Create Custom Roles RBAC in Intune

Hello everyone, I’m back with another exciting topic for today. Let’s learn how to create custom roles (Role-Based Access Control) in Intune. In this post, we’ll explore the RBAC roles available in Intune and the steps to create custom roles in Microsoft Intune.

A couple of weeks back, I met a friend whose organization (which is relatively small) is evaluating Intune for their device management. We were conversing about it, and he asked me how granular the access controls in Intune can be for an organization. Then I realized we should have a post on custom roles that you can reference when creating them in your own organization.

Intune has some built-in roles and also allows organizations to create custom roles as required. The built-in roles cannot be edited, but we can assign them to admins so they can perform their admin tasks. With custom roles, Intune provides granular control, and we can create a role that matches our exact requirements.

You may ask why we need role-based access control in Intune, and the answer is simple: we cannot give the Intune Service Administrator role to everyone. A helpdesk person doesn’t need edit access to compliance policies or configuration profiles. They require only read access to view the policies or the devices enrolled in Intune. If we give a helpdesk full access, there is a high chance of policies being edited unintentionally.


Built-in Roles in Intune

Before jumping into creating one, let’s look at the built-in roles that Intune provides by default. Intune provides 10 built-in roles. We can assign these roles to a group of users, but we cannot edit their names, permissions, or descriptions. The table below lists the built-in roles available in Intune.

| Role | Description |
| --- | --- |
| Application Manager | This role provides access to manage policies in Intune. |
| Endpoint Security Manager | The Endpoint Security Manager can manage the security baselines, device compliance, conditional access, and Microsoft Defender ATP. |
| Endpoint Privilege Manager | This role enables admins to manage Endpoint Privilege Management policies in the Intune console. |
| Read Only Operator | Read-only operators can view all configurations, policies, devices, and enrollment information but cannot make changes. |
| Intune Role Administrator | This Intune role provides access to manage the Intune built-in roles and assign them to others. |
| Help Desk Operator | Admins with this role can perform remote tasks on users and devices. They can also assign applications or policies to users or devices. |
| Endpoint Privilege Reader | These admins can manage all the policies and profiles, such as compliance policies, configuration profiles, Apple enrollment, Android Enterprise enrollment profiles, and corporate device identifiers. |
| Organizational Messages Manager | Organizational Messages Managers can manage the organizational messages. |
| School Administrator | These admins can manage apps and settings for their groups. They can perform remote actions on devices, including remotely locking them, restarting them, and retiring them from management. |
| Policy and Profile Manager | These admins can manage all the policies and profiles, such as compliance policies, configuration profiles, Apple enrollment, Android Enterprise enrollment profiles, and corporate device identifiers. |
Create Custom Roles (Role Base Access Control) in Intune – Table 1

You can check the built-in roles available in Intune by signing in to the Microsoft Intune admin center and going to Tenant administration > Roles. This lists all the built-in roles available in Intune. You can refer to the screenshot below.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 1

The built-in roles listed above are available in all tenants, and Microsoft keeps updating them and adding new ones. We can use these roles to restrict access to Intune according to the roles in your organization.

If you want a role in which an admin can perform application management as well as manage policies and profiles, we can create a custom role that combines those permissions and assign it to a group through role-based access control.


Create Custom Roles in Intune

I hope you now understand the built-in roles and where they are used. Now, let’s discuss custom roles in Intune. As the name suggests, a custom role is one we define ourselves to match our organizational requirements.

Before creating any role, please discuss it with your security team or your operations team and define an RBAC model. Let’s see how we can make a custom role.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 2

Provide the name and description for the custom role on the Basics page. In this example, I’m creating a custom role with L2-level access. After providing the Name and Description, click Next to proceed to the Permissions page.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 3

The Permissions page is where we define the permissions for the role. All permissions are grouped into categories, and within each category we can grant Create, Delete, Read, Update, and Assign, depending on what that category supports.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 4

For our testing, I will set permissions for a few categories, such as Device Configurations and Device Compliance. Under the Device Configurations category, I’m granting permission to Create, Assign, and Read the policies. So any admin with this role cannot delete or update the device configuration policies.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 5

Under the Device Compliance Policies permission category, I’m enabling Read, Update, and Delete for compliance policies. I’m also enabling a few other read-only permissions under the Managed Apps and Mobile Apps categories.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 6

At an L2 level, admins will have read-only access to most of the categories in Intune, so for our testing I have chosen only a few categories. You can configure the categories as per your organizational requirements. Now click Next to go to the Scope tags page.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 7

Assign scope tags if you have any. Click Next to review the configured permissions and create the custom role. Once it is created, the custom role appears under the Roles section; click it to assign the role to user groups.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 8

On the Roles page, the Type column shows Built-in Role for the built-in roles and Custom Intune Role for the custom role. This is how Intune differentiates custom roles from built-in ones.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 9

Assign Custom Role to User Groups

We have successfully created the custom role. Now we need to assign it to user groups. To assign the custom role, follow the steps below.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 10

Assigning custom roles to admins is a bit different from the regular assignment of apps or policies. Open the custom role and click Assignments. A role can have several assignments, each with its own scope. Provide a name and description for the assignment.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 11

Click Next to go to the Admin Groups page, then click Add Groups and search for the group. We have created a group named L2 Admin_testing and add it under the admin groups. Users in this group will get this role’s access to Intune. Now click Next to go to the Scope Groups page.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 12

Under Scope groups, we need to add specific scope groups, or choose all devices or all users. If you add a few groups, the admin-group members will have access only to those groups of users or devices. If you want to limit access to specific departments, define the department groups under scope groups; otherwise, assign all users or all devices.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 13

I’m choosing all users for testing. Now click Next to go to the Scope tags page. Scope tags determine which objects admins can see. When you add scope tags, the admins in scope for this custom role can view or edit (according to the custom role’s permissions) only the policies and profiles that carry the same scope tags.

In our example, the role can view compliance and configuration policies. If I add a scope tag to the custom role assignment, I can view all the configuration or compliance policies that carry the same scope tag. Otherwise, I cannot view them, even though I have read or edit access to compliance policies or configuration policies.

I do not have any scope tags, so I proceed to the Review + Create page. Review all the settings; if you need to make any changes, you can edit them before creating. Once you have finalised the settings, click Create.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 14

This creates the assignment for the L2 custom role, and you can see it listed under the role. Similarly, we can have multiple assignments for a single Intune custom role. This way, Intune gives organizations very granular control over access.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 15

So far, we have seen the step-by-step process to create a custom role, create an assignment, and assign it to specific user groups. Now let’s see, in the User Experience section, how the assignment behaves for an admin who holds the L2 custom role.

User Experience

Now let’s see how it looks when an admin who is part of the custom role logs into the Intune console. I have a test account to which I assigned the custom role created above, and I sign in to Intune with the test account’s credentials.

Create Custom Roles (Role-Based Access Control) in Intune Fig: 16

Once logged in, I opened Compliance policies and selected Create a new compliance policy. I was able to proceed to the end of the creation wizard, but when I clicked Create, I got the error shown in the screenshot above: “You don’t have enough permissions to update this configuration to one or more of your selected groups, contact your administrator”.

The error occurs because I did not grant Create for compliance policies in the HTMD Custom role_L2 role. By contrast, I can create a configuration policy because the role grants Create for device configurations. Likewise, I can view the apps but not add any apps to Intune. This way, we can give admins the access they require instead of full Intune access.
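To make the role, the assignment, and the resulting allow/deny behaviour concrete, here is an added example (not from the original post, and not Intune’s own code) that builds the HTMD Custom role_L2 definition and its assignment as Graph API request bodies and then reproduces the checks behind the User Experience section: configuration-policy create allowed, compliance-policy create denied, and scope-tag visibility. The resource-action names, payload shapes, scopeType values and the default scope tag "0" are assumptions modelled on the beta deviceManagement/roleDefinitions and roleAssignments API; group and role IDs are placeholders.

```python
# Action names and payload shapes are assumptions modelled on the Intune Graph
# roleDefinitions / roleAssignments (beta) API; confirm against your tenant's
# GET /beta/deviceManagement/resourceOperations before use.
L2_ALLOWED_ACTIONS = [
    "Microsoft.Intune_DeviceConfigurations_Create",
    "Microsoft.Intune_DeviceConfigurations_Assign",
    "Microsoft.Intune_DeviceConfigurations_Read",
    "Microsoft.Intune_DeviceCompliancePolices_Read",  # "Polices" as spelled by the API (assumed)
    "Microsoft.Intune_DeviceCompliancePolices_Update",
    "Microsoft.Intune_DeviceCompliancePolices_Delete",
    "Microsoft.Intune_ManagedApps_Read",
    "Microsoft.Intune_MobileApps_Read",
]

def build_role_definition(name, description, allowed):
    """Body for POST /beta/deviceManagement/roleDefinitions (the Basics + Permissions pages)."""
    return {
        "@odata.type": "#microsoft.graph.roleDefinition",
        "displayName": name,
        "description": description,
        "isBuiltIn": False,
        "rolePermissions": [{"resourceActions": [
            {"allowedResourceActions": list(allowed), "notAllowedResourceActions": []}]}],
    }

def build_role_assignment(name, role_id, admin_groups, scope_groups=None, scope_tags=()):
    """Body for POST /beta/deviceManagement/roleAssignments; scope_groups=None is 'All users'."""
    body = {
        "@odata.type": "#microsoft.graph.deviceAndAppManagementRoleAssignment",
        "displayName": name,
        "roleDefinition@odata.bind":
            f"https://graph.microsoft.com/beta/deviceManagement/roleDefinitions/{role_id}",
        "members": list(admin_groups),          # Entra group object IDs of the admins
        "roleScopeTagIds": list(scope_tags),
        "scopeType": "allLicensedUsers" if scope_groups is None else "resourceScope",
    }
    if scope_groups is not None:
        body["resourceScopes"] = list(scope_groups)   # groups the admins may act on
    return body

def is_action_allowed(role_def, action):
    """The check behind the post's 'not enough permissions' error on compliance-policy create."""
    allowed = {a for p in role_def["rolePermissions"]
               for ra in p["resourceActions"] for a in ra["allowedResourceActions"]}
    return action in allowed

def can_see_object(assignment, object_scope_tags):
    """Visible only if the object shares a scope tag with the assignment (no tags = Default tag "0")."""
    tags = set(assignment["roleScopeTagIds"]) or {"0"}
    return bool(tags & set(object_scope_tags))
```

Send the two bodies with an account holding the Intune Role Administrator role (or equivalent Graph permission), and re-run is_action_allowed against the live definition whenever the role is edited to catch permission drift.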

Conclusion

Intune gives organizations real flexibility through custom roles. By creating custom roles tailored to their specific needs, admins can keep their organization’s data and devices secure while still giving team members the permissions they need to do their jobs efficiently.

This step-by-step guide can help administrators design custom roles that balance granting sufficient permissions with maintaining tight security controls. Regularly reviewing and refining custom roles will keep the endpoint environment both secure and efficiently managed.


Author

About Author – Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.
