Hi all, Just wondering if any one can explain exactly why 'User Impersonation' is configured in the API Permissions for the CMG Native/Client App. Its detailed here how to enable it, but cannot find a statement indicting WHY it is needed. Look at ( 6 c) https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/manually-register-azure-ad-apps#register-the-native-client-app ![49177-image.png][1] [1]: /answers/storage/attachments/49177-image.png Note: user.imperosanation is enabled when these apps are created automatically as part of the CMG setup process