README out of sync: stale auto-update claim and Register-IntuneAssignmentCheckerApp.ps1 permissions/output drift post-v4.0

[ugurkocde]

After the v4.0 module conversion (b2378c5) and the GitHub-release install note (7feb343), a few doc items have fallen out of sync with the code.

1. README.md:107 — "Built-in auto-update functionality" no longer accurate

The Features section still lists:

• 🔄 Built-in auto-update functionality

v4.0 removed the GitHub self-update path. Module/IntuneAssignmentChecker/Public/Connect-IntuneAssignmentChecker.ps1:41-58 now only performs a PSGallery version check and prints:

Run 'Update-Module IntuneAssignmentChecker' to upgrade.

The v4.0 commit message itself states: "PSGallery version check (replaces GitHub self-update)". Suggest either removing the bullet or rewording to "Version check against PowerShell Gallery on connect".

2. Register-IntuneAssignmentCheckerApp.ps1 permissions list disagrees with README's required permissions table

README Required Permissions (lines 138–148) lists 9 permissions. The automated-setup script creates the app registration with only 7, and the two sets don't fully overlap:

Register-IntuneAssignmentCheckerApp.ps1:44-53 grants:

• User.Read.All
• Group.Read.All
• Device.Read.All
• DeviceManagementApps.Read.All
• DeviceManagementConfiguration.Read.All
• DeviceManagementManagedDevices.Read.All
• DeviceManagementServiceConfig.Read.All ← not in README, not checked by Connect-IntuneAssignmentChecker.ps1:68-78

Missing from the script but required by README and verified by Connect-IntuneAssignmentChecker.ps1:68-78:

• DeviceManagementScripts.Read.All (platform/health scripts)
• CloudPC.Read.All (Windows 365)
• DeviceManagementRBAC.Read.All (scope tags)

Consequence: users who follow README.md:277 ("Automated Setup Available → Run the automation script") end up with an app registration that immediately trips the "missing permissions" warning on first connect. Either update the script's $permissions array to match the 9 in Connect-IntuneAssignmentChecker.ps1:68-78, or scope the README table down to what the automated script actually grants and document the extras as opt-in.

3. Register-IntuneAssignmentCheckerApp.ps1:125-128 prints a v3-era command

The "next steps" output still tells the user to run:

.\IntuneAssignmentChecker.ps1 -CertificateThumbprint "..." -TenantId "..." -AppId "..."

There is no such IntuneAssignmentChecker.ps1 at the repo root in v4.0 — the project is a module. The correct equivalent is:

Connect-IntuneAssignmentChecker -AppId "<appId>" -TenantId "<tenantId>" -CertificateThumbprint "<thumbprint>"
IntuneAssignmentChecker   # launches the interactive menu

README examples (lines 197-205, 306-309) already use the new Connect-IntuneAssignmentChecker cmdlet, so the helper script's final hint is the only remaining place still pointing at the v3 entry point.

[ugurkocde]

Great write-up — all three items are confirmed. Here's a concrete fix plan with the exact changes needed.

---

Fix 1: README auto-update bullet (line 106)

Replace the stale claim with what the code actually does.

README.md:106

-- 🔄 Built-in auto-update functionality
+- 🔄 Version check against PowerShell Gallery on connect

The version-check logic lives in Module/IntuneAssignmentChecker/Public/Connect-IntuneAssignmentChecker.ps1:41-58 — it calls Find-Module against PSGallery and prints an Update-Module hint. No self-update path exists since v4.0.

---

Fix 2: Align Register-IntuneAssignmentCheckerApp.ps1 permissions with Connect-IntuneAssignmentChecker.ps1

The source of truth for required permissions is Connect-IntuneAssignmentChecker.ps1:68-78 (9 permissions). The registration script at lines 45-53 currently grants only 7, and includes one (DeviceManagementServiceConfig.Read.All) that isn't validated at connect time.

Register-IntuneAssignmentCheckerApp.ps1:45-53 — replace the $permissions array with:

$permissions = @(
    @{ id = "df021288-bdef-4463-88db-98f22de89214"; displayName = "User.Read.All" },
    @{ id = "5b567255-7703-4780-807c-7be8301ae99b"; displayName = "Group.Read.All" },
    @{ id = "7438b122-aefc-4978-80ed-43db9fcc7715"; displayName = "Device.Read.All" },
    @{ id = "7a6ee1e7-141e-4cec-ae74-d9db155731ff"; displayName = "DeviceManagementApps.Read.All" },
    @{ id = "dc377aa6-52d8-4e23-b271-2a7ae04cedf3"; displayName = "DeviceManagementConfiguration.Read.All" },
    @{ id = "2f51be20-0bb4-4fed-bf7b-db946066c75e"; displayName = "DeviceManagementManagedDevices.Read.All" },
    @{ id = "06a5fe6d-c49d-46a7-b082-56b1b14103c7"; displayName = "DeviceManagementServiceConfig.Read.All" },
    @{ id = "2a0ccd42-f355-4813-b1a0-b15e53f5b02b"; displayName = "DeviceManagementScripts.Read.All" },
    @{ id = "a9e09520-8ed4-4cde-838e-4fdea192c227"; displayName = "CloudPC.Read.All" },
    @{ id = "49f0cc30-024c-4c62-8aa5-1218d6904bc0"; displayName = "DeviceManagementRBAC.Read.All" }
)

This adds the 3 missing permissions (DeviceManagementScripts.Read.All, CloudPC.Read.All, DeviceManagementRBAC.Read.All) and keeps DeviceManagementServiceConfig.Read.All since it's already present and may be useful. The permission GUIDs above are the well-known Microsoft Graph application permission IDs — verify against your tenant if needed.

---

Fix 3: Update the v3-era "next steps" output (lines 125-128)

Register-IntuneAssignmentCheckerApp.ps1:125-128 — replace with:

Write-Host "`n----------------------------" -ForegroundColor Cyan
Write-Host "You can now connect using:" -ForegroundColor Cyan
Write-Host "Connect-IntuneAssignmentChecker -AppId `"$appId`" -TenantId `"$tenantId`" -CertificateThumbprint `"$certificateThumbprint`"" -ForegroundColor Yellow
Write-Host "IntuneAssignmentChecker   # launches the interactive menu" -ForegroundColor Yellow
Write-Host "----------------------------"

This matches the module entry point used everywhere else in the README (lines 197-205, 308-309).

---

Generated by Claude Code