[ [ 'key' => 'DeviceManagementConfiguration.ReadWrite.All', 'type' => 'application', 'description' => 'Read and write Intune device configuration policies.', 'features' => ['policy-sync', 'backup', 'restore', 'settings-normalization'], ], [ 'key' => 'DeviceManagementConfiguration.Read.All', 'type' => 'application', 'description' => 'Read Intune device configuration policies (least-privilege for inventory).', 'features' => ['policy-sync', 'backup', 'settings-normalization'], ], [ 'key' => 'DeviceManagementApps.ReadWrite.All', 'type' => 'application', 'description' => 'Manage app configuration and assignments for Intune.', 'features' => ['backup', 'restore'], ], [ 'key' => 'DeviceManagementApps.Read.All', 'type' => 'application', 'description' => 'Read app configuration and assignments for Intune.', 'features' => ['policy-sync', 'backup'], ], [ 'key' => 'DeviceManagementServiceConfig.ReadWrite.All', 'type' => 'application', 'description' => 'Manage enrollment restrictions, Autopilot, ESP, and related service configs.', 'features' => ['backup', 'restore', 'policy-sync'], ], [ 'key' => 'DeviceManagementServiceConfig.Read.All', 'type' => 'application', 'description' => 'Read enrollment restrictions, Autopilot, ESP, and related service configs.', 'features' => ['policy-sync', 'backup'], ], [ 'key' => 'Policy.Read.All', 'type' => 'application', 'description' => 'Read Conditional Access policies for preview/backup.', 'features' => ['conditional-access', 'backup', 'versioning'], ], [ 'key' => 'Policy.ReadWrite.ConditionalAccess', 'type' => 'application', 'description' => 'Manage Conditional Access policies (used for preview-only or admin-controlled restores).', 'features' => ['conditional-access', 'restore'], ], [ 'key' => 'Directory.Read.All', 'type' => 'application', 'description' => 'Read directory data needed for tenant health checks.', 'features' => ['tenant-health'], ], [ 'key' => 'DeviceManagementRBAC.Read.All', 'type' => 'application', 'description' => 'Read Intune 
RBAC settings including scope tags for backup metadata enrichment.',
            'features' => ['scope-tags', 'backup-metadata', 'assignments'],
        ],
        [
            'key' => 'Group.Read.All',
            'type' => 'application',
            'description' => 'Read group information for resolving assignment group names and cross-tenant group mapping.',
            'features' => ['assignments', 'group-mapping', 'backup-metadata'],
        ],
        [
            'key' => 'DeviceManagementScripts.ReadWrite.All',
            'type' => 'application',
            'description' => 'Read and write Intune device management scripts.',
            'features' => ['script-management'],
        ],
    ],

    // Stub list of permissions already granted to the service principal (used for display in the tenant verification UI).
    // This list should match the permissions actually granted (admin-consented) in Entra ID.
    // NOTE: in production this should be fetched dynamically from Graph API, e.g. from the service principal's
    // app role assignments (planned for v1.1+). Until then it is a hand-maintained snapshot that drifts silently
    // whenever consent in the tenant changes.
    //
    // SECURITY: this stub is for display only. Never use it to decide whether a feature may run or whether a
    // request is authorized — an entry here is not evidence that the tenant has consented to it, and a live grant
    // can be revoked without this file changing. Gate features on the live check, not on this list.
    //
    // ⚠️ IMPORTANT: after adding new permissions in Azure AD / Entra ID:
    // 1. Add the permissions in Azure AD and grant admin consent.
    // 2. Update the list below (move the entry from "Required permissions" to "Actually granted").
    // 3. Clear the cache: php artisan cache:clear (and php artisan config:clear if the config cache is in use).
    // 4. Optional: run the live check on the tenant detail page.
    'granted_stub' => [
        // Actually granted (taken from an Entra ID screenshot, i.e. not machine-verified):
        // NOTE(review): Device.Read.All and DeviceManagementManagedDevices.ReadWrite.All are not required by any
        // feature in the list above — the service principal holds more than this app declares it needs; review
        // whether they can be removed (least privilege).
        'Device.Read.All',
        'DeviceManagementConfiguration.Read.All',
        'DeviceManagementConfiguration.ReadWrite.All',
        'DeviceManagementManagedDevices.ReadWrite.All',
        'DeviceManagementServiceConfig.Read.All',
        'Directory.Read.All',
        // NOTE(review): User.Read is normally a delegated permission, not an application one; confirm it belongs
        // here, since every required entry above is 'type' => 'application'.
        'User.Read',
        'DeviceManagementScripts.ReadWrite.All',

        // Required permissions (must be granted in Entra ID):
        // If these are missing they show up as "missing" in the UI.
        // NOTE(review): these entries sit inside granted_stub, so any code that reads this list will report them
        // as granted even though they are not yet consented — confirm the UI treats this section differently,
        // otherwise they belong outside the list until consent has been given.
        'DeviceManagementApps.ReadWrite.All',
        'DeviceManagementApps.Read.All',
        'DeviceManagementServiceConfig.ReadWrite.All',
        'Policy.Read.All',
        // High-impact: application-level write access to Conditional Access policies affects the whole tenant.
        // Keep restores admin-controlled as the description above says, and prefer preview-only where possible.
        'Policy.ReadWrite.ConditionalAccess',
        // Feature 004 - Assignments & Scope Tags (new since 2025-12-22):
        // TODO: move to "Actually granted" after Azure AD setup
        'DeviceManagementRBAC.Read.All', // resolve scope tag names
        'Group.Read.All', // resolve group names for assignments
    ],
];