Skip to content

Security & Permissions

Last updated: July 10, 2026

IntuneGet asks for access to your Intune tenant, and you deserve to know exactly what that means before you grant it. This page lists every Microsoft Graph permission the app requests, what each one is used for, how consent works, and where your data does - and does not - go.

How Access Works

IntuneGet uses two kinds of Microsoft Entra ID access, and it is important to keep them apart:

  • Delegated sign-in scopes. When you sign in, the app requests only sign-in and basic profile scopes (User.Read, openid, profile). These identify who you are; they do not grant any access to Intune.
  • Application permissions. The Intune operations run under application permissions that an administrator grants once per tenant via admin consent. They are scoped to the specific Graph APIs listed below and can be revoked from your tenant at any time.

Permissions Requested

This is the complete list of Microsoft Graph permissions on the IntuneGet app registration. Nothing else is requested.

PermissionTypeAccessWhat it is used for
User.ReadDelegatedRead-onlySign you in and read your basic profile
DeviceManagementApps.ReadWrite.AllApplicationRead and writeCreate and update the Win32 apps IntuneGet uploads to your Intune tenant
DeviceManagementConfiguration.Read.AllApplicationRead-onlyRead device configuration for deployment context
DeviceManagementManagedDevices.Read.AllApplicationRead-onlyRead managed device information for reporting
DeviceManagementServiceConfig.ReadWrite.AllApplicationRead and writeRead and update Intune service configuration used during app setup (e.g. enrollment status page references)
GroupMember.Read.AllApplicationRead-onlyRead group membership so you can pick assignment groups

Consent and Roles

Setting up IntuneGet is a two-step model:

  • Step 1: one-time admin consent. A Global Administrator grants tenant-wide admin consent to the application permissions listed above. This happens once per tenant.
  • Step 2: day-to-day use. After consent, team members sign in with their normal Microsoft work account. We recommend an Intune Administrator or an equivalently permissioned account for managing deployments, but a Global Administrator is not needed for everyday work.

How Your Data Flows

  • Access tokens stay in your browser session; we do not persist them server-side.
  • Packaging runs on temporary, ephemeral GitHub-hosted runners that are destroyed after each job.
  • Packaged apps are uploaded directly to your own Intune tenant.
  • Application installers are never stored by IntuneGet - not on our servers, and not in our database.

Data Residency

  • On the hosted version (intuneget.com), data is stored in the European Union, in Supabase's Frankfurt, Germany region (eu-central-1).
  • We only keep the operational metadata needed to run the service, such as your account email, deployment history, app catalog, and team settings.
  • We never store your app installers or your Intune credentials: authentication uses Microsoft Entra ID, and access tokens stay in your browser.
  • The web app is served over an encrypted (TLS) connection via Vercel's global edge network.
  • If you need data to stay entirely on your own infrastructure or in a specific region, IntuneGet can be self-hosted with an embedded SQLite database.

Open Source and No Lock-In

IntuneGet is open source under the AGPL-3.0 license. The full source code is available on GitHub, so you can audit exactly what the app does with the permissions it holds. If you ever want to leave the hosted version, self-hosting with Docker and an embedded SQLite database is the built-in escape hatch - your deployments live in your own Intune tenant either way.

To be transparent: IntuneGet is not SOC 2 certified. Instead, the architecture is designed so that the most sensitive assets never reach IntuneGet infrastructure in the first place - your Intune credentials stay with Microsoft, access tokens stay in your browser, and installers flow from ephemeral runners straight into your tenant.

Related Resources