Microsoft Intune · Application Management
Application Manager
Manages mobile and managed applications, can read device information and view device configuration profiles.
Scope: Application lifecycle management
Permissions
- Mobile apps - Full CRUD + Assign + Relate
- Managed apps - Full CRUD + Assign + Wipe
- Policy Sets - Full CRUD + Assign
- Filters - Full CRUD
- Cloud attached devices - View apps, Take app actions, View client details
- Managed devices - Read only
- Device configurations - Read only
- Microsoft Store for Business - Read
- Microsoft Defender ATP - Read
Common use cases
- Deploying line-of-business applications
- Managing app protection policies (MAM)
- Configuring app configuration policies
- Managing VPP/Apple Business Manager apps
Best practices
- Use for dedicated app deployment teams
- Combine with Policy and Profile Manager for full MAM/MDM
- Test app deployments to pilot groups first
- Use app categories and filters for organization
Security considerations
- Can wipe managed app data from devices
- Can deploy apps to all devices in scope
- Has read access to device information
Common questions
When should I assign the Application Manager role?
Assign Application Manager when you need to: Deploying line-of-business applications; Managing app protection policies (MAM); Configuring app configuration policies; and Managing VPP/Apple Business Manager apps. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Application Manager role do?
The Application Manager role grants permissions including: Mobile apps - Full CRUD + Assign + Relate; Managed apps - Full CRUD + Assign + Wipe; Policy Sets - Full CRUD + Assign; Filters - Full CRUD; Cloud attached devices - View apps, Take app actions, View client details; and Managed devices - Read only. See the Permissions section above for the full list.
What are the security risks of the Application Manager role?
Key considerations when assigning Application Manager: Can wipe managed app data from devices; Can deploy apps to all devices in scope; and Has read access to device information. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.