Intune App Deployment via API - Restricting scope of access

Amal Syed 60 Reputation points
2025-10-24T18:33:59.9466667+00:00

I am trying to automate deployments of Android / iOS applications to Intune via CI/CD. For this, I am creating a Service Principal which needs to have access to the permissions below in the Graph API:
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementApps.ReadWrite.All

as documented in https://v4.hkg1.meaqua.org/en-us/graph/api/intune-apps-managedandroidlobapp-update?view=graph-rest-1.0

My question is, is there a way to scope or limit these permissions to specific existing applications, instead of granting full access across all apps?

Essentially, I’d like to avoid using a single highly privileged account and instead create separate Service Principals with restricted access for each application.

Is this possible?


Microsoft Security | Intune | Other

1 answer

  1. Prathista Ilango 745 Reputation points Microsoft Employee
    2025-11-21T14:30:26.67+00:00

    Hello Amal Syed,

    Unfortunately, there isn't a way to manage Graph permissions at a per-app level as of today.

    The closest workaround I can think of is to use separate service principals for each CI/CD pipeline to isolate them.

    Hope that helps!

    If you found the information above helpful, please click Yes. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

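Since the permissions cannot be scoped per app, the control that remains is verifying that each per-pipeline service principal from the workaround above holds exactly the two permissions the question lists and is not shared between pipelines. The audit below is an added example, not code from the question, the answer or Microsoft; it assumes the appRoleAssignments and the Graph service principal's appRoles have already been fetched, and the role ids, principal names and pipeline names are constructed placeholders.

```python
"""Least-privilege audit for per-pipeline Intune deployment service principals.
Shapes follow Microsoft Graph: appRoleAssignments carry an appRoleId, and the Graph
resource service principal's appRoles map id -> value (the permission name)."""
from dataclasses import dataclass

# The two application permissions the question says each deployment principal needs.
REQUIRED = frozenset({"DeviceManagementConfiguration.ReadWrite.All",
                      "DeviceManagementApps.ReadWrite.All"})

# Constructed placeholder ids standing in for the real appRole ids on the Graph SP.
ROLE_CONF, ROLE_APPS, ROLE_DIR = "role-conf-0001", "role-apps-0002", "role-dir-0003"
GRAPH_APP_ROLES = [
    {"id": ROLE_CONF, "value": "DeviceManagementConfiguration.ReadWrite.All"},
    {"id": ROLE_APPS, "value": "DeviceManagementApps.ReadWrite.All"},
    {"id": ROLE_DIR, "value": "Directory.ReadWrite.All"},
]

@dataclass
class Principal:
    display_name: str
    app_role_assignments: list   # dicts with "appRoleId", as Graph returns them
    pipelines: tuple             # CI/CD pipelines holding this principal's credential

def resolve_permissions(assignments, app_roles=GRAPH_APP_ROLES):
    """Map appRoleId values to permission names; unknown ids are kept verbatim."""
    by_id = {r["id"]: r["value"] for r in app_roles}
    return frozenset(by_id.get(a["appRoleId"], a["appRoleId"]) for a in assignments)

def audit(principals):
    """Return {display_name: [findings]}; an empty list means the principal is compliant."""
    report = {}
    for sp in principals:
        granted = resolve_permissions(sp.app_role_assignments)
        issues = []
        if REQUIRED - granted:
            issues.append("missing: " + ", ".join(sorted(REQUIRED - granted)))
        if granted - REQUIRED:
            issues.append("over-privileged: " + ", ".join(sorted(granted - REQUIRED)))
        if len(sp.pipelines) != 1:
            issues.append(f"shared by {len(sp.pipelines)} pipelines, expected exactly one")
        report[sp.display_name] = issues
    return report

# Constructed sample: one compliant principal, one over-privileged, one shared and incomplete.
SAMPLE = [
    Principal("sp-android-release", [{"appRoleId": ROLE_CONF}, {"appRoleId": ROLE_APPS}], ("android",)),
    Principal("sp-ios-release", [{"appRoleId": r} for r in (ROLE_CONF, ROLE_APPS, ROLE_DIR)], ("ios",)),
    Principal("sp-shared", [{"appRoleId": ROLE_APPS}], ("android", "ios")),
]
```

Running `audit(SAMPLE)` flags the iOS principal for the extra directory permission and the shared principal for both its missing permission and its use by two pipelines.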
