Required permissions and devops authentication #45

@Flory321

Hey guys,
we tried the Intune package factory in our test tenant and in fact it's really an awesome tool! It's definitely helpful for apps where versions change a lot and which are not available in Intune's MS Store integration (new).

But there are the following 2 things which currently block us from using it in production:

  1. We do not understand why the service principal needs the right "DeviceManagementRBAC.ReadWrite.All". This permission should, as per my opinion, only be granted if it's really required.
  2. Azure DevOps uses a client secret as "Service Principal". Here we would need it to support "workload identity federation".

Don't get me wrong - we do honor what's there right now, but our internal guidelines block us from using it as it is now.
Are there any changes planned to address the above topics?

Thanks
Florian
