Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access?
We will discuss the access rights of the built-in Intune RBA role called Intune Application Manager.
Ideally, this role should have access to administer managed apps and mobile apps, and to read device information, depending upon the scope of users/devices assigned to this role.
Do you know what scope is? “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already there in the SCCM 2012 and CB consoles. I have another post which talks about Configuration Manager RBAC details here.
A more detailed explanation is in the video above, or you can click here.
Intune Application Policy Manager
In this post, we will see the permissions associated with the Intune Application Manager built-in role. As per the Microsoft documentation, this role is to “Manage and deploy applications and profiles”.
We will do a deep dive into this topic and explain the exact actions an Intune app admin can perform from the MEM portal. Following are the access permissions given to the Intune App Manager RBAC role.
Managed Apps
- Assign managed apps to security group
- Create managed apps
- Delete managed apps
- Read managed apps
- Update managed apps
- Wipe managed apps
Managed Devices
- No access to delete devices
- Access to read device information
- No access to update device properties
Mobile Apps
- Assign mobile apps to security group
- Create mobile apps
- Delete mobile apps
- Read mobile apps
- Update mobile apps
Overall Access Rights of Intune tiles
- Allowed to administer some actions in the Manage Apps and Configure Devices tiles.
- Access is denied to perform any activities in the Conditional Access, Device Enrollment, Access Control and Set Device Compliance tiles.
- Allowed to set up a certificate authority in the Configure Devices tile. However, there is no access to view profiles.
- Allowed to view device information in the Device and Groups tile.
- Access is denied to create or delete groups or user profiles, whether or not the groups the Intune Application Manager is editing are in SCOPE. In a lot of places the Save and Add buttons are enabled, but trying to save gives an error.
- Access is denied to change device and user settings in the Manage User tile.
- Access is denied to the Intune Silverlight console.
- Access is denied to the Intune App Protection section. Intune mobile application management is not allowed for Intune App Managers. Most probably all these app protection options are already part of the Intune – Manage Apps tab in the Azure portal.
Access rights – Manage Apps (Managed Apps and Mobile Apps) – Intune Application Policy Manager RBA Controls
- Allowed to create new mobile apps.
- Allowed to edit mobile apps which were uploaded by admins. Access is denied to edit the managed apps which are automatically uploaded.
- Access is denied to remove assignments/deployments to a group that is out of scope for the Intune Application Manager.
- Access is denied to remove assignments/deployments to a group that is in scope for the Intune Application Manager. This SHOULD be allowed!
- Allowed to add an assignment to a mobile/managed app if the user group is in the scope of the Intune Application Manager.
- Access is denied to add an assignment to a mobile/managed app if the user group is out of scope of the Intune Application Manager.
- App Protection Policies hang while trying to edit existing or create new app protection policies from an Intune App Manager account.
- Allowed to perform the App Selective Wipe option from an Intune App Manager account, but only on “in scope users/devices”.
- Access is denied to edit Company Portal branding from an Intune App Manager account.
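To turn the permission list above into a repeatable least-privilege check, here is an added Python example (not from the original post or from Microsoft) that diffs a role definition, in the shape returned by Microsoft Graph's deviceManagement/roleDefinitions, against the documented Application Manager set. The Microsoft.Intune_<Resource>_<Action> action names and the sample role definition are assumptions constructed for this example.

```python
import json

# Permissions the post documents for the built-in Intune Application Manager
# role, written as Graph resourceAction names. The Microsoft.Intune_<Resource>_
# <Action> format is an assumption; check it against your tenant's
# GET /deviceManagement/roleDefinitions output before relying on it.
EXPECTED_ALLOWED = {
    "Microsoft.Intune_ManagedApps_Assign", "Microsoft.Intune_ManagedApps_Create",
    "Microsoft.Intune_ManagedApps_Delete", "Microsoft.Intune_ManagedApps_Read",
    "Microsoft.Intune_ManagedApps_Update", "Microsoft.Intune_ManagedApps_Wipe",
    "Microsoft.Intune_ManagedDevices_Read",
    "Microsoft.Intune_MobileApps_Assign", "Microsoft.Intune_MobileApps_Create",
    "Microsoft.Intune_MobileApps_Delete", "Microsoft.Intune_MobileApps_Read",
    "Microsoft.Intune_MobileApps_Update",
}
# Device actions the post says the role does NOT get (no delete, no update).
MUST_NOT_HAVE = {
    "Microsoft.Intune_ManagedDevices_Delete",
    "Microsoft.Intune_ManagedDevices_Update",
}

# Constructed sample: a custom role cloned from Application Manager that was
# widened with device delete rights. Shape follows the Graph roleDefinition
# resource (rolePermissions -> resourceActions -> allowedResourceActions).
SAMPLE_ROLE_DEFINITION = {
    "displayName": "App Manager - Contoso copy (constructed)",
    "isBuiltIn": False,
    "rolePermissions": [{"resourceActions": [{
        "allowedResourceActions": sorted(EXPECTED_ALLOWED)
                                  + ["Microsoft.Intune_ManagedDevices_Delete"],
        "notAllowedResourceActions": [],
    }]}],
}


def allowed_actions(role_definition: dict) -> set:
    """Flatten every allowedResourceActions list in a role definition."""
    actions = set()
    for permission in role_definition.get("rolePermissions", []):
        for resource in permission.get("resourceActions", []):
            actions.update(resource.get("allowedResourceActions", []))
    return actions


def audit(role_definition: dict) -> dict:
    """Diff the role's grants against the documented Application Manager set."""
    actual = allowed_actions(role_definition)
    return {
        "missing": sorted(EXPECTED_ALLOWED - actual),     # documented, not granted
        "unexpected": sorted(actual - EXPECTED_ALLOWED),  # granted beyond the set
        "forbidden": sorted(actual & MUST_NOT_HAVE),      # least-privilege violation
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLE_DEFINITION), indent=2))
```

Any non-empty "forbidden" list means a role that presents itself as an app manager can touch devices in ways the built-in role never could, which is exactly the drift a periodic RBAC review should catch.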
- Assigning administrator roles in Azure Active Directory – here
- Role-based access control (RBAC) for Microsoft Intune – here