Microsoft Endpoint Manager roles and permissions

Role	Permission	Description
Microsoft Endpoint Manager Apps Reader Can read all Microsoft Endpoint Manager Command Blocks.	command.category.read	Can read all corresponding Command Block categories
	command.cmdendpointmanager.apps.read	Can read all Microsoft Endpoint Manager Apps Command Blocks and jobs
	command.jobs.read	Can read related Command Block jobs
	command.read	Can read all related Command Blocks
	organization.readbasic	Can read all basic organization properties (list)
	report.accesstoken.read	Can read Power BI report access token (list)
	report.read	Can read Power BI reports (list)
	user.read	Can read all properties of a user (details)
	user.readbasic	Can read all basic user properties (list)
Microsoft Endpoint Manager Apps Writer Can read and execute all Microsoft Endpoint Manager Command Blocks.	command.category.read	Can read all corresponding Command Block categories
	command.cmdendpointmanager.apps.read	Can read all Microsoft Endpoint Manager Apps Command Blocks and jobs
	command.cmdendpointmanager.apps.write	Can write all Microsoft Endpoint Manager Apps Command Blocks and jobs
	command.jobs.read	Can read related Command Block jobs
	command.read	Can read all related Command Blocks
	organization.readbasic	Can read all basic organization properties (list)
	report.accesstoken.read	Can read Power BI report access token (list)
	report.read	Can read Power BI reports (list)
	user.read	Can read all properties of a user (details)
	user.readbasic	Can read all basic user properties (list)
Microsoft Endpoint Manager Device Configuration And Policies Reader Can read all Microsoft Endpoint Manager Command Blocks.	command.category.read	Can read all corresponding Command Block categories
	command.cmdendpointmanager.configpolicies.read	Can read all Microsoft Endpoint Manager Config Policies Command Blocks and jobs
	command.jobs.read	Can read related Command Block jobs
	command.read	Can read all related Command Blocks
	organization.readbasic	Can read all basic organization properties (list)
	report.accesstoken.read	Can read Power BI report access token (list)
	report.read	Can read Power BI reports (list)
	user.read	Can read all properties of a user (details)
	user.readbasic	Can read all basic user properties (list)
Microsoft Endpoint Manager Device Configuration And Policies Writer Can read and execute all Microsoft Endpoint Manager Command Blocks.	command.category.read	Can read all corresponding Command Block categories
	command.cmdendpointmanager.configpolicies.read	Can read all Microsoft Endpoint Manager Config Policies Command Blocks and jobs
	command.cmdendpointmanager.configpolicies.write	Can write all Microsoft Endpoint Manager Config Policies Command Blocks and jobs
	command.jobs.read	Can read related Command Block jobs
	command.read	Can read all related Command Blocks
	organization.readbasic	Can read all basic organization properties (list)
	report.accesstoken.read	Can read Power BI report access token (list)
	report.read	Can read Power BI reports (list)
	user.read	Can read all properties of a user (details)
	user.readbasic	Can read all basic user properties (list)
Microsoft Endpoint Manager Device Reader Can read all Microsoft Endpoint Manager Command Blocks.	command.category.read	Can read all corresponding Command Block categories
	command.cmdendpointmanager.device.read	Can read all Microsoft Endpoint Manager Device Command Blocks and jobs
	command.jobs.read	Can read related Command Block jobs
	command.read	Can read all related Command Blocks
	organization.readbasic	Can read all basic organization properties (list)
	report.accesstoken.read	Can read Power BI report access token (list)
	report.read	Can read Power BI reports (list)
	user.read	Can read all properties of a user (details)
	user.readbasic	Can read all basic user properties (list)
Microsoft Endpoint Manager Device Writer Can read and execute all Microsoft Endpoint Manager Command Blocks.	command.category.read	Can read all corresponding Command Block categories
	command.cmdendpointmanager.device.read	Can read all Microsoft Endpoint Manager Device Command Blocks and jobs
	command.cmdendpointmanager.device.write	Can write all Microsoft Endpoint Manager Device Command Blocks and jobs
	command.jobs.read	Can read related Command Block jobs
	command.read	Can read all related Command Blocks
	organization.readbasic	Can read all basic organization properties (list)
	report.accesstoken.read	Can read Power BI report access token (list)
	report.read	Can read Power BI reports (list)
	user.read	Can read all properties of a user (details)
	user.readbasic	Can read all basic user properties (list)
Microsoft Endpoint Manager RBAC Settings Reader Can read all Microsoft Endpoint Manager Command Blocks.	command.category.read	Can read all corresponding Command Block categories
	command.cmdendpointmanager.rbacsettings.read	Can read all Microsoft Endpoint Manager RBAC Settings Command Blocks and jobs
	command.jobs.read	Can read related Command Block jobs
	command.read	Can read all related Command Blocks
	organization.readbasic	Can read all basic organization properties (list)
	report.accesstoken.read	Can read Power BI report access token (list)
	report.read	Can read Power BI reports (list)
	user.read	Can read all properties of a user (details)
	user.readbasic	Can read all basic user properties (list)
Microsoft Endpoint Manager RBAC Settings Writer Can read and execute all Microsoft Endpoint Manager Command Blocks.	command.category.read	Can read all corresponding Command Block categories
	command.cmdendpointmanager.rbacsettings.read	Can read all Microsoft Endpoint Manager RBAC Settings Command Blocks and jobs
	command.cmdendpointmanager.rbacsettings.write	Can write all Microsoft Endpoint Manager RBAC Settings Command Blocks and jobs
	command.jobs.read	Can read related Command Block jobs
	command.read	Can read all related Command Blocks
	organization.readbasic	Can read all basic organization properties (list)
	report.accesstoken.read	Can read Power BI report access token (list)
	report.read	Can read Power BI reports (list)
	user.read	Can read all properties of a user (details)
	user.readbasic	Can read all basic user properties (list)

Platform roles dictionary

Updated: Feb 29, 2024

Microsoft Endpoint Manager roles and permissions

Related articles