MC1107490: Reminder: Updates to required permissions for Microsoft Graph Beta API deviceManagement
Starting July 31, 2025, certain Microsoft Graph Beta APIs will require either DeviceManagementScripts.Read.All or DeviceManagementScripts.ReadWrite.All permissions. Previously, they required DeviceManagementConfiguration.ReadWrite.All or DeviceManagementConfiguration.Read.All. Update any apps, sc...
As mentioned in MC1066336, starting July 31, 2025, or soon after, the following Graph APIs will require either DeviceManagementScripts.Read.All or DeviceManagementScripts.ReadWrite.All permissions to continue working:
- ~/deviceManagement/deviceShellScripts
- ~/deviceManagement/deviceHealthScripts
- ~/deviceManagement/deviceComplianceScripts
- ~/deviceManagement/deviceCustomAttributeShellScripts
- ~/deviceManagement/deviceManagementScripts
How this will affect your organization:
Previously, these Graph APIs required granting either DeviceManagementConfiguration.ReadWrite.All or DeviceManagementConfiguration.Read.All permissions. If you have any enterprise applications, scripts or other tools that have been granted these permissions they will need to be updated in order to continue calling the listed Graph APIs.
What you need to do to prepare:
Ensure any apps, scripts, or tooling that reference the listed Graph APIs include either DeviceManagementScripts.Read.All or DeviceManagementScripts.ReadWrite.All permissions and remove the old permissions: DeviceManagementConfiguration.ReadWrite.All or DeviceManagementConfiguration.Read.All.
For detailed instructions for updating permissions for applications, refer to: Update an app's requested permissions in Microsoft Entra ID
- If you are an independent software vendor or partner with an application deployed in your customer environments that needs updating, review Grant consent for the added permissions for the enterprise application