📱 Recipe · Intune & Device Management

Inventory Installed Software (Detected Apps) on a User's Intune-Managed Devices

Enumerate a user's Intune-managed devices and retrieve the detected applications inventory via the Microsoft Endpoint Manager admin center, Graph API, or PowerShell

Complexity

Intermediate

Impact

device-management + software-inventory + audit + help-desk + intune

Context

Why This Matters

Why this recipe exists

When supporting an end user — during a help desk ticket, license reconciliation, software audit, or security incident — administrators frequently need to know exactly what software is installed on that person's managed devices. Intune collects this data automatically from enrolled Windows, macOS, iOS, and Android devices and exposes it as the detectedApps collection on each managedDevice.

When to run it

  • A user reports a problem with a specific application and you need to confirm the version installed.
  • You are investigating whether a vulnerable or unauthorized piece of software is present on a user's endpoints.
  • You are preparing for a hardware refresh, role change, or offboarding and want a full software footprint.
  • You are validating that required line-of-business apps were successfully installed by Intune.

Important prerequisite

Reading Intune managed device data requires an account with an Intune-aware admin role (Intune Administrator, Global Reader, Helpdesk Operator, or equivalent). Simply granting the Graph scope DeviceManagementManagedDevices.Read.All is not sufficient — the signed-in principal must also hold a role that grants read access in the Intune RBAC model. Unless both the scope and the role are present, the /deviceManagement/managedDevices endpoints return 401/403 Forbidden.

Expected Outcomes

What you will have when you finish

  • A confirmed list of the user's Intune-managed devices, including device ID, name, OS, model, last check-in, and compliance state.
  • For each device, the full detected apps inventory — display name, version, publisher, size, and device count.
  • A consolidated, deduplicated software list suitable for pasting into a ticket, CSV export, or audit report.
  • A reusable PowerShell script that can be re-run on any user by changing a single parameter.

Risks & Considerations

Things to watch out for

  • Registered ≠ Managed. /users/{id}/registeredDevices returns Entra ID device objects, which include BYOD and Workplace-Joined devices that may not be Intune-enrolled. Only devices that appear under /deviceManagement/managedDevices will have a detectedApps inventory.
  • Detected apps is not real-time. Intune refreshes the inventory approximately every 7 days on Windows and at each check-in on mobile platforms. Recent installs or uninstalls may not appear immediately.
  • Win32 vs. MSI scope. On Windows, detected apps reports Win32 apps registered under Add/Remove Programs. Per-user MSIX/AppX packages and portable executables are not included.
  • Permission escalation. DeviceManagementApps.Read.All and DeviceManagementManagedDevices.Read.All expose tenant-wide software and hardware data. Grant only to principals that already have a matching Intune role; do not grant broadly to service principals without justification.
  • Privacy. In some jurisdictions, personal device software inventory may be regulated. Confirm your organization's BYOD and privacy policies before sharing the output with non-IT stakeholders.

Required Permissions

| Permission | Why It's Needed |
| --- | --- |
| User.Read.All | Resolve the user's object ID from their UPN or display name. |
| Directory.Read.All | Enumerate registered and owned devices via /users/{id}/registeredDevices. |
| DeviceManagementManagedDevices.Read.All | List Intune-managed devices and read per-device metadata. |
| DeviceManagementApps.Read.All | Read the detectedApps collection on each managed device. |
| Intune role: Global Reader, Intune Administrator, or Helpdesk Operator | Required in addition to Graph scopes — Intune enforces its own RBAC layer on top of delegated/application permissions. |
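
The expected outcomes above mention a reusable PowerShell script; the following is an added example of one, not code from the original recipe or from Microsoft. It assumes the Microsoft.Graph.Authentication module is installed, uses the Graph beta endpoint for the per-device detectedApps collection (the page does not name an API version), and writes to a placeholder CSV file name.

```powershell
# Added example (not from the original recipe). Change only -UserPrincipalName per run.
param([Parameter(Mandatory)][string]$UserPrincipalName)

# Assumption: beta endpoint, where managedDevice exposes the detectedApps navigation.
$base = 'https://graph.microsoft.com/beta'

# Read-only scopes from the permissions table; the signed-in account must also hold
# an Intune role, otherwise the calls below fail with 401/403.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementApps.Read.All' | Out-Null

function Get-GraphPaged([string]$Uri) {
    # Emit every item of a Graph collection, following @odata.nextLink paging.
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# Escape quotes for the OData literal, then URL-encode the whole filter expression.
$upn     = $UserPrincipalName.Replace("'", "''")
$filter  = [uri]::EscapeDataString("userPrincipalName eq '$upn'")
$devices = @(Get-GraphPaged ($base + '/deviceManagement/managedDevices?$filter=' + $filter))
if ($devices.Count -eq 0) {
    # Registered-only (Entra ID) devices never show up here and have no detectedApps.
    Write-Warning "No Intune-managed devices found for $UserPrincipalName."
    return
}

$inventory = foreach ($d in $devices) {
    foreach ($a in (Get-GraphPaged "$base/deviceManagement/managedDevices/$($d.id)/detectedApps")) {
        [pscustomobject]@{
            Device      = $d.deviceName
            OS          = "$($d.operatingSystem) $($d.osVersion)"
            Compliance  = $d.complianceState
            LastCheckIn = $d.lastSyncDateTime
            App         = $a.displayName
            Version     = $a.version
            Publisher   = $a.publisher
        }
    }
}

# Per-device view on the pipeline, then a deduplicated list (one row per app + version).
$inventory | Sort-Object Device, App
$inventory | Sort-Object App, Version -Unique |
    Select-Object App, Version, Publisher |
    Export-Csv -Path '.\detected-apps.csv' -NoTypeInformation   # placeholder file name
```

Because the inventory refreshes on the schedule described under Risks & Considerations, compare each device's LastCheckIn value before treating a missing app as uninstalled.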

The fastest way to get this done — just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Inventory all software installed on {user}'s Intune-managed devices. List each device with OS, compliance state, and last check-in, then show the detected apps (name, version, publisher) per device and a consolidated deduplicated list across all their devices. Flag anything unusual (e.g., outdated browsers, unapproved remote-access tools).

For End Users

How an employee would ask Dex for help

Can you tell me what software is installed on my work laptop? I need a list for an audit.