Plan for Change: Updates to required permissions for Microsoft Graph Beta API deviceManagement

Starting July 31, 2025, Microsoft Graph Beta API deviceManagement will require either DeviceManagementScripts.Read.All or DeviceManagementScripts.ReadWrite.All permissions. Update any apps, scripts, or tools to include these permissions and remove the old ones. Detailed instructions are available in the provided links.

Starting July 31, 2025, or soon after, the following Graph APIs will require either DeviceManagementScripts.Read.All or DeviceManagementScripts.ReadWrite.All permissions to continue working:

• ~/deviceManagement/deviceShellScripts
• ~/deviceManagement/deviceHealthScripts
• ~/deviceManagement/deviceComplianceScripts
• ~/deviceManagement/deviceCustomAttributeShellScripts
• ~/deviceManagement/deviceManagementScripts

[How this will affect your organization:]

Previously, these Graph APIs required granting either DeviceManagementConfiguration.ReadWrite.All or DeviceManagementConfiguration.Read.All permissions. If you have any enterprise applications, scripts or other tools that have been granted these permissions they will need to be updated in order to continue calling the listed Graph APIs.  

[What you need to do to prepare:]

Ensure any apps, scripts, or tooling that reference the listed Graph APIs include either DeviceManagementScripts.Read.All or DeviceManagementScripts.ReadWrite.All permissions and remove the old permissions: DeviceManagementConfiguration.ReadWrite.All or DeviceManagementConfiguration.Read.All.

For detailed instructions for updating permissions for applications, refer to: Update an app's requested permissions in Microsoft Entra ID

• If you are an independent software vendor or partner with an application deployed in your customer environments that needs updating, review Grant consent for the added permissions for the enterprise application