New Microsoft Graph permissions for API calls to device management endpoints
Week of July 28, 2025
Device management
New Microsoft Graph permissions for API calls to device management endpoints
Calls to several Microsoft Graph APIs now require one of two newer DeviceManagement permissions that replace the use of previously supported permissions. The following are the two new permissions and the original permissions that the new permissions replace:
- DeviceManagementScripts.Read.All - This new permission replaces use of DeviceManagementConfiguration.Read.All
- DeviceManagementScripts.ReadWrite.All - This new permission replaces use of the DeviceManagementConfiguration.ReadWrite.All
Access to the following Microsoft Graph API calls now require use the new permissions: - ~/deviceManagement/deviceShellScripts
- ~/deviceManagement/deviceHealthScripts
- ~/deviceManagement/deviceComplianceScripts
- ~/deviceManagement/deviceCustomAttributeShellScripts
- ~/deviceManagement/deviceManagementScripts
Currently both the DeviceManagementScripts and the older DeviceManagementConfiguration permissions remain functional. However, in early September 2025, tools and scripts that rely on the older permissions to access the listed APIs will fail to function.