You’re offline. This is a read only version of the page.
I'm currently working on a device management tool using Power Apps, and for that I'm using the Microsoft Graph API through a custom connector. For example, when moving group memberships for a device, the operation is almost instant when using delegated API permissions. However, when using application API permissions, something strange happens.In the Intune admin portal, the group membership updates appear almost instantly, just like with delegated permissions. But in Power Apps, the behavior becomes inconsistent:
- it takes noticeable time until the updated values appear correctly, and
- repeated API calls during that period can produce incorrect or outdated results.
I read that delegated permissions use a user token, which benefits from Azure AD caching behavior, while application permissions do not have a user context — the application itself holds the permissions. The Intune admin portal also uses the administrator’s user token, making its behavior delegated as well.
Essentially, my button in Power Apps executes several API calls like this:
GraphAPIConnector_1.PostDeviceMemberGroup(
g.id,
{ '@odata.id': "https://graph.microsoft.com/beta/devices/" & deviceObjectId.id }
)
With delegated permissions this works perfectly. With application permissions, the backend updates in Intune are correct, but the Power Apps UI receives outdated or delayed data, which leads to the inconsistencies.
You can combine both using:
This architecture avoids all consistency issues.
=======================================================================
Best Fix: Add a 5–15 second consistency delay before reads
The most reliable solution is: After writing group membership (Add/Remove), wait 5–10 seconds before doing a read back, e.g.:
Set(varWait, Now());
While(Now() < DateAdd(varWait, 10, Seconds), true);
or just: TImer.start
Share
Report
All responses (
Answers (
64
