Microsoft Intune · Application Management

Application Manager

Manages mobile and managed applications, can read device information and view device configuration profiles.

Scope: Application lifecycle management

Permissions

  • Mobile apps - Full CRUD + Assign + Relate
  • Managed apps - Full CRUD + Assign + Wipe
  • Policy Sets - Full CRUD + Assign
  • Filters - Full CRUD
  • Cloud attached devices - View apps, Take app actions, View client details
  • Managed devices - Read only
  • Device configurations - Read only
  • Microsoft Store for Business - Read
  • Microsoft Defender ATP - Read

Common use cases

  • Deploying line-of-business applications
  • Managing app protection policies (MAM)
  • Configuring app configuration policies
  • Managing VPP/Apple Business Manager apps

Best practices

  • Use for dedicated app deployment teams
  • Combine with Policy and Profile Manager for full MAM/MDM
  • Test app deployments to pilot groups first
  • Use app categories and filters for organization

Security considerations

  • Can wipe managed app data from devices
  • Can deploy apps to all devices in scope
  • Has read access to device information

Common questions

When should I assign the Application Manager role?

Assign Application Manager when you need to: Deploying line-of-business applications; Managing app protection policies (MAM); Configuring app configuration policies; and Managing VPP/Apple Business Manager apps. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Application Manager role do?

The Application Manager role grants permissions including: Mobile apps - Full CRUD + Assign + Relate; Managed apps - Full CRUD + Assign + Wipe; Policy Sets - Full CRUD + Assign; Filters - Full CRUD; Cloud attached devices - View apps, Take app actions, View client details; and Managed devices - Read only. See the Permissions section above for the full list.

What are the security risks of the Application Manager role?

Key considerations when assigning Application Manager: Can wipe managed app data from devices; Can deploy apps to all devices in scope; and Has read access to device information. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →