From a6fab102a5b3d9525c94ef255ebbf22b412436dd Mon Sep 17 00:00:00 2001
From: Fabien Tschanz <fabien.tschanz@bluewin.ch>
Date: Tue, 22 Oct 2024 23:17:02 +0200
Subject: [PATCH] Add Intune Group.Read.All permissions to generated
 permissions

---
 ResourceGenerator/M365DSCResourceGenerator.psm1 | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/ResourceGenerator/M365DSCResourceGenerator.psm1 b/ResourceGenerator/M365DSCResourceGenerator.psm1
index 932f7012a2..9cd5544639 100644
--- a/ResourceGenerator/M365DSCResourceGenerator.psm1
+++ b/ResourceGenerator/M365DSCResourceGenerator.psm1
@@ -967,7 +967,15 @@ class MSFT_DeviceManagementConfigurationPolicyAssignments
             -Workload $Workload `
             -CmdLetNoun $CmdLetNoun `
             -ApiVersion $ApiVersion `
-            -UpdateVerb $updateVerb).permissions | ConvertTo-Json -Depth 20
+            -UpdateVerb $updateVerb).permissions
+        if ($ResourceName -like "Intune*")
+        {
+            $resourcePermissions.application.read += @{ name = 'Group.Read.All' }
+            $resourcePermissions.application.update += @{ name = 'Group.Read.All' }
+            $resourcePermissions.delegated.read += @{ name = 'Group.Read.All' }
+            $resourcePermissions.delegated.update += @{ name = 'Group.Read.All' }
+        }
+        $resourcePermissions = $resourcePermissions | ConvertTo-Json -Depth 20
         $resourcePermissions = '    ' + $resourcePermissions
         Write-TokenReplacement -Token '<ResourceFriendlyName>' -Value $ResourceName -FilePath $settingsFilePath
         Write-TokenReplacement -Token '<ResourceDescription>' -Value $resourceDescription -FilePath $settingsFilePath