Duplicate Intune RBAC Roles | Endpoint Manager Roles

This post walks through the option that lets you duplicate Intune RBAC roles. Copying an existing role is a quick way for an MEM admin to create a custom Intune role that contains only the permissions required for a specific job function.

Role-based access control (RBAC) lets Intune admins control who can perform which Intune tasks within the enterprise. There are seven (7) built-in Intune roles (RBAC roles). You can create custom Intune roles if none of the built-in roles fits your scenario.

By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.

You can assign built-in roles to groups without further configuration. You can’t delete or edit the name, description, type, or permissions of a built-in role.

  1. Application Manager: Manages mobile and managed applications, can read device information, and view device configuration profiles.
  2. Endpoint Security Manager: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint.
  3. Help Desk Operator: Performs remote tasks on users and devices and can assign applications or policies to users or devices.
  4. Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It’s the only Intune role that can assign permissions to Administrators.
  5. Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
  6. Read Only Operator: Views user, device, enrollment, configuration, and application information. Can’t make changes to Intune.
  7. School Administrator: Manages Windows 10 devices in Intune for Education.

The addition of a duplicate profile feature for the settings catalog is likewise helpful for MEM admins, since it saves the time and effort of creating a profile from scratch.

Intune RBAC Strategic options – Video

In this video, we will explain Intune RBAC Strategic options | Role-Based Access Controls | Scope Groups | Intune Objects | Roles.

Intune RBAC Strategic options

Duplicate Intune RBAC Roles

You can duplicate both custom and built-in roles. Your account must have Global Administrator or Intune Service Administrator permissions in Azure AD to create, edit, or assign Intune roles. Here is how you duplicate Intune RBAC roles:

  • Login to the Endpoint Manager Admin Center https://endpoint.microsoft.com/
  • Navigate to Tenant administration > Roles > All roles.
Endpoint Manager All Roles - Duplicate Intune RBAC Roles

Select the checkbox for a role in the list, and choose Duplicate. For example, I duplicated the Read Only Operator role and removed certain permissions that were not needed.


Alternatively, right-click the role, or open the ellipsis context menu (…) at the end of the same row, and select Duplicate.

Note – You can’t delete or edit the name, description, type, or permissions of a built-in role. By duplicating an existing built-in role, you can create your own role with custom permissions.

Select Role - Duplicate Intune RBAC Roles

A Duplicate role window opens. Enter a new Name and Description for the role. Make sure the name is unique.

Specify Name, Descriptions for the role - Duplicate Intune RBAC Roles

All the permissions and scope tags from the original role are already selected. You can change the permissions in each available category. The following permissions are available when creating custom roles.

Configure Roles - Duplicate Intune RBAC Roles

On the Scope tags page, you can assign scope tags so that the role is visible only to specific IT groups. Add scope tags and click Next.

Configure Scope tags - Duplicate Intune RBAC Roles

On the Review + create page, review the role settings you configured, then click Create.

Review Assigned Roles - Duplicate Intune RBAC Roles

A notification appears automatically in the top right-hand corner. Here you can see the message Read Only Access – Device successfully created.

Click the Refresh button at the top to see the new role in the list. The duplicated custom Intune role now appears in the roles list.

I’ve duplicated the Read Only Operator role, removed certain permissions that are not needed, and scoped it to a group containing a list of members and assigned roles.

Custom Intune Role - Duplicate Intune RBAC Roles

You can create a custom Intune role that includes any permissions required for a specific job function. After creating a custom role, you can assign it to any users that need those permissions.
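The same duplicate-and-trim procedure can be scripted against Microsoft Graph, which is useful when you want the custom role to be reproducible and want to verify least privilege automatically. The script below is an added example and is not part of the original post or of any Microsoft tooling. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds Intune Service Administrator or Global Administrator, and that the beta roleDefinitions endpoint is used. The role names, the $KeepPattern regular expression and the scope tag id "0" are placeholders chosen for this example.

```powershell
# Added example (not from the original post): duplicate a built-in Intune role
# through Microsoft Graph, keep only a subset of its permissions, and verify
# that the new role grants nothing the source role did not.

Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All"

$SourceRoleName = "Read Only Operator"            # built-in role to copy
$NewRoleName    = "Read Only Access - Device"     # name used in the post
$KeepPattern    = '^ManagedDevices_'              # placeholder: keep only device-related actions

$base = "https://graph.microsoft.com/beta/deviceManagement/roleDefinitions"

# 1. Fetch all role definitions and pick the built-in source role (client-side filter).
$all = (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject).value
$src = $all | Where-Object { $_.displayName -eq $SourceRoleName -and $_.isBuiltIn } |
       Select-Object -First 1
if (-not $src) { throw "Source role '$SourceRoleName' not found" }

# Flatten rolePermissions[].resourceActions[].allowedResourceActions[] into one list.
$srcActions = @($src.rolePermissions.resourceActions.allowedResourceActions | Sort-Object -Unique)

# 2. Trim: keep only the actions matching the pattern (never add new ones).
$keep = @($srcActions | Where-Object { $_ -match $KeepPattern })
if ($keep.Count -eq 0) { throw "Pattern '$KeepPattern' matched no actions in '$SourceRoleName'" }

$body = @{
    "@odata.type"   = "#microsoft.graph.roleDefinition"
    displayName     = $NewRoleName
    description     = "Duplicated from '$SourceRoleName' with trimmed permissions"
    isBuiltIn       = $false
    roleScopeTagIds = @("0")   # placeholder: "0" is the default scope tag; use your own tag ids
    rolePermissions = @(
        @{ resourceActions = @(
            @{ allowedResourceActions = $keep; notAllowedResourceActions = @() }
        ) }
    )
}

$new = Invoke-MgGraphRequest -Method POST -Uri $base `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json" `
        -OutputType PSObject

# 3. Least-privilege check: the created role must be a strict subset of the source role.
$newActions = @($new.rolePermissions.resourceActions.allowedResourceActions)
$extra = @($newActions | Where-Object { $_ -notin $srcActions })
if ($extra.Count -gt 0) {
    throw "Custom role grants actions beyond the source role: $($extra -join ', ')"
}

"Created '$($new.displayName)' (id $($new.id)) with $($newActions.Count) of $($srcActions.Count) source actions"
```

Creating the definition is only half of the portal workflow described above: the assignment (which admin group gets the role, and which scope groups it applies to) is a separate object and is still done afterwards, either in the admin center or through the roleAssignments endpoint. Keeping the subset check in the script means a later edit to $KeepPattern cannot silently widen the role beyond what the built-in Read Only Operator already allowed.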

Video Tutorial – Intune RBAC Roles

🎥Explore Video Guide From HTMD Free Intune Training to Create Intune Custom RBAC Role, and understand more about Custom role permissions.

Video Tutorial – Intune RBAC Roles HTMD Free Intune Training

Intune Administrator role permissions

The Azure AD Intune Administrator directory role grants the following permissions, as listed in the table below.

| Action | Description |
| --- | --- |
| microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices |
| microsoft.directory/contacts/create | Create contacts |
| microsoft.directory/contacts/delete | Delete contacts |
| microsoft.directory/contacts/basic/update | Update basic properties on contacts |
| microsoft.directory/devices/create | Create devices (enroll in Azure AD) |
| microsoft.directory/devices/delete | Delete devices from Azure AD |
| microsoft.directory/devices/disable | Disable devices in Azure AD |
| microsoft.directory/devices/enable | Enable devices in Azure AD |
| microsoft.directory/devices/basic/update | Update basic properties on devices |
| microsoft.directory/devices/extensionAttributeSet1/update | Update the extensionAttribute1 to extensionAttribute5 properties on devices |
| microsoft.directory/devices/extensionAttributeSet2/update | Update the extensionAttribute6 to extensionAttribute10 properties on devices |
| microsoft.directory/devices/extensionAttributeSet3/update | Update the extensionAttribute11 to extensionAttribute15 properties on devices |
| microsoft.directory/devices/registeredOwners/update | Update registered owners of devices |
| microsoft.directory/devices/registeredUsers/update | Update registered users of devices |
| microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies |
| microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies |
| microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
| microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups |
| microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups |
| microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups |
| microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups |
| microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups |
| microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups |
| microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups |
| microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups |
| microsoft.directory/users/basic/update | Update basic properties on users |
| microsoft.directory/users/manager/update | Update manager for users |
| microsoft.directory/users/photo/update | Update photo of users |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.cloudPC/allEntities/allProperties/allTasks | Manage all aspects of Windows 365 |
| microsoft.intune/allEntities/allTasks | Manage all aspects of Microsoft Intune |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
