Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access? We will discuss the access rights of the build-in Intune RBA role called Intune Application Manager.
Ideally, this role should have access to administrate Managed apps, Mobile apps and read device information depending upon the scope of users/devices assigned to this role.
Do you know what the scope is? “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already there in SCCM 2012 and CB console. I’ve another post that talks about Configuration manager RBAC detail here.
Intune Application Policy Manager
In this post, we will see the permissions associated with Intune application manager build-in role. As per the Microsoft documentation, this role is to “Manage and deploy applications and profiles”.
We will do a deep dive into this topic and explain the exact actions an Intune app admin can perform from the MEM portal. Following are the access permissions given to Intune APP Manager RBAC role.
Assign managed apps to a security group
Create managed apps
Delete managed apps
Read managed apps
Update managed apps
Wipe Managed apps Managed Devices
No Access to delete devices
Access to read device information
No Access to update device properties Mobile Apps
Assign mobile apps to a security group
Create mobile apps
Delete mobile apps
Read mobile apps
Update mobile apps Overall Access Rights of Intune tiles
- It is allowed to administrate some actions in managing apps and configuring devices tiles.
- Access is denied to perform any activities in Conditional Access, Device Enrollment, Access control, and Set device compliance tiles.
- Allowed to set up certificate authority in Configure devices tile. However, no access to view profiles.
- Allowed to view the device information in the Device and Groups tile.
- Access is denied to create/delete new/existing groups or users profiles. It doesn’t matter whether the Intune policy manager is editing the groups in SCOPE or not. In a lot of places, save and add buttons are enabled, but when we try to save, it will give an error.
- Access is denied to change device and user settings in the Manage user tile.
- Access is denied to access Intune Silverlight console.
- Access is denied to Intune App Protection section. Intune mobile application management is not allowed for Intune App Managers. All these app protection options are probably already part of Intune – Manage Apps tab in the Azure portal.
Access rights – Manage Apps (Manage Apps and Mobile apps) – Intune Application Policy Manager RBA Controls
- Allowed to create new mobile apps.
- Allowed to edit mobile apps which are uploaded by admins. Access is Denied to edit the managed apps, which are automatically uploaded.
- Access is denied to remove assignments/deployments to a group out of scope for Intune application manager.
- Access is denied to remove assignments/deployments to a group in scope for Intune application manager. This SHOULD be allowed!
- Allowed to add an assignment to mobile/manage app if the user group is in the scope of Intune application manager.
- Access Denied adding an assignment to mobile/manage app if the user group is out of scope of Intune application manager.
- App Protection Policies are getting hung while trying to edit (or create) existing (or new) app protection policies from Intune App manager account.
- Allowed to perform App Selective wipe option from Intune app manager account. Allowed to perform app selective wipe only on “in scope users/devices”.
- Access is denied to edit Company portal Branding from Intune app manager account.
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…