Grant API permissions

EndpointOps needs several API permissions to operate. Missing permissions cause noticeable issues and limitations in EndpointOps.

  1. Navigate to API permissions
  2. Click on Add a permission
  3. Add all permissions with the correct type (Application vs. Delegated) listed below
  4. Click on Grant admin consent

Some permission assignments can be omitted if the usage of the feature is not required.


| API / Permissions name | Type | Feature |
| --- | --- | --- |
| Device.ReadWrite.All | Application | Required, Helpdesk lookups and deletion of Azure Device registrations after retirement of Intune managed devices |
| DeviceLocalCredential.Read.All | Application | Only required for the LAPS feature |
| DeviceManagementApps.ReadWrite.All | Application | ReadWrite for Managed Apps Sign-out, ReadOnly for Helpdesk lookups |
| DeviceManagementConfiguration.Read.All | Application | Required, Helpdesk lookups |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Application | Required, Wipe, Retire, ResetPasscode, RemoteLock, ... |
| DeviceManagementManagedDevices.ReadWrite.All | Application | Required, Delete managed device records |
| DeviceManagementServiceConfig.ReadWrite.All | Application | Required, Sync Device action, manage corporate device identifier |
| Directory.Read.All | Application | Required, User Scope assignment |
| Group.Read.All | Application | Required, User Scope assignment |
| offline_access | Delegated | Required, login |
| openid | Delegated | Required, login |
| Presence.Read.All | Delegated | Only required for Teams-State lookups in the Helpdesk role |
| profile | Delegated | Required, login |
| User.Read | Delegated | Required, login |
| User.ReadWrite.All | Application | ReadWrite for PasswordReset, ReadOnly for Helpdesk lookups |
| UserAuthenticationMethod.ReadWrite.All | Application | ReadWrite for MFA creation/update, ReadOnly for Helpdesk lookups |
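
To confirm that admin consent took effect and that nothing beyond the needed permissions was granted, the following added example (not EndpointOps code) compares the `roles` claim of an app-only access token with the Application rows of the table above. The feature keys, function names and the sample-token helper are assumptions made for illustration, as is reading "ReadOnly" as the `.Read.All` variant of the permission.

```python
import base64
import json

# Application-type rows marked "Required" in the table above.
REQUIRED = {
    "Device.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Directory.Read.All",
    "Group.Read.All",
}
# Feature-scoped rows; the feature keys are hypothetical names for this example.
FEATURE_PERMS = {
    "laps": "DeviceLocalCredential.Read.All",
    "managed_apps_signout": "DeviceManagementApps.ReadWrite.All",
    "password_reset": "User.ReadWrite.All",
    "mfa_management": "UserAuthenticationMethod.ReadWrite.All",
}

def token_roles(jwt):
    """Return the 'roles' claim of an app-only token (signature NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def expected_permissions(features):
    expected = set(REQUIRED)
    for feature, perm in FEATURE_PERMS.items():
        if feature in features:
            expected.add(perm)
        elif perm.endswith(".ReadWrite.All"):
            # Assumption: "ReadOnly" in the table means the .Read.All variant.
            expected.add(perm.replace(".ReadWrite.All", ".Read.All"))
    return expected

def audit(jwt, features):
    granted, expected = token_roles(jwt), expected_permissions(features)
    # Assumption: a granted .ReadWrite.All also satisfies a .Read.All need.
    covered = granted | {p.replace(".ReadWrite.All", ".Read.All") for p in granted}
    return {"missing": sorted(expected - covered),
            "excess": sorted(granted - expected)}

def make_sample_token(roles):  # constructed, unsigned token for offline tests
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"roles": sorted(roles)}), "sig"])
```

An entry under `missing` points at a permission or consent that was not granted; an entry under `excess` is a permission that can be removed or downgraded for the enabled feature set.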