# New features

### Upcoming features in near future:

* ~~Devices from Entra ID~~ (Launched)
* Extended device information for Intune managed devices, requires [DeviceManagementManagedDevices.Read.All](https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddevice-get?view=graph-rest-beta#permissions) permissions
* All applications with certificate/secret expiry.
* Eligible Entra ID role assignments will need [RoleManagement.Read.All](https://learn.microsoft.com/en-us/graph/permissions-reference#rolemanagementreadall) permissions

### Bsure Insights will need more permissions to provide this information.

To prepare your environment you can give Bsure Insights managed identity all permissions now to support upcoming features.

### How to add permissions

Start cloud shell with a user having Global administrator privileges - <https://portal.azure.com/#cloudshell/>

Copy script below and paste as plain text to run it in cloud shell.

*There is no need to edit script. Script will search for all installations (managed identities) used by Bsure Insights and add this new permission*

```powershell
$BSureSpnName = 'Bsure-Umi-'

$BsurePermissions = @(
  "Directory.Read.All"
  "AuditLog.Read.All"
  "Domain.Read.All"
  "Reports.Read.All"
  "Policy.Read.All"
  "MailboxSettings.Read"
  "DeviceManagementManagedDevices.Read.All"
  "RoleManagement.Read.All"
)

$GraphAppId = "00000003-0000-0000-c000-000000000000"

$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"

$RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")}

(Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName) | ForEach-Object{

    $script:graphAPIReqHeader = @{
        Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token | ConvertFrom-SecureString -AsPlainText)"
        Host = "graph.microsoft.com"
    }

    $currentSPN = $_
    $currentSPN
    $assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"

    $currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value
    
    $RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))}
    
    foreach($AppRole in $RolesToAddClean)
    {
        $body = @{
            principalId = $currentSPN.Id
            resourceId = $msGraphSpn.id
            appRoleId = $AppRole.id
        } | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
    
        Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
    }
    
    $RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))}
    
    foreach($AppRole in $RolesToRemoveClean)
    {
        $toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id
        Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader
    }
}

Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"


```