# Understanding the DeviceManagementManagedApps.ReadWrite Permission

### Introduction

When reviewing application permissions in Microsoft Entra ID (formerly Azure AD), administrators may notice that Secure Contacts App (SCA) requests the **`DeviceManagementManagedApps.ReadWrite`** permission. At first glance this can look concerning: the name resembles the powerful Microsoft Graph permission **`DeviceManagementApps.ReadWrite.All`**, which grants tenant-wide read/write access to Intune app management data.

However, these two permissions belong to **entirely different contexts** and have **very different scopes and security implications**. This article explains what each permission does, why SCA needs `DeviceManagementManagedApps.ReadWrite`, and how it remains safely limited to app-specific operations.

### Summary of the Two Permissions

| Permission                                    | Context / Source (resource API)                                                              | Scope                                                                                                                                                      | Typical Use Case                                                                                                        |
| --------------------------------------------- | -------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| **DeviceManagementApps.ReadWrite.All**        | Microsoft Graph API                                                                          | Broad, tenant-wide read/write access to all Intune app management data (add, modify, delete and assign managed apps, app configurations and app protection policies). | Used by backend or admin tools that manage Intune applications or policies at the organization level.                   |
| **DeviceManagementManagedApps.ReadWrite**     | Microsoft Mobile Application Management service, the API called by the Intune App SDK (MAM SDK) | Narrow, app-level delegated access for Intune-enlightened (MAM-enabled) apps to manage **their own protected data and policy state** for the signed-in user. | Used by mobile apps that integrate the Intune App SDK to enforce Mobile Application Management (MAM) policies locally.   |

### Key Difference

The **DeviceManagementApps.ReadWrite.All** permission belongs to **Microsoft Graph** and is intended for **administrative control** of Intune apps across the tenant. It can create, delete and assign apps, app configurations and app protection policies, exists as both a delegated and an application permission, and requires admin consent, which makes it a **high-privilege permission**.

By contrast, **DeviceManagementManagedApps.ReadWrite** is a delegated permission exposed by the **Microsoft Mobile Application Management** service, the API that the **Intune App SDK** calls on behalf of the signed-in user.\
It allows the managed app itself to read or write its **own app management state** (e.g. fetching the user's app protection policy, applying data protection, responding to wipe requests).\
It **does not** provide access to other apps, Intune configurations, or any tenant-wide data, and because it is delegated rather than an application permission, it never acts without a signed-in user.

In short:

> 🔒 `DeviceManagementManagedApps.ReadWrite` (Microsoft Mobile Application Management) = App-local, user-specific\
> ⚙️ `DeviceManagementApps.ReadWrite.All` (Microsoft Graph) = Tenant-wide, admin-level

### Why SCA Needs `DeviceManagementManagedApps.ReadWrite`

SCA integrates the **Microsoft Intune App SDK** to provide secure, policy-driven behavior when used in an Intune-managed environment.\
The SDK acquires a token for the Microsoft Mobile Application Management service with the `DeviceManagementManagedApps.ReadWrite` scope in order to:

* Retrieve and apply the signed-in user's app protection policy (e.g. data transfer restrictions, cut/copy/paste settings, app PIN requirements)
* Synchronize the app's own compliance state and policy-driven encryption settings
* Respond to selective wipe or policy refresh commands that Intune issues for this app and user

These operations are **restricted to the app itself and to the signed-in user's policy data**; they **do not grant visibility or access to other devices, users, or configurations** in the organization.

### Security Note

* The `DeviceManagementManagedApps.ReadWrite` permission **does not** enable tenant-wide device or app management; that capability belongs to the Microsoft Graph permission `DeviceManagementApps.ReadWrite.All`.
* It is a delegated permission enforced by the Intune MAM service and scoped to **the signed-in user and the app instance**.
* When reviewing the consent request, confirm that the permission is listed under the **Microsoft Mobile Application Management** API in the app registration's API permissions, not under Microsoft Graph. The two names differ only by the word *Managed*, so judge the permission by the API it belongs to, not by its name alone.
* With that confirmed, admins can approve this permission knowing it only enables MAM functionality for SCA, not global Intune control.
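One way to make that check mechanical, as an added example that is not code from SCA or from Microsoft's documentation: the script below takes the JSON shapes Microsoft Graph returns for `GET /servicePrincipals` and `GET /oauth2PermissionGrants` and classifies every granted delegated scope by the resource API it was granted on, rather than by its name. The Microsoft Graph application ID is the well-known fixed value; the Microsoft Mobile Application Management application ID used here is an assumption of this example and should be confirmed against the resource shown in your own app registration. The service principal and grant records, including their object IDs, are constructed sample data.

```python
"""Classify delegated OAuth2 grants by resource API so a MAM scope is not
mistaken for a Microsoft Graph one (added example, not SCA or Microsoft code).

Input shapes follow the Microsoft Graph objects from
GET /servicePrincipals       -> id, appId, displayName
GET /oauth2PermissionGrants  -> clientId, consentType, principalId, resourceId, scope
"""
from dataclasses import dataclass

# Application (client) ID of the Microsoft Graph resource; identical in every tenant.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Application ID of the "Microsoft Mobile Application Management" API targeted by
# the Intune App SDK. Assumption of this example: confirm it against the API
# listed on your app registration's API permissions blade.
MAM_APP_ID = "0a5f63c0-b750-4f38-a71c-4fc0d58b89e2"

MAM_SDK_SCOPE = "DeviceManagementManagedApps.ReadWrite"

# Constructed sample data; object IDs and the two client appIds are placeholders.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "appId": GRAPH_APP_ID,
     "displayName": "Microsoft Graph"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "appId": MAM_APP_ID,
     "displayName": "Microsoft Mobile Application Management"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003",
     "appId": "bbbbbbbb-0000-0000-0000-000000000003", "displayName": "Secure Contacts App"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000004",
     "appId": "cccccccc-0000-0000-0000-000000000004", "displayName": "Intune Admin Tool"},
]
SAMPLE_GRANTS = [
    # SCA: the MAM SDK scope, admin-consented for all users in the tenant.
    {"clientId": "aaaaaaaa-0000-0000-0000-000000000003", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "aaaaaaaa-0000-0000-0000-000000000002",
     "scope": MAM_SDK_SCOPE},
    # An admin tool holding the lookalike Graph scope; 'scope' is space-separated.
    {"clientId": "aaaaaaaa-0000-0000-0000-000000000004", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "aaaaaaaa-0000-0000-0000-000000000001",
     "scope": "DeviceManagementApps.ReadWrite.All User.Read"},
]


@dataclass(frozen=True)
class Finding:
    client: str
    resource_api: str
    scope: str
    consent: str
    classification: str


def classify_scope(resource_app_id: str, scope: str) -> str:
    """Rate one delegated scope by the API it is granted on, not by its name."""
    if resource_app_id == MAM_APP_ID:
        if scope == MAM_SDK_SCOPE:
            return "app-scoped: MAM state of the signed-in user, this app only"
        return "MAM service scope: review manually"
    if resource_app_id == GRAPH_APP_ID and scope.startswith("DeviceManagement"):
        if ".ReadWrite." in scope or "PrivilegedOperations" in scope:
            return "tenant-wide Intune write: admin-level"
        return "tenant-wide Intune read"
    if scope.startswith("DeviceManagement"):
        return "DeviceManagement* scope on an unrecognised API: verify the resource"
    return "not Intune-related"


def review_grants(service_principals, grants):
    """Expand each grant into one Finding per scope, resolving IDs to names."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        client = by_id.get(grant["clientId"], {}).get("displayName", grant["clientId"])
        resource = by_id.get(grant["resourceId"], {})
        resource_app_id = resource.get("appId", "")
        resource_name = resource.get("displayName", grant["resourceId"])
        consent = grant["consentType"]
        if consent == "Principal":  # per-user consent records the user's object ID
            consent = f"Principal ({grant['principalId']})"
        for scope in grant["scope"].split():
            findings.append(Finding(client, resource_name, scope, consent,
                                    classify_scope(resource_app_id, scope)))
    return findings


def admin_level_findings(findings):
    """Only the grants that actually confer tenant-wide Intune write access."""
    return [f for f in findings if f.classification.startswith("tenant-wide Intune write")]


if __name__ == "__main__":
    for f in review_grants(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS):
        print(f"{f.client:22} {f.resource_api:40} {f.scope:40} {f.consent:14} {f.classification}")
```

Because the rule keys on the resource's `appId`, the SCA grant is reported as app-scoped while the similarly named Graph scope on the admin tool is the one flagged as admin-level. This pass covers delegated grants only; since `DeviceManagementApps.ReadWrite.All` also exists as an application permission, a full review should run a second pass over `servicePrincipals/{id}/appRoleAssignments` as well.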

### References

* **Microsoft Graph permissions reference** – [DeviceManagementApps.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference)
* **Microsoft Intune App SDK documentation** – [Get started with the Microsoft Intune App SDK](https://learn.microsoft.com/en-us/intune/intune-service/developer/app-sdk-get-started#give-your-app-access-to-the-intune-mobile-app-management-service)
* **Intune Graph API overview** – [Use the Intune Graph APIs](https://learn.microsoft.com/en-us/intune/intune-service/developer/intune-graph-apis)
