What permissions does Robopack require to work with Intune?

What permissions does Robopack require to work with Intune?


 Permissions needed for the Robopack Intune integration, Connect Tenant (Admin Consent) 


  

Permission 

Required 

Purpose 



Graph
Organization.Read.All
Yes
Connect Azure tenants (required for all 
Intune operations in Robopack) 
Graph
DeviceManagementApps.ReadWrite.All
Yes
Import packages to Intune
Graph
DeviceManagementConfiguration.Read.All
Yes
Read deployment status for apps, reports
Graph
Device.Read.All
No
Improve lookup for Radar Tracking
Graph
Group.ReadWrite.All
No
Create security groups on package import 
and assign devices in Radar Tracking
Graph
DeviceManagementServiceConfig.ReadWrite.All
No
Migrate Autopilot configuration for upgraded packages
Graph
DeviceManagementManagedDevices.Read.All 
No
Radar, Device debugging and licensing

Organization.Read.All
Used for reading information on connected tenants including name, domain name and branding information such as the Tenant logo.

DeviceManagementApps.ReadWrite.All
Used for creating new applications in Intune, either as manual imports or as new versions uploaded from a patch flow.

DeviceManagementConfiguration.Read.All
Used for reading the deployment status of applications in order for Robopack to monitor the progress of deployments and raise errors or move to the next deployment wave.

DeviceManagementServiceConfig.ReadWrite.All
When an application created by Robopack is added to an Enrollment Status Page as an required app for an Autopilot deployment, granting this permissions lets Robopack automatically replace older versions with newer ones when they are uploaded by Robopack as part of a patch flow.

Group.ReadWrite.All
The read permission for groups is used by Robopack when creating deployment flows, allowing you to search through and pick out groups to be used for assignment of software. The write permission is used when instructing Robopack, in a deployment flow, to create a new assignment group for a deployment - as well as being used by Radar Tracking to create the groups it uses.

DeviceManagementManagedDevices.Read.All
Device.Read.All
These permissions are needed by Robopack for the Radar Tracking feature, which finds devices with apps that are not up-to-date and updates them. The Device.Read.All permission isn't strictly necessary for this feature to work, but errors are often experienced patching some devices if it is not granted.

    • Related Articles

    • Robopack Trial Guide

      Robopack Trial Guide Welcome to the Robopack Trial! This form is designed to ensure you get the most out of your Robopack trial. By filling out this form and testing features listed in this guide, we can ensure that you experience the full range of ...

    • Rolebased Access Control and Permissions

      Robopack permissions and roles Overview Robopack supports limiting access to areas of the product and to Intune tenants. This document describes the ways in which users can sign in to Robopack and how their access can be managed. User account types ...

    • How to get started with Robopack

      1. Create a Robopack account You can request a trial at www.robopack.com or go directly to the signup page at https://app.robopack.com/trial You can use your Microsoft Entra ID to sign in or choose an email/password account. If you use the ...

    • Completely Automated App Updates for Microsoft Intune!

      Keep your Microsoft Intune apps up to date effortlessly with Robopack and its powerful RoboPatch feature! In this video, we walk you through how to completely automate application updates using Robopack. Learn how to streamline your Intune software ...

    • You can deploy Microsoft Intune apps with just a few clicks - here's how

      Streamline your app deployment process with Robopack's Instant Apps. With just a few clicks, you can effortlessly deploy applications to Microsoft Intune, saving time and reducing complexity for IT admins and organizations. Key features: Simplify app ...