Understanding the DeviceManagementManagedApps.ReadWrite Permission
Introduction
When reviewing application permissions in Microsoft Entra ID (formerly Azure AD), administrators may notice that Secure Contacts App (SCA) requests the DeviceManagementManagedApps.ReadWrite permission. At first glance this can look concerning: the name resembles the high-privilege Microsoft Graph permission DeviceManagementApps.ReadWrite.All, which grants tenant-wide read/write access to Intune app management data.
However, the two permissions belong to different APIs (different resource applications in Entra ID) and have very different scopes and security implications. This article explains what each permission does, why SCA needs DeviceManagementManagedApps.ReadWrite, and why it remains limited to operations on the app's own data for the signed-in user.
Summary of the Two Permissions
DeviceManagementApps.ReadWrite.All
API: Microsoft Graph
Scope: Broad, tenant-wide read/write access to all Intune mobile app management data (add, modify, delete and assign managed apps and app protection policies).
Used by: backend services or admin tools that manage Intune applications or policies for the whole organization.
DeviceManagementManagedApps.ReadWrite
API: Microsoft Mobile Application Management (the Intune MAM service that the Intune App SDK talks to)
Scope: Narrow, delegated access that lets an Intune-enlightened (MAM-enabled) app read and write its own app management data for the signed-in user.
Used by: mobile apps that integrate the Intune App SDK to enforce Mobile Application Management (MAM) policy locally.
Key Difference
DeviceManagementApps.ReadWrite.All belongs to Microsoft Graph and is intended for administrative control of Intune apps across the tenant. It can create, delete and assign apps and app protection policies, which makes it a high-privilege permission; in its application (app-only) form it acts without any signed-in user at all.
By contrast, DeviceManagementManagedApps.ReadWrite belongs to the Microsoft Mobile Application Management API and is the permission the Intune App SDK uses. It allows the SDK inside the managed app to read and report that app's own management state for the signed-in user (retrieving data protection policy, acknowledging a selective wipe, syncing MAM policy data). It does not provide access to other apps, to Intune configuration, or to any tenant-wide data.
In short:
🔒 DeviceManagementManagedApps.ReadWrite = app-local, user-specific
⚙️ DeviceManagementApps.ReadWrite.All = tenant-wide, admin-level
Why SCA Needs DeviceManagementManagedApps.ReadWrite
SCA integrates the Microsoft Intune App SDK to provide secure, policy-driven behavior when used in an Intune-managed environment.
The SDK requires DeviceManagementManagedApps.ReadWrite to:
Retrieve and apply the user’s MAM policy (e.g. data protection, cut/copy/paste settings)
Synchronize compliance state and encryption data
Respond to selective wipe or policy refresh commands from Intune
These operations are restricted to the app itself and do not grant visibility or access to other devices, users, or configurations in the organization.
Security Note
The DeviceManagementManagedApps.ReadWrite permission does not enable tenant-wide device or app management. It is a delegated permission, enforced by the Intune MAM service and scoped to the signed-in user and the requesting app instance.
When reviewing the consent prompt or the app's API permissions blade, confirm that the permission is listed under the Microsoft Mobile Application Management API rather than under Microsoft Graph: a DeviceManagement* permission granted on Microsoft Graph is the tenant-wide kind. With that confirmed, admins can approve this permission knowing it only enables MAM functionality for the app, not global Intune control.
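The check above can be scripted. The following PowerShell is an added example written for this article; it is not code from SCA, from Microsoft, or from the original page. It lists every delegated and application permission a given enterprise application holds in your tenant together with the API (resource service principal) each one belongs to, and flags any DeviceManagement* permission that sits on Microsoft Graph. It assumes the Microsoft Graph PowerShell SDK is installed, that you can consent to Application.Read.All and DelegatedPermissionGrant.Read.All, and that the app's service principal display name is 'Secure Contacts App' (change it to match your tenant).

```powershell
# Added example (not SCA's or Microsoft's code): report an app's permissions per API.
# Assumptions: Microsoft Graph PowerShell SDK installed; the display name passed in
# matches the app's service principal in your tenant.

function Get-AppPermissionReport {
    param([Parameter(Mandatory)][string]$AppDisplayName)

    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" -All)
    if ($sp.Count -eq 0) { throw "No service principal named '$AppDisplayName' in this tenant." }
    if ($sp.Count -gt 1)  { throw "Multiple service principals match '$AppDisplayName'; filter on appId instead." }
    $sp = $sp[0]

    $graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
    $cache = @{}
    function Resolve-Resource([string]$Id) {
        # Resource service principals (Microsoft Graph, Microsoft Mobile Application
        # Management, ...) are looked up once and cached.
        if (-not $cache.ContainsKey($Id)) { $cache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id }
        $cache[$Id]
    }

    # 1. Delegated permissions (oauth2PermissionGrants). The Scope string is only
    #    meaningful relative to ResourceId, so the resource is resolved for every grant.
    foreach ($g in (Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)) {
        $res = Resolve-Resource $g.ResourceId
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            $def = $res.Oauth2PermissionScopes | Where-Object { $_.Value -eq $scope }
            [pscustomobject]@{
                Kind             = 'Delegated'
                Resource         = $res.DisplayName
                Permission       = $scope
                ConsentType      = $g.ConsentType            # 'AllPrincipals' = admin consented for all users
                AdminConsent     = ($def.Type -eq 'Admin')   # whether the API itself requires admin consent
                GraphIntuneScope = ($res.AppId -eq $graphAppId -and $scope -like 'DeviceManagement*')
            }
        }
    }

    # 2. Application (app-only) permissions (appRoleAssignments). There is no signed-in
    #    user behind these, so a DeviceManagement* role here is always tenant-wide.
    foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $res  = Resolve-Resource $a.ResourceId
        $role = $res.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{
            Kind             = 'Application'
            Resource         = $res.DisplayName
            Permission       = $role.Value
            ConsentType      = 'AllPrincipals'
            AdminConsent     = $true
            GraphIntuneScope = ($res.AppId -eq $graphAppId -and $role.Value -like 'DeviceManagement*')
        }
    }
}

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome
$report = Get-AppPermissionReport -AppDisplayName 'Secure Contacts App'
$report | Format-Table Kind, Resource, Permission, ConsentType, AdminConsent, GraphIntuneScope -AutoSize

# Rows flagged here are Intune permissions on Microsoft Graph (e.g. DeviceManagementApps.ReadWrite.All),
# the tenant-wide kind discussed above. For an app that only embeds the Intune App SDK, expect none;
# its DeviceManagementManagedApps.ReadWrite row should show Microsoft Mobile Application Management as the Resource.
$report | Where-Object GraphIntuneScope
```

The report distinguishes the two cases by the resource the grant is attached to, not by the permission name, because the name alone is what caused the confusion in the first place. If the resource display name for the MAM API differs in your tenant, match on the value shown in the app's API permissions blade instead.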
References
Microsoft Graph permissions reference – DeviceManagementApps.ReadWrite.All
Microsoft Intune App SDK documentation – Get started with the Microsoft Intune App SDK
Intune Graph API overview – Use the Intune Graph APIs