Duplicate Intune RBAC Roles | Endpoint Manager Roles

In this post, you will see the option that allows you to duplicate Intune RBAC roles. Copying an existing role helps MEM admins create a custom Intune role that includes any permissions required for a specific job function.

Role-based access control (RBAC) helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are seven (7) built-in Intune roles (RBAC roles). You can create custom Intune roles if none of the provided roles supports your scenario.

By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.


You can assign built-in roles to groups without further configuration. You can’t delete or edit the name, description, type, or permissions of a built-in role.

  1. Application Manager: Manages mobile and managed applications, can read device information, and view device configuration profiles.
  2. Endpoint Security Manager: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint.
  3. Help Desk Operator: Performs remote tasks on users and devices and can assign applications or policies to users or devices.
  4. Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It’s the only Intune role that can assign permissions to Administrators.
  5. Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
  6. Read Only Operator: Views user, device, enrollment, configuration, and application information. Can’t make changes to Intune.
  7. School Administrator: Manages Windows 10 devices in Intune for Education.

The addition of a duplicate profile feature for the settings catalog will also help MEM admins save the time and effort of creating a profile from scratch.

Duplicate Intune RBAC Roles

You can duplicate both custom and built-in roles. Your account must have Global Administrator or Intune Service Administrator permissions in Azure AD to create, edit, or assign Intune roles. Here’s how you can duplicate Intune RBAC Roles –

  • Log in to the Endpoint Manager Admin Center https://endpoint.microsoft.com/
  • Navigate to Tenant administration > Roles > All roles.
Endpoint Manager All Roles - Duplicate Intune RBAC Roles

Select the checkbox for a role in the list, and choose Duplicate. For example, I duplicated the Read Only Operator role and removed certain permissions that were not needed.

Right-click on the role and select the ellipsis context menu (…) in the same row. Select Duplicate.

Note – You can’t delete or edit the name, description, type, or permissions of a built-in role. By duplicating an existing built-in role, you can create your own roles with custom permissions.

Select Role - Duplicate Intune RBAC Roles

A Duplicate role window opens. Enter the new Name and Description for the role. Make sure to use a unique name.

Specify Name, Descriptions for the role - Duplicate Intune RBAC Roles

All the permissions and scope tags from the original role will already be selected. You can change the permissions for each available category. The following permissions are available when creating custom roles.

Configure Roles - Duplicate Intune RBAC Roles

On the Scope tags page, you can assign a tag to filter the profile to specific IT groups. Add scope tags and click Next.

Configure Scope tags - Duplicate Intune RBAC Roles

On Review + create, review assigned roles. Click on Create.

Review Assigned Roles - Duplicate Intune RBAC Roles

A notification will appear automatically in the top right-hand corner with a message. Here you can see, Read Only Access – Device successfully created.

Click the Refresh button at the top to quickly see the roles. You will be able to see the Custom Intune role duplicated in the roles list.

I’ve duplicated the Read Only Operator role, removed certain permissions that are not needed, and scoped to a group containing a list of members and assigned roles.

Custom Intune Role - Duplicate Intune RBAC Roles

You can create a custom Intune role that includes any permissions required for a specific job function. After creating a custom role, you can assign it to any users that need those permissions.
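The duplicate-then-trim workflow above can be checked before a role is created. The following is an added example, not code from the original post: it models a role as a dict shaped like the Microsoft Graph `roleDefinition` resource, builds the body for a trimmed copy, and reports any permission the copy grants beyond its source. The function names, the description text and the sample permission list are constructed for illustration.

```python
import json

def allowed_actions(role):
    """Flatten every allowedResourceActions entry of a roleDefinition-shaped dict."""
    return {
        action
        for perm in role.get("rolePermissions", [])
        for res in perm.get("resourceActions", [])
        for action in res.get("allowedResourceActions", [])
    }

def duplicate_role(source, name, description, remove, existing_names):
    """Build the body for a custom copy of `source` with `remove` stripped out."""
    if name.strip().lower() in {n.strip().lower() for n in existing_names}:
        raise ValueError(f"role name already in use: {name!r}")
    src = allowed_actions(source)
    unknown = set(remove) - src
    if unknown:  # a typo here would silently leave a permission in place
        raise ValueError(f"not granted by source role: {sorted(unknown)}")
    kept = sorted(src - set(remove))
    return {
        "displayName": name,
        "description": description,
        "isBuiltIn": False,  # the copy is a custom role, so it stays editable
        "rolePermissions": [{"resourceActions": [
            {"allowedResourceActions": kept, "notAllowedResourceActions": []}]}],
    }

def escalation(source, candidate):
    """Actions the candidate grants that the source does not (should be empty)."""
    return sorted(allowed_actions(candidate) - allowed_actions(source))

# Constructed sample standing in for the built-in Read Only Operator role;
# the three action names are illustrative, not the role's full permission set.
READ_ONLY_OPERATOR = {
    "displayName": "Read Only Operator",
    "isBuiltIn": True,
    "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
        "Microsoft.Intune_ManagedDevices_Read",
        "Microsoft.Intune_ManagedApps_Read",
        "Microsoft.Intune_Organization_Read",
    ], "notAllowedResourceActions": []}]}],
}

if __name__ == "__main__":
    body = duplicate_role(
        READ_ONLY_OPERATOR, "Read Only Access – Device", "Device read-only view",
        remove=["Microsoft.Intune_ManagedApps_Read"],
        existing_names=["Read Only Operator", "Help Desk Operator"])
    print(json.dumps(body, indent=2, ensure_ascii=False))
    print("escalation:", escalation(READ_ONLY_OPERATOR, body))
```

Running `escalation` against roles exported from the tenant is a quick review step whenever a duplicated role is later edited, since permissions can be added to a custom copy as easily as removed.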

Video Tutorial – Intune RBAC Roles

🎥Explore Video Guide From HTMD Free Intune Training to Create Intune Custom RBAC Role, and understand more about Custom role permissions.


Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
