
# Understanding the DeviceManagementManagedApps.ReadWrite Permission

### Introduction

When reviewing application permissions in Microsoft Entra ID (Azure AD), administrators may notice that Secure Contacts App (SCA) requests the **`DeviceManagementManagedApps.ReadWrite`** permission. At first glance, this can look concerning — it resembles the powerful Microsoft Graph permission **`DeviceManagementApps.ReadWrite`**, which grants tenant-wide access to Intune app configurations.

However, these two permissions belong to **entirely different contexts** and have **very different scopes and security implications**. This article explains what each permission does, why SCA needs `DeviceManagementManagedApps.ReadWrite`, and how it remains safely limited to app-specific operations.

### Summary of the Two Permissions

| Permission                                | Context / Source               | Scope                                                                                                                                       | Typical Use Case                                                                                                   |
| ----------------------------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| **DeviceManagementApps.ReadWrite**        | Microsoft Graph API            | Broad, tenant-wide read/write access to all Intune app management data (e.g. add, modify, assign managed apps and app protection policies). | Used by backend or admin apps that manage Intune applications or policies at the organization level.               |
| **DeviceManagementManagedApps.ReadWrite** | Microsoft Intune SDK (MAM SDK) | Narrow, app-level access for Intune-enlightened (MAM-enabled) apps to manage **their own protected data** for the signed-in user.           | Used by mobile apps that integrate the Intune SDK to enforce Mobile Application Management (MAM) policies locally. |

### Key Difference

The **DeviceManagementApps.ReadWrite** permission belongs to **Microsoft Graph**, and is intended for **administrative control** of Intune apps across the tenant. It can create, delete, and assign apps and policies — making it a **high-privilege permission**.

By contrast, **DeviceManagementManagedApps.ReadWrite** belongs to the **Intune Mobile Application Management (MAM) SDK**.\
It allows the managed app itself to read or write its **own app management state** (e.g. applying data protection, responding to wipe requests, or syncing MAM policy data).\
It **does not** provide access to other apps, Intune configurations, or any tenant-wide data.

In short:

> 🔒 `DeviceManagementManagedApps.ReadWrite` = App-local, user-specific\
> ⚙️ `DeviceManagementApps.ReadWrite` = Tenant-wide, admin-level

### Why SCA Needs `DeviceManagementManagedApps.ReadWrite`

SCA integrates the **Microsoft Intune App SDK** to provide secure, policy-driven behavior when used in an Intune-managed environment.\
The SDK requires `DeviceManagementManagedApps.ReadWrite` to:

* Retrieve and apply the user’s MAM policy (e.g. data protection, cut/copy/paste settings)
* Synchronize compliance state and encryption data
* Respond to selective wipe or policy refresh commands from Intune

These operations are **restricted to the app itself** and **do not grant visibility or access to other devices, users, or configurations** in the organization.

### Security Note

* The `DeviceManagementManagedApps.ReadWrite` permission **does not** enable tenant-wide device or app management.
* It is enforced by the Intune MAM service and scoped to **the current user and the app instance**.
* Admins can safely approve this permission knowing it only enables secure MAM functionality, not global Intune control.
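To confirm this distinction in your own tenant, the following Microsoft Graph PowerShell script (an added example, not part of this page or of SCA's own tooling) lists every delegated permission grant that names either scope and shows which resource API it is actually against, using Graph's well-known application ID so that a `DeviceManagementManagedApps.ReadWrite` grant is reported against the Intune MAM resource rather than Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can consent to the two read-only scopes below; the tenant-wide Graph permission appears under its full name `DeviceManagementApps.ReadWrite.All`, as in the References.

```powershell
# Added audit example; assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All"

# Well-known application ID of Microsoft Graph; any other resource is not Graph.
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$ScopesOfInterest = @(
    "DeviceManagementApps.ReadWrite.All",     # Graph: tenant-wide Intune app management
    "DeviceManagementManagedApps.ReadWrite"   # Intune MAM SDK: app-local, per-user state
)

# Cache service principal lookups so each client/resource is resolved once.
$spCache = @{}
function Get-SpInfo([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id -Property DisplayName,AppId
    }
    return $spCache[$Id]
}

# Delegated grants store the consented scopes as one space-separated string.
$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }
    foreach ($scope in $scopes) {
        if ($ScopesOfInterest -notcontains $scope) { continue }
        $client   = Get-SpInfo $grant.ClientId
        $resource = Get-SpInfo $grant.ResourceId
        $isGraph  = ($resource.AppId -eq $GraphAppId)
        [pscustomobject]@{
            ClientApp   = $client.DisplayName
            Scope       = $scope
            ResourceApi = $resource.DisplayName      # e.g. the Intune MAM service, not Graph
            IsGraph     = $isGraph
            ConsentType = $grant.ConsentType         # AllPrincipals = admin consent for all users
            RiskClass   = $(if ($isGraph -and $scope.EndsWith(".All")) { "tenant-wide" }
                            else { "app-local" })
        }
    }
}

# Tenant-wide Graph grants sort first so they get reviewed before the app-local ones.
$report | Sort-Object IsGraph -Descending | Format-Table -AutoSize
```

Any row where `IsGraph` is `True` is a Microsoft Graph grant and deserves the scrutiny described for `DeviceManagementApps.ReadWrite`; SCA's grant should appear with `IsGraph` `False` against the Intune MAM resource.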

### References

* **Microsoft Graph permissions reference** – [DeviceManagementApps.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference)
* **Microsoft Intune App SDK documentation** – [Get started with the Microsoft Intune App SDK](https://learn.microsoft.com/en-us/intune/intune-service/developer/app-sdk-get-started#give-your-app-access-to-the-intune-mobile-app-management-service)
* **Intune Graph API overview** – [Use the Intune Graph APIs](https://learn.microsoft.com/en-us/intune/intune-service/developer/intune-graph-apis)

