In the post, You will see the details about the option that allows you to duplicate Intune RBAC roles. You can easily copy an existing role that will be helpful for MEM admin to create a custom Intune role that includes any permissions required for a specific job function.
Role-based access control (RBAC) helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are seven (7) built-in Intune roles (RBAC roles). You can create custom Intune roles if none of the provided roles supports your scenario.
By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.
You can assign built-in roles to groups without further configuration. You can’t delete or edit the name, description, type, or permissions of a built-in role.
- Application Manager: Manages mobile and managed applications, can read device information, and view device configuration profiles.
- Endpoint Security Manager: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint.
- Help Desk Operator: Performs remote tasks on users and devices and can assign applications or policies to users or devices.
- Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It’s the only Intune role that can assign permissions to Administrators.
- Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
- Read Only Operator: Views user, device, enrollment, configuration, and application information. Can’t make changes to Intune.
- School Administrator: Manages Windows 10 devices in Intune for Education.
The addition of a duplicate profile feature for the settings catalog will also be helpful for MEM admin in terms of time savior and effort to create a profile from scratch.
- Intune Role-Based Administration RBAC In Endpoint Manager Portal
- Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access
- Create Custom Intune Helpdesk Operator Role
Duplicate Intune RBAC Roles
You can duplicate both custom and built-in roles. Your account must have Global Administrator or Intune Service Administrator permissions in Azure AD to create, edit, or assign Intune roles. Here’s how you can duplicate Intune RBAC Roles –
- Login to the Endpoint Manager Admin Center https://endpoint.microsoft.com/
- Navigate to Tenant administration > Roles > All roles.
Select the checkbox for a role in the list, and choose Duplicate. For Example, I duplicated the Read Only Operator role and removed certain permissions that were not needed.
Right-click on the role and select the ellipses context menu (…) in the same row. Select Duplicate.
Note – You can’t delete or edit the name, description, type, or permissions of a built-in role. By duplicating existing built-in roles, You can create your roles with custom permissions.
A Duplicate roles window and Enter the new Name and Description for the roles. Make sure to use a unique name.
All the permissions and scope tags from the original role will already be selected. You can change the roles for the available category. The following permissions are available when creating custom roles.
On the Scope tags page, you can assign a tag to filter the profile to specific IT groups. Add scope tags and click Next.
On Review + create, review assigned roles. Click on Create.
A notification will appear automatically in the top right-hand corner with a message. Here you can see, Read Only Access – Device successfully created.
Click the Refresh button at the top to quickly see the roles. You will be able to see the Custom Intune role duplicated in the roles list.
I’ve duplicated the Read Only Operator role, removed certain permissions that are not needed, and scoped to a group containing a list of members and assigned roles.
You can create a custom Intune role that includes any permissions required for a specific job function. After creating a custom role, you can assign it to any users that need those permissions.
Video Tutorial – Intune RBAC Roles
🎥Explore Video Guide From HTMD Free Intune Training to Create Intune Custom RBAC Role, and understand more about Custom role permissions.
Author
About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.