microsoft’s ongoing effort to provide more granular control and enhance security within the Graph API ecosystem.
What’s Changing?
Two new DeviceManagement permissions have been introduced to replace older, broader permissions. If your applications or scripts call the affected endpoints, you must update them to use these new permissions.
Here is a summary of the changes:
- For Read-Only Access:
  - The old permission DeviceManagementConfiguration.Read.All is being replaced by the new permission DeviceManagementScripts.Read.All.
- For Read-Write Access:
  - The old permission DeviceManagementConfiguration.ReadWrite.All is being replaced by the new permission DeviceManagementScripts.ReadWrite.All.
Which API Calls Are Affected?
Access to the following Microsoft Graph API endpoints will require the new permissions:
- ~/deviceManagement/deviceShellScripts
- ~/deviceManagement/deviceHealthScripts
- ~/deviceManagement/deviceComplianceScripts
- ~/deviceManagement/deviceCustomAttributeShellScripts
- ~/deviceManagement/deviceManagementScripts
Important Deadline: Early September 2025
Currently, both the new DeviceManagementScripts permissions and the older DeviceManagementConfiguration permissions are functional. This provides a transition period for you to update your applications.
However, starting in early September 2025, the older permissions will be deprecated for these specific API calls. Any tools, scripts, or applications that have not been updated will fail to function.
We strongly recommend reviewing your Microsoft Entra ID app registrations and any custom scripts to update the required permissions well before the deadline to avoid any disruption.
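One way to start the script review is to scan the source text for calls to the affected endpoints and compare the scopes each file requests. The following is an added example, not Microsoft's tooling or code from the announcement; the function names, status labels, and sample scripts are constructed for illustration.

```python
import re

# Endpoint names and permission names below are the ones listed in the article.
AFFECTED = ("deviceShellScripts", "deviceHealthScripts", "deviceComplianceScripts",
            "deviceCustomAttributeShellScripts", "deviceManagementScripts")
REPLACEMENT = {
    "DeviceManagementConfiguration.Read.All": "DeviceManagementScripts.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All": "DeviceManagementScripts.ReadWrite.All",
}
CANON = {name.lower(): name for name in AFFECTED}
ENDPOINT_RE = re.compile(r"deviceManagement/(%s)\b" % "|".join(AFFECTED), re.IGNORECASE)
SCOPE_RE = re.compile(r"\bDeviceManagement(?:Configuration|Scripts)\.(?:ReadWrite|Read)\.All\b")


def audit_script(text):
    """Return None if the script never calls an affected endpoint, else a finding dict."""
    endpoints = sorted({CANON[m.group(1).lower()] for m in ENDPOINT_RE.finditer(text)})
    if not endpoints:
        return None  # old permission is still valid for every other endpoint
    scopes = set(SCOPE_RE.findall(text))
    # Strict one-to-one mapping from the article: each old scope needs its new twin.
    missing = sorted(new for old, new in REPLACEMENT.items()
                     if old in scopes and new not in scopes)
    if missing:
        status = "update-required"
    elif scopes & set(REPLACEMENT.values()):
        status = "ok"
    else:
        # No scope named in the file: permissions are granted elsewhere
        # (for example on the app registration), so review that instead.
        status = "review-app-registration"
    return {"endpoints": endpoints, "missing": missing, "status": status}


# Constructed sample scripts (not from the article) used to exercise the audit.
SAMPLES = {
    "legacy.ps1": 'Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"\n'
                  'Invoke-MgGraphRequest -Uri "$base/deviceManagement/deviceHealthScripts"',
    "migrated.ps1": 'Connect-MgGraph -Scopes "DeviceManagementScripts.ReadWrite.All"\n'
                    'Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/deviceShellScripts"',
    "unrelated.ps1": 'Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"\n'
                     'Invoke-MgGraphRequest -Uri "$base/deviceManagement/deviceConfigurations"',
    "app_only.py": 'requests.get(GRAPH + "/deviceManagement/deviceManagementScripts", headers=h)',
}


def audit_all(samples=SAMPLES):
    """Audit every sample and return {file name: finding or None}."""
    return {name: audit_script(text) for name, text in samples.items()}
```

Files that come back as review-app-registration request no scope themselves, so the permission change has to be made on the Microsoft Entra ID app registration they authenticate with.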
For More Information
For detailed guidance on how to implement these changes and manage API access, please refer to the official Microsoft documentation:
- How to use Microsoft Entra ID to access the Intune APIs in Microsoft Graph (Note: A placeholder link to the most relevant documentation has been used here.)
