We are releasing an update to the default Configuration Manager service principal in your Microsoft 365 tenant. This update introduces new app permissions (scopes) required to enable additional features and support changes from Microsoft. As part of this update, a Global Administrator must review and provide admin consent for the new permissions. For information regarding Service Account authentication in Configuration Manager, please review our documentation on Service Principal authentication.
Failure to provide consent may prevent Configuration Manager from managing some configurations in your tenant impacted by the change in permissions. Please review the information below carefully to understand what you need to do.
What is changing?
Microsoft has added two new application permissions related to Intune Device Management: DeviceManagementScripts.ReadWrite.All and DeviceManagementScripts.Read.All.
In order to continue exporting and managing Intune Device Scripts and policies, these application permissions must be added to the Configuration Manager service principal. For information about this change, please refer to the article "In development for Microsoft Intune" in Microsoft documentation.
The following app permissions are new and must be deployed to our default service principals:
- Simeon Cloud Sync / CoreView Configuration Manager: DeviceManagementScripts.ReadWrite.All (Application) and DeviceManagementScripts.ReadWrite.All (Delegated)
- Simeon Cloud Sync (read only): DeviceManagementScripts.Read.All (Application) and DeviceManagementScripts.Read.All (Delegated)
As part of the Sync process, the new permissions will be automatically added to the default Configuration Manager service principal. After applying new permissions, an administrator must grant consent for these permissions to be used.
Which App Permissions are required to use Configuration Manager?
Configuration Manager requires permissions related only to the areas of your tenant that you would like to manage. By default, we provide an application that covers the permissions listed in our GitHub repository (docs/application-scopes.md). We also provide self-hosted customers a read-only service principal that has limited permissions for reading and backing up configurations. These permissions are listed in our GitHub repository (docs/application-scopes-readonly.md).
Customers self-hosting on Azure DevOps can also choose to provide a custom application with the permissions of their choosing.
As part of this update, you will be required to consent to all application permissions, including the two new permissions.
Who is impacted?
All Configuration Manager customers should be aware of this change, but not all users will need to take immediate action. Tenants installed with one of the default service principals will need to take immediate action. Customers using a custom service principal do not need to take action, but should review the permissions of their application to determine if an update is necessary.
Tenants Using the Default Service Principal
If your tenant is configured to use the default service principal provided by our platform, you are impacted and must take action. This is relevant for self-hosted Simeon customers using the Simeon Cloud Sync service principal as well as any CoreView customers using Configuration Manager SaaS. These tenants will display the “Pending Admin Consent” status on the Sync page, informing you that this tenant requires an update.
Tenants Using the Read-Only Service Principal Option
If your tenant is using the read-only service principal, you are also impacted. However, because your tenant is currently in a read-only state, we are unable to automatically update permissions. Your tenant will not prompt you for admin consent! Instead, to resolve this, you must reinstall the tenant and provide admin consent during the reinstallation process.
Tenants Using a Custom Service Principal
If your organization has set up and is using a custom service principal (not the default or read-only option), you are not impacted by this update and your tenants should be Syncing as expected. Customers using a custom service principal are expected to maintain their own application scopes and permissions according to your organization's needs. It is recommended to manually update your service principal to include the new scopes outlined above.
What do I need to do?
To ensure uninterrupted service, a Global Administrator must provide admin consent for the new application permissions. Please follow these steps:
- Review permissions: carefully review the updated application permissions outlined above to gain an understanding of what permissions are required and will be used by Configuration Manager.
- Provide consent: navigate to the Configuration Manager app > Sync page and click the “Provide Admin Consent” button displayed in the Sync status.
- Click the “Provide Admin Consent” button in the modal and sign in to the impacted tenant as a Global Administrator.
- Confirm consent: review the consent prompt and confirm approval. Please verify that all application permissions are listed to receive admin consent! See the FAQ section for examples of the admin consent prompt.
- Completion: once consent is granted, Configuration Manager will automatically resume, utilizing the new permissions.
How to manually provide Admin Consent in Azure
If you are unable to use the “Provide Admin Consent” option in the product, you can grant admin consent directly within your Azure tenant. Follow these steps:
- Sign in to the Azure Portal with a Global Administrator account.
- In the left-hand menu, click “Azure Active Directory”, then under “Manage” select “App registrations”.
- Locate and select the application registered for Configuration Manager. The application name is Simeon Cloud Sync for self-hosted customers or CoreView Configuration Manager for CoreView customers.
- In the application blade, click on API permissions in the left menu.
- Review the permissions that have been requested.
- Click the “Grant admin consent for [Your Organization]” button at the top.
- Confirm the prompt when asked.
- Once admin consent is granted, the new permissions take effect immediately. Return to Configuration Manager and run a manual Sync to confirm.
Tip: if you do not see the application listed, check that you are viewing “All applications” (not just “Owned applications”) in the App Registrations filter.
Need further assistance? Refer to Microsoft’s guide on granting admin consent manually or contact the CoreView support team for help.
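After granting consent, either in the product or in the portal, you can confirm the result outside the Sync page. The following Microsoft Graph PowerShell script is an added example, not part of this notice or of the CoreView/Simeon tooling; it checks whether the Configuration Manager service principal holds the new DeviceManagementScripts permissions and has tenant-wide admin consent for them, which is the same condition the Sync status check described in the FAQ reports on. It assumes the Microsoft.Graph PowerShell SDK is installed and that the app display name is one of the two named above.

```powershell
# Added example (not CoreView/Simeon code): verify admin consent for the new
# DeviceManagementScripts permissions on the Configuration Manager service principal.
# Assumes the Microsoft.Graph PowerShell SDK. Read-only scopes are sufficient.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# Display name from the notice; use "CoreView Configuration Manager" for CoreView SaaS.
$appDisplayName = "Simeon Cloud Sync"
# Default SP needs ReadWrite.All; the read-only SP needs Read.All instead.
$requiredScopes = @("DeviceManagementScripts.ReadWrite.All")

# Microsoft Graph's own service principal (well-known appId) defines the app roles.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$clientSp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $clientSp) { throw "Service principal '$appDisplayName' not found in this tenant." }

# Application permissions with admin consent appear as app role assignments
# whose resource is the Graph service principal.
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id -All |
    Where-Object ResourceId -eq $graphSp.Id
$grantedAppRoles = $graphSp.AppRoles |
    Where-Object { $assigned.AppRoleId -contains $_.Id } |
    ForEach-Object Value

# Delegated permissions with tenant-wide admin consent appear as OAuth2 grants
# of consentType AllPrincipals; Scope is a space-separated list.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' -and $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $_.Scope -split ' ' }

# One row per required permission; False in either column means consent is outstanding.
foreach ($scope in $requiredScopes) {
    [pscustomobject]@{
        Permission         = $scope
        ApplicationConsent = [bool]($grantedAppRoles -contains $scope)
        DelegatedConsent   = [bool]($delegated -contains $scope)
    }
}
```

A row showing False in either column corresponds to the “Pending Admin Consent” status on the Sync page; re-run the check after consent is granted to confirm both columns read True.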
Frequently asked questions
Q: What happens if I do not provide consent?
A: Each time your tenant Syncs, a check will be performed to determine if all app permissions are present and have received admin consent. If the new permissions have not yet received admin consent, the tenant will show the “Pending Admin consent” status after each Sync until consent is provided. Some supported Intune Device Management configurations will not be backed up or managed until consent is provided.
Q: What if I do not want to add these specific permissions to the service principal?
A: If you are using Configuration Manager SaaS, this change is required and you cannot opt out. If you are using Configuration Manager self-hosted on Azure DevOps, and have installed your tenant with one of the default service principals, this change is required. If you do not wish to add these permissions, you must reinstall your tenant using a custom service principal where you can apply the desired permissions.
Q: Why are new permissions needed?
A: New permissions are required to support new configuration providers or Microsoft-mandated changes. In this case, Microsoft has released new app permissions for managing Intune Device Management scripts. These new permissions are required to continue to back up and manage these settings.
Q: What if I am not a Global Administrator?
A: This change is required for all impacted Configuration Manager tenants. If you do not have a Global Administrator role or do not have access to a Global Administrator account in the impacted tenant, you must identify a way to provide admin consent. Typically, this will require a request to a Global Admin to sign in to the Configuration Manager app to perform the action; a request to your Microsoft 365 Global Admin team to manually perform consent in the Azure portal; or securing temporary Global Admin rights via Privileged Identity Management. To understand more, refer to Microsoft documentation on Privileged Identity Management.
Q: Can I reinstall my tenant instead of providing admin consent?
A: Yes. If you are already planning to reinstall a tenant, or need to reinstall a tenant as part of other changes, the new service principal will be installed by default and admin consent will be provided during install time.
Q: Will I need to perform this consent for each Sync?
A: No, this is a one-time action. Once admin consent has been successfully granted, you should no longer be prompted to provide consent and your Sync should export all expected configurations.
Q: The list of permissions requiring admin consent is very long; is this expected?
A: Yes. To ensure the service principal is working as expected, all permissions will receive admin consent as part of this change. The following is an example of the permissions you should expect to consent to as part of this update:
Need help?
If you require more information or run into issues, please contact our support team or refer to the links provided in the product notification.