Microsoft Endpoint Manager roles and permissions
Cloud Commander will be decommissioned and stop functioning on May 13, 2026. You can use the product until that date.
Review and update workflows to remove any dependencies before the product is decommissioned.
Support, bug fixes, and security patches will be available until April 13, 2026.
| Role | Permission | Description |
|---|---|---|
| Microsoft Endpoint Manager Apps Reader<br>Can read all Microsoft Endpoint Manager Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdendpointmanager.apps.read | Can read all Microsoft Endpoint Manager Apps Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Microsoft Endpoint Manager Apps Writer<br>Can read and execute all Microsoft Endpoint Manager Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdendpointmanager.apps.read | Can read all Microsoft Endpoint Manager Apps Command Blocks and jobs |
| | command.cmdendpointmanager.apps.write | Can write all Microsoft Endpoint Manager Apps Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Microsoft Endpoint Manager Device Configuration And Policies Reader<br>Can read all Microsoft Endpoint Manager Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdendpointmanager.configpolicies.read | Can read all Microsoft Endpoint Manager Config Policies Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Microsoft Endpoint Manager Device Configuration And Policies Writer<br>Can read and execute all Microsoft Endpoint Manager Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdendpointmanager.configpolicies.read | Can read all Microsoft Endpoint Manager Config Policies Command Blocks and jobs |
| | command.cmdendpointmanager.configpolicies.write | Can write all Microsoft Endpoint Manager Config Policies Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Microsoft Endpoint Manager Device Reader<br>Can read all Microsoft Endpoint Manager Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdendpointmanager.device.read | Can read all Microsoft Endpoint Manager Device Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Microsoft Endpoint Manager Device Writer<br>Can read and execute all Microsoft Endpoint Manager Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdendpointmanager.device.read | Can read all Microsoft Endpoint Manager Device Command Blocks and jobs |
| | command.cmdendpointmanager.device.write | Can write all Microsoft Endpoint Manager Device Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Microsoft Endpoint Manager RBAC Settings Reader<br>Can read all Microsoft Endpoint Manager Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdendpointmanager.rbacsettings.read | Can read all Microsoft Endpoint Manager RBAC Settings Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Microsoft Endpoint Manager RBAC Settings Writer<br>Can read and execute all Microsoft Endpoint Manager Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdendpointmanager.rbacsettings.read | Can read all Microsoft Endpoint Manager RBAC Settings Command Blocks and jobs |
| | command.cmdendpointmanager.rbacsettings.write | Can write all Microsoft Endpoint Manager RBAC Settings Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
Updated: Jan 09, 2026
