Lookout Product Documentation

Microsoft Permissions used by MES Console Intune Integration

This topic lists the Microsoft Graph and Microsoft Intune API permissions that the MES Console Intune integration requires and explains why each one is needed.

Microsoft Graph API Required Permissions

User.Read

Type: Delegated

Description: Sign in and read user profile.

API: GET /me

Purpose: MES Console single sign-on: retrieve the signed-in user's profile and group memberships for role-based access control via Azure. Because this is a delegated scope, it only lets Lookout read the profile of the specific user who initiates the single sign-on.

Device.Read.All

Type: Application

Description: Read all devices.

API: GET /devices

Purpose: Enrollment polling: retrieve lists of devices to be enrolled.

API: GET /devices/{id}

Purpose: Enrollment polling: retrieve individual devices to be enrolled or deactivated.

API: GET /devices/delta

Purpose: Enrollment polling: find devices that were added, changed, or removed since the last poll.

GroupMember.Read.All

Type: Application

Description: Read all group memberships.

API: GET /groups

Purpose: Enrollment polling: find enrollment group IDs based on user-configured names.

API: GET /groups/delta

Purpose: Enrollment polling: find groups with membership changes since last poll.

API: GET /groups/{id}/members

Purpose: Enrollment polling: retrieve group members to find users to enroll and identify subgroups.
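Two of the calls above, GET /devices/delta and GET /groups/delta, are Graph delta queries: the first call returns the full set in one or more pages joined by @odata.nextLink, the last page carries an @odata.deltaLink, and replaying that link later returns only what changed, with removals marked by an @removed property. The following is an added example, not Lookout's code, of how an enrollment poller consumes /groups/delta responses: it resolves user-configured group names to IDs on the initial full sync, follows pages, persists the deltaLink, records nested groups for later expansion via /groups/{id}/members, and only deactivates a user who no longer belongs to any tracked enrollment group. The response pages, group and user IDs are constructed, and the $select on START_URL is an assumption about how the poller requests members.

```python
"""Consume Microsoft Graph /groups/delta responses for enrollment polling.

Added example, not Lookout's code. The pages below are constructed; the field
conventions (@odata.nextLink, @odata.deltaLink, members@delta, @removed) are
those of Graph delta queries.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Assumed first-poll URL: selecting "members" is what makes Graph attach
# "members@delta" to each group in the response.
START_URL = "https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,members"

# Constructed pages. Poll 1 spans PAGE_1 (nextLink) and PAGE_2 (deltaLink);
# poll 2 follows the stored deltaLink to PAGE_3.
PAGE_1 = {
    "@odata.nextLink": "https://graph.microsoft.com/v1.0/groups/delta?$skiptoken=PAGE2",
    "value": [
        {"id": "g-001", "displayName": "MES-Enroll-iOS", "members@delta": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-100"},
            {"@odata.type": "#microsoft.graph.user", "id": "u-101"},
            {"@odata.type": "#microsoft.graph.group", "id": "g-002"}]},
    ],
}
PAGE_2 = {
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=TOKEN-A",
    "value": [
        {"id": "g-002", "displayName": "MES-Enroll-Android", "members@delta": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-200"},
            {"@odata.type": "#microsoft.graph.user", "id": "u-201"}]},
        {"id": "g-003", "displayName": "Finance", "members@delta": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-300"}]},
    ],
}
PAGE_3 = {
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=TOKEN-B",
    "value": [
        # Later polls carry only changed properties, so displayName is absent here.
        {"id": "g-001", "members@delta": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-100", "@removed": {"reason": "deleted"}},
            {"@odata.type": "#microsoft.graph.user", "id": "u-102"}]},
    ],
}
RESPONSES = {START_URL: PAGE_1, PAGE_1["@odata.nextLink"]: PAGE_2,
             PAGE_2["@odata.deltaLink"]: PAGE_3}


def fetch(url: str) -> dict:
    """Stand-in for an authenticated GET (the real call needs GroupMember.Read.All)."""
    return RESPONSES[url]


@dataclass
class PollState:
    names: frozenset                                            # user-configured enrollment group names
    delta_link: Optional[str] = None                            # opaque token; persist it between polls
    tracked: Dict[str, str] = field(default_factory=dict)       # group id -> displayName
    members: Dict[str, Set[str]] = field(default_factory=dict)  # group id -> user ids seen so far
    nested: Set[str] = field(default_factory=set)               # subgroups still to expand


def poll(state: PollState, get: Callable[[str], dict]) -> Tuple[Set[str], Set[str]]:
    """Walk every page of one poll and return (users to enroll, users to deactivate)."""
    added, removed = set(), set()
    url = state.delta_link or START_URL
    while True:
        page = get(url)
        for group in page.get("value", []):
            gid = group["id"]
            if "@removed" in group:                       # whole group deleted
                if state.tracked.pop(gid, None) is not None:
                    removed |= state.members.pop(gid, set())
                continue
            # Names are only reliably present on the initial full sync, so resolve
            # name -> id once and key everything on the id afterwards.
            if gid not in state.tracked and group.get("displayName") in state.names:
                state.tracked[gid] = group["displayName"]
                state.members.setdefault(gid, set())
            if gid not in state.tracked:
                continue                                  # not an enrollment group
            for m in group.get("members@delta", []):
                mid, gone = m["id"], "@removed" in m
                if m.get("@odata.type") == "#microsoft.graph.group":
                    (state.nested.discard if gone else state.nested.add)(mid)
                elif gone:
                    state.members[gid].discard(mid)
                    removed.add(mid)
                else:
                    state.members[gid].add(mid)
                    added.add(mid)
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]                 # more pages in this poll
        else:
            state.delta_link = page["@odata.deltaLink"]   # resume point for the next poll
            break
    # Only deactivate users who no longer belong to any tracked enrollment group.
    still_in = set().union(*state.members.values())
    return added, {u for u in removed if u not in still_in}


def run_demo():
    """Run two consecutive polls against the constructed pages."""
    state = PollState(names=frozenset({"MES-Enroll-iOS", "MES-Enroll-Android"}))
    first = poll(state, fetch)
    second = poll(state, fetch)
    return state, first, second


if __name__ == "__main__":
    st, first, second = run_demo()
    print("poll 1 enroll/deactivate:", sorted(first[0]), sorted(first[1]))
    print("poll 2 enroll/deactivate:", sorted(second[0]), sorted(second[1]))
    print("tracked groups:", st.tracked, "nested to expand:", sorted(st.nested))
```

The deltaLink is an opaque token and must be stored durably between polls; if it is lost, or Graph reports it has expired, the poller has to restart from START_URL and treat the result as a full resync rather than a set of changes.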

User.Read.All

Type: Application

Description: Read all users' full profiles.

API: GET /users (1)

Purpose: Enrollment polling: retrieve a list of users to obtain their owned devices.

API: GET /users/{id | UPN}/ownedDevices (1)

Purpose: Enrollment polling: retrieve a single user to obtain their owned devices.

Application.Read.All

Type: Application

Description: Read all applications.

API: GET /servicePrincipals

Purpose: Intune discovery: find the servicePrincipal for Intune (a servicePrincipal can be thought of as the specific instance of a service being used within a tenant).

API: GET /servicePrincipals/{servicePrincipalId}/endpoints

Purpose: Intune discovery: find the URL to use for Intune API calls.

(1) Both /users calls may be deprecated in favor of retrieving devices filtered by owner ID in Lookout's Q1 2024 poller update.

Microsoft Intune API Required Permission

update_device_health

Type: Application

Description: Get or send device threat information to Intune.

API: GET /StatelessPartnerDeviceDataSyncService/DataUploadMessages

Purpose: App inventory: retrieve the list of installed apps on a device.

API: PUT /StatelessPartnerDeviceDataSyncService/DataUploadMessages

Purpose: App inventory: initiate a request for the list of installed apps on a device.

API: PUT /StatelessPartnerTenantDataSyncService/PartnerTenantHeartbeat

Purpose: Tenant heartbeat: indicate to Intune that the connector is healthy.

API: PUT /StatelessPartnerTenantDataSyncService/PartnerTenants

Purpose: Tenant provisioning: provision the tenant to use Stateless Partner Device Data Sync Service.
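Because the permissions on this page are the complete set the integration needs, a tenant administrator can verify that the consent granted to the connector's app registration is exactly that set: anything missing breaks the integration, anything extra is excess privilege. The following is an added example, not Lookout's code. It resolves the appRoleAssignments on the connector's servicePrincipal to permission names through the resource API's published appRoles (application permissions), flattens the tenant-wide oauth2PermissionGrants (delegated permissions such as User.Read), and reports missing and extra grants per resource. All JSON is constructed in the shape Graph returns, and every role and servicePrincipal id is a placeholder; the only real value is the well-known Microsoft Graph appId.

```python
"""Audit the permissions actually granted to the integration's app registration.

Added example, not Lookout's code. Expected sets come from this page; the JSON
below is constructed in the shape of GET /servicePrincipals/{id}/appRoleAssignments,
the resource servicePrincipal's appRoles, and GET /oauth2PermissionGrants.
All ids are placeholders, not real Graph role ids.
"""
from typing import Dict, Set

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (well-known appId)

# Application permissions documented on this page, per resource API.
EXPECTED_APP_ROLES = {
    "Microsoft Graph": {"Device.Read.All", "GroupMember.Read.All",
                        "User.Read.All", "Application.Read.All"},
    "Microsoft Intune API": {"update_device_health"},
}
# Delegated scopes documented on this page; openid and profile are the standard
# OIDC sign-in scopes and are treated as acceptable alongside User.Read.
EXPECTED_DELEGATED = {"Microsoft Graph": {"User.Read", "openid", "profile"}}

# Constructed: appRoles published by each resource servicePrincipal (id -> value).
RESOURCE_APP_ROLES = {
    "graph-sp": {"displayName": "Microsoft Graph", "appId": GRAPH_APP_ID, "appRoles": [
        {"id": "role-0001", "value": "Device.Read.All"},
        {"id": "role-0002", "value": "GroupMember.Read.All"},
        {"id": "role-0003", "value": "User.Read.All"},
        {"id": "role-0004", "value": "Application.Read.All"},
        {"id": "role-0005", "value": "Directory.Read.All"}]},
    "intune-sp": {"displayName": "Microsoft Intune API", "appRoles": [
        {"id": "role-1001", "value": "update_device_health"}]},
}
# Constructed: the connector servicePrincipal's appRoleAssignments. This sample
# over-grants Directory.Read.All and omits Application.Read.All.
APP_ROLE_ASSIGNMENTS = [
    {"resourceId": "graph-sp", "appRoleId": "role-0001"},
    {"resourceId": "graph-sp", "appRoleId": "role-0002"},
    {"resourceId": "graph-sp", "appRoleId": "role-0003"},
    {"resourceId": "graph-sp", "appRoleId": "role-0005"},
    {"resourceId": "intune-sp", "appRoleId": "role-1001"},
]
# Constructed: tenant-wide delegated grants; "scope" is a space-separated string.
OAUTH2_GRANTS = [
    {"resourceId": "graph-sp", "consentType": "AllPrincipals",
     "scope": "User.Read openid profile Mail.Read"},
]


def granted_app_roles(assignments, resources) -> Dict[str, Set[str]]:
    """Resolve appRoleId values to permission names, grouped by resource display name."""
    granted: Dict[str, Set[str]] = {}
    for a in assignments:
        res = resources[a["resourceId"]]
        role_values = {r["id"]: r["value"] for r in res["appRoles"]}
        name = role_values.get(a["appRoleId"], f"<unknown role {a['appRoleId']}>")
        granted.setdefault(res["displayName"], set()).add(name)
    return granted


def granted_delegated(grants, resources) -> Dict[str, Set[str]]:
    """Flatten oauth2PermissionGrants into per-resource scope sets."""
    out: Dict[str, Set[str]] = {}
    for g in grants:
        name = resources[g["resourceId"]]["displayName"]
        out.setdefault(name, set()).update(g["scope"].split())
    return out


def audit(granted, expected) -> Dict[str, Dict[str, Set[str]]]:
    """Per resource: 'missing' breaks the integration, 'extra' is excess privilege."""
    report = {}
    for res in set(granted) | set(expected):
        have, want = granted.get(res, set()), expected.get(res, set())
        report[res] = {"missing": want - have, "extra": have - want}
    return report


def run_audit():
    """Return (application-permission report, delegated-permission report)."""
    return (audit(granted_app_roles(APP_ROLE_ASSIGNMENTS, RESOURCE_APP_ROLES), EXPECTED_APP_ROLES),
            audit(granted_delegated(OAUTH2_GRANTS, RESOURCE_APP_ROLES), EXPECTED_DELEGATED))


if __name__ == "__main__":
    app_report, delegated_report = run_audit()
    for label, rep in (("application", app_report), ("delegated", delegated_report)):
        for res, r in sorted(rep.items()):
            print(f"{label:11} {res}: missing={sorted(r['missing'])} extra={sorted(r['extra'])}")
```

Application permissions live on the servicePrincipal as appRoleAssignments and delegated permissions as oauth2PermissionGrants, so both collections have to be checked; auditing only one of them misses half the consent surface.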