Application Permission vs. Azure AD Roles

Engineering Admin 1 Reputation point
2021-12-02T10:51:55.433+00:00

Hello Everyone,

I stumbled upon https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/952 and wanted to ask for confirmation.

So my app is basically a clean-up app. I tried to achieve everything with Application Permissions but encountered a "Forbidden" when deleting an Azure AD device.
It seems that application-based permissions are not supported here.

Would this be a scenario where the "Cloud Device Administrator" role has to be added as well?

Thanks in advance,
Axel

Microsoft Graph

1 answer

  1. CarlZhao-MSFT 36,891 Reputation points
    2021-12-03T05:52:51.967+00:00

    Hi @Engineering Admin

    Yes, as you suspected, deleting a device requires the Cloud Device Administrator role, so you must sign in as a user who has been granted this role; application permissions are not supported.

    Deleting a managed device does not require the Cloud Device Administrator role, so application permissions without user involvement are supported.


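The split described in the answer, as an added PowerShell example that is not part of the original thread or of the Microsoft Graph SDK: the Azure AD device object is deleted under a delegated sign-in by a user who holds the Cloud Device Administrator role, while the Intune managed-device record is deleted with app-only (certificate) authentication, which is what an unattended clean-up job wants. The tenant ID, app ID, certificate thumbprint and device name are placeholders. Graph permission tables change over time, so check the current "Delete device" reference before relying on this split in production.

```powershell
# Added example, not code from the thread. Placeholders below are assumptions.
$TenantId       = "00000000-0000-0000-0000-000000000000"
$ClientId       = "11111111-1111-1111-1111-111111111111"
$CertThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"
$DeviceName     = "STALE-PC-01"

# --- Path 1: Azure AD device object (DELETE /devices/{id}) ---
# Per the answer this needs a signed-in user holding Cloud Device Administrator,
# so authenticate interactively (delegated), not as the app.
Connect-MgGraph -TenantId $TenantId -Scopes "Device.ReadWrite.All","Directory.Read.All"

# Check 1: make sure we really are in a delegated context before trying the delete.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'Delegated') {
    throw "Azure AD device deletion needs a delegated sign-in; current AuthType is $($ctx.AuthType)"
}

# Check 2: confirm the signed-in user is an active member of Cloud Device Administrator.
# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$me   = Get-MgUser -UserId $ctx.Account
$role = Get-MgDirectoryRole -Filter "displayName eq 'Cloud Device Administrator'"
$isMember = $false
if ($role) {
    $isMember = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id).Id -contains $me.Id
}
if (-not $isMember) {
    Write-Warning "$($ctx.Account) is not a direct member of Cloud Device Administrator; expect 403 Forbidden"
}

$device = Get-MgDevice -Filter "displayName eq '$DeviceName'"
if ($device) {
    try {
        Remove-MgDevice -DeviceId $device.Id -ErrorAction Stop
        Write-Host "Deleted Azure AD device $($device.DisplayName) ($($device.Id))"
    }
    catch {
        # A 403 here is the symptom from the question: wrong auth type or missing role.
        Write-Warning "Azure AD device delete failed: $($_.Exception.Message)"
    }
}
Disconnect-MgGraph | Out-Null

# --- Path 2: Intune managed device (DELETE /deviceManagement/managedDevices/{id}) ---
# Works with the application permission DeviceManagementManagedDevices.ReadWrite.All,
# so certificate-based app-only auth is fine for an unattended job.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertThumbprint

if ((Get-MgContext).AuthType -ne 'AppOnly') {
    throw "Expected an app-only context for the managed-device clean-up"
}

$managed = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'"
foreach ($m in $managed) {
    Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $m.Id -ErrorAction Stop
    Write-Host "Deleted managed device $($m.DeviceName) ($($m.Id))"
}
Disconnect-MgGraph | Out-Null
```

Keep the two paths in separate sessions as shown: `Connect-MgGraph` replaces the current context, so a script that silently reused an app-only token for the first path would hit exactly the "Forbidden" the question describes. The role-membership check only sees direct members; a user who receives the role through PIM activation or a role-assignable group will still succeed even when the warning fires.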