Let’s discuss the Intune Read-Only Admin and Scoped Admin console experience. This post is a continuation of my previous post – Intune Admin RBAC Implementation Guide with Scope tags and Scope groups.
In this post, you will learn what the Intune read-only admin and scoped admin experience looks like after implementing a Role-Based Access Control (RBAC) solution with scope tags and scope groups.
Read More on -> Duplicate Intune RBAC Roles | Endpoint Manager Roles.
Intune RBAC Strategic options – Video
In this video, we will explain Intune RBAC Strategic options | Role-Based Access Controls | Scope Groups | Intune Objects | Roles.
Scenarios – Intune Read-Only Admin and Scoped Admin
I have explained both of the following scenarios in the video tutorial below, which will also be published on the video blog https://howtomanagedevices.com/. The two Intune admin scenarios covered in this post are:
#1 – The first scenario is an Intune admin called Santy, who is a Read-Only admin. Her role assignment includes every scope tag, so she can view all the Intune objects in the tenant, including every scoped object, but she can only view them.
#2 – The second scenario is the Intune scoped admin console experience. Rateesh is an Intune admin for one of the office locations, Mumbai. He has full access to the devices and profiles (+ policies) for the Mumbai location, but he can’t view objects scoped to any other location.
Scope Tag Filtering Effect – Intune Portal
The following screenshot shows the effect of scope tag filtering on the Intune scoped admin. The Intune read-only admin (from the scenario above) has access to all the objects in Intune.
As you can see, the Intune read-only admin can view four (4) profiles in the Intune console, but the Intune scoped admin can view only three (3).
The scoped admin can, however, deploy or assign those three policies to his scope group (Mumbai Devices and Users), and he can change the settings of all three (3) device configuration profiles.
This difference is caused by scope tags. The scoped admin can only view:
- #1 – Objects scoped to Mumbai
- #2 – Non-scoped objects, i.e. objects that carry only the Default scope tag (Intune adds the Default tag to every untagged object, so the scoped admin’s role assignment must include Default for these to appear)
This scope filtering applies to devices and all the other supported object types I listed in the previous post. In this example, the scoped admin can view and administer only the one device scoped to his location, while the Intune read-only admin can view both devices.
Video Experience – Intune Read-Only Admin and Scoped Admin
This video tutorial will give you an experience of two different Intune Admin roles.
- Intune Read-Only Admin
- Intune Scoped Admin
Where can I check the permissions of an Intune Admin?
Intune troubleshooting is always a bit different from SCCM troubleshooting. SCCM RBAC can be troubleshot with the RBA Viewer (the Role-based Administration Modeling and Auditing tool), but Intune RBAC has no comparable tool. Instead, permission issues can be reviewed from the portal using the following method:
- Log in to the Azure portal with the Intune admin ID whose permissions you want to review
- Click Roles in the Intune blade
- Click My Permissions in the Monitor section
- Check the Resource and Permission table on the right side of the blade
- Click the EXPORT button to export all the permissions to CSV
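The scope-tag filtering from the two scenarios above and the Resource / Permission table shown on the My Permissions blade can be modelled in a few lines. The following Python is an added example written for this post, not code from the original page or from Microsoft. The admin UPNs, group names, object names and the "Resource/Permission" action strings are constructed for the model, and it assumes the rule the post describes: an object is visible (and actionable) when its scope tags intersect the tags on one of the admin's role assignments, with the Default tag standing in for untagged objects.

```python
"""Model of Intune RBAC scope-tag filtering and the My Permissions table.

Added example for this post, not code from the original page or from Intune.
Rule modelled: an admin sees and acts on an object only if its scope tags
intersect the tags on one of their role assignments; untagged objects carry
the Default tag. UPNs, groups, object names and action strings are constructed.
"""
import csv
import io
from dataclasses import dataclass

DEFAULT_TAG = "Default"  # Intune adds this scope tag to every untagged object


@dataclass(frozen=True)
class IntuneObject:
    name: str
    kind: str              # "DeviceConfiguration" or "ManagedDevice"
    scope_tags: frozenset  # explicit tags; empty means "untagged"

    def effective_tags(self) -> frozenset:
        return self.scope_tags or frozenset({DEFAULT_TAG})


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    allowed_actions: frozenset  # "Resource/Permission" strings


@dataclass(frozen=True)
class RoleAssignment:
    role: RoleDefinition
    members: frozenset       # admin UPNs holding this assignment
    scope_groups: frozenset  # groups the admin may target
    scope_tags: frozenset    # scope tags granted by this assignment


def assignments_for(admin: str, assignments) -> list:
    return [a for a in assignments if admin in a.members]

def visible_objects(admin: str, assignments, objects) -> list:
    """Scope-tag filter: keep objects sharing a tag with any of the admin's assignments."""
    granted = frozenset().union(*(a.scope_tags for a in assignments_for(admin, assignments)))
    return [o for o in objects if o.effective_tags() & granted]

def count_visible(admin: str, assignments, objects, kind: str) -> int:
    return sum(1 for o in visible_objects(admin, assignments, objects) if o.kind == kind)

def can(admin: str, assignments, action: str, obj: IntuneObject, target_group=None) -> bool:
    """True when one assignment allows the action, shares a tag with obj and,
    when a target group is given (Assign), lists that group in its scope groups."""
    for a in assignments_for(admin, assignments):
        if action not in a.role.allowed_actions or not (a.scope_tags & obj.effective_tags()):
            continue
        if target_group is not None and target_group not in a.scope_groups:
            continue
        return True
    return False

def effective_permissions(admin: str, assignments) -> list:
    """(Resource, Permission) rows, like the table on the My Permissions blade."""
    rows = {tuple(action.split("/", 1))
            for a in assignments_for(admin, assignments) for action in a.role.allowed_actions}
    return sorted(rows)

def export_csv(admin: str, assignments) -> str:
    """The same rows the EXPORT button produces, as CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Resource", "Permission"])
    writer.writerows(effective_permissions(admin, assignments))
    return buf.getvalue()


# Constructed sample tenant matching the two scenarios in the post.
READ_ONLY = RoleDefinition("Read Only Operator",
                           frozenset({"DeviceConfigurations/Read", "ManagedDevices/Read"}))
MUMBAI_ADMIN = RoleDefinition("Mumbai Device Admin", frozenset({
    "DeviceConfigurations/Read", "DeviceConfigurations/Update", "DeviceConfigurations/Assign",
    "ManagedDevices/Read", "ManagedDevices/Update"}))
SANTY, RATEESH = "santy@contoso.example", "rateesh@contoso.example"

ASSIGNMENTS = [
    RoleAssignment(READ_ONLY, frozenset({SANTY}), frozenset({"All Devices"}),
                   frozenset({DEFAULT_TAG, "Mumbai", "Bangalore"})),
    # Rateesh's assignment includes Default, so non-scoped objects are visible to him too.
    RoleAssignment(MUMBAI_ADMIN, frozenset({RATEESH}), frozenset({"Mumbai Devices and Users"}),
                   frozenset({DEFAULT_TAG, "Mumbai"})),
]
OBJECTS = [
    IntuneObject("Wi-Fi baseline", "DeviceConfiguration", frozenset()),  # non-scoped
    IntuneObject("Mumbai BitLocker", "DeviceConfiguration", frozenset({"Mumbai"})),
    IntuneObject("Mumbai VPN", "DeviceConfiguration", frozenset({"Mumbai"})),
    IntuneObject("Bangalore VPN", "DeviceConfiguration", frozenset({"Bangalore"})),
    IntuneObject("MUM-LAPTOP-01", "ManagedDevice", frozenset({"Mumbai"})),
    IntuneObject("BLR-LAPTOP-01", "ManagedDevice", frozenset({"Bangalore"})),
]
```

Calling `count_visible` for the two admins reproduces the numbers from the screenshots (four profiles and two devices for the read-only admin, three profiles and one device for the Mumbai admin), `can` shows that the Mumbai admin may update and assign the non-scoped profile to his own scope group but cannot target another group or see the Bangalore profile, and `export_csv` gives the same Resource/Permission rows the EXPORT button does. Removing the Default tag from Rateesh's assignment hides the non-scoped profile as well, which is the first thing to check when a scoped admin reports missing objects.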
Resource
- Intune Role-Based Administration RBAC
- Intune Read-Only Experience to Create Read Only Operators
- Role-based administration control (RBAC) with Microsoft Intune
- Using the New Role Based Access Controls in Intune
Hi, please let me know if it is possible to show only the devices that a delegated admin can manage using scope tags. Please refer to this article https://www.petervanderwoude.nl/post/intune-role-based-administration-control-and-devices/
I tested it but it doesn’t work for me.
Have you checked my post here https://www.anoopcnair.com/intune-scope-tags-guide/ ? Are you looking for automatic device scope possibilities?
I checked your post; for now, I want to see this feature working for managed devices. I configured all you mentioned in the post, but it still doesn’t work. A restricted admin can see all my devices. I manually assigned a tag to some devices and configured that tag for a restricted group of admins, but these restricted admins can still see all the devices I have in Intune (but not manage all of them). I just want to show the tagged managed devices to them. As you mentioned in the post, could it be that this feature is not working for managed devices for now?
It didn’t work for me, as I mentioned in the post. But I don’t know whether this is FIXED or not. But I know there is some work going on within Intune RBAC.
Ok, thanks for your post!
Thank you for the support!