Intune Application Policy Manager RBAC Controls In Azure Portal

Application management is another key part of Intune administration. The built-in Intune RBAC role Application Manager helps organizations give teams appropriate access depending on their location and responsibilities.


We will discuss the access rights of the built-in Intune RBAC role called Intune Application Manager. Ideally, this role should have access to administer Managed apps and Mobile apps and to read device information, depending upon the scope of users/devices assigned to this role. Do you know what scope is? “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already there in the SCCM 2012 and CB console. I’ve another post which talks about Configuration Manager RBAC details here.

A more detailed explanation is in the above video, or you can click here.

In this post, we will see the permissions associated with the Intune Application Manager built-in role. As per the Microsoft documentation, this role is to “Manage and deploy applications and profiles”. We will do a deep dive into this topic and explain the exact actions an Intune app admin can perform from the Azure portal. Following are the access permissions given to the Intune App Manager RBAC role.

Managed Apps
  • Assign managed apps to security group
  • Create managed apps
  • Delete managed apps
  • Read managed apps
  • Update managed apps
  • Wipe managed apps

Managed Devices
  • No access to delete devices
  • Access to read device information
  • No access to update device properties

Mobile Apps
  • Assign mobile apps to security group
  • Create mobile apps
  • Delete mobile apps
  • Read mobile apps
  • Update mobile apps
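
To check a role against the list above without clicking through the portal, the following added example (not from the original post or from Microsoft) audits a role definition in JSON, shaped like the Microsoft Graph `deviceManagement/roleDefinitions` resource, against that list. The `Microsoft.Intune_<Resource>_<Action>` strings and the sample role are assumptions constructed for illustration, and the baseline covers only the three categories listed here.

```python
import json

# Baseline from the permission list above: resource -> actions the role should hold.
BASELINE = {
    "ManagedApps": {"Assign", "Create", "Delete", "Read", "Update", "Wipe"},
    "ManagedDevices": {"Read"},  # no Delete, no Update
    "MobileApps": {"Assign", "Create", "Delete", "Read", "Update"},
}
PREFIX = "Microsoft.Intune_"  # assumed action-string prefix

# Constructed sample (not a real export): a custom copy of the role that has drifted.
SAMPLE_ROLE = json.loads("""
{"displayName": "App Manager (custom copy)", "isBuiltIn": false,
 "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
  "Microsoft.Intune_ManagedApps_Assign", "Microsoft.Intune_ManagedApps_Create",
  "Microsoft.Intune_ManagedApps_Delete", "Microsoft.Intune_ManagedApps_Read",
  "Microsoft.Intune_ManagedApps_Update", "Microsoft.Intune_ManagedDevices_Read",
  "Microsoft.Intune_ManagedDevices_Delete", "Microsoft.Intune_MobileApps_Assign",
  "Microsoft.Intune_MobileApps_Create", "Microsoft.Intune_MobileApps_Delete",
  "Microsoft.Intune_MobileApps_Read", "Microsoft.Intune_MobileApps_Update"
 ]}]}]}
""")


def allowed_actions(role):
    """Flatten rolePermissions -> resourceActions -> allowedResourceActions."""
    found = {}
    for perm in role.get("rolePermissions", []):
        for block in perm.get("resourceActions", []):
            for action in block.get("allowedResourceActions", []):
                # Unrecognised strings are kept under "?" so they are reported, not dropped.
                body = action[len(PREFIX):] if action.startswith(PREFIX) else "?_" + action
                resource, _, verb = body.partition("_")
                found.setdefault(resource, set()).add(verb)
    return found


def audit(role, baseline=BASELINE):
    """Return actions granted beyond the baseline and baseline actions not granted."""
    actual = allowed_actions(role)
    extra, missing = [], []
    for resource in sorted(set(actual) | set(baseline)):
        have, want = actual.get(resource, set()), baseline.get(resource, set())
        extra += [f"{resource}:{v}" for v in sorted(have - want)]
        missing += [f"{resource}:{v}" for v in sorted(want - have)]
    return {"extra": extra, "missing": missing}


if __name__ == "__main__":
    print(audit(SAMPLE_ROLE))
```

Any entry under `extra` is a permission the role holds beyond the documented set, which is the drift worth reviewing first when a custom copy of the role is in use.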
Overall Access Rights of Intune tiles
  1. Allowed to administer some actions in the Manage apps and Configure devices tiles.
  2. Access is denied to perform any activities in the Conditional Access, Device Enrollment, Access control and Set device compliance tiles.
  3. Allowed to set up a certificate authority in the Configure devices tile. However, no access to view profiles.
  4. Allowed to view the device information in the Device and Groups tile.
  5. Access is denied to create new groups or user profiles or to delete existing ones. It doesn’t matter whether the groups the Intune policy manager is editing are in SCOPE or not. In a lot of places the save and add buttons are enabled, but when we try to save it gives an error.
  6. Access is denied to change device and user settings in the Manage user tile.
  7. Access is denied to the Intune Silverlight console.
  8. Access is denied to the Intune App Protection section. Intune mobile application management is not allowed for Intune App Managers. Most probably all these app protection options are already part of the Intune – Manage Apps tab in the Azure portal.
Access rights – Manage Apps (Manage Apps and Mobile apps)
  1. Allowed to create new mobile apps.
  2. Allowed to edit mobile apps which are uploaded by admins. Access is denied to edit the managed apps which are automatically uploaded.
  3. Access is denied to remove assignments/deployments to a group which is out of scope for the Intune application manager.
  4. Access is denied to remove assignments/deployments to a group which is in scope for the Intune application manager. This SHOULD be allowed!
  5. Allowed to add an assignment to a mobile/managed app if the user group is in scope of the Intune application manager.
  6. Access is denied to add an assignment to a mobile/managed app if the user group is out of scope of the Intune application manager.
  7. App protection policies hang while trying to edit existing (or create new) app protection policies from the Intune app manager account.
  8. Allowed to perform the App Selective wipe option from the Intune app manager account. Allowed to perform app selective wipe only on “in scope users/devices”.
  9. Access is denied to edit Company Portal branding from the Intune app manager account.

References:

  • Assigning administrator roles in Azure Active Directory – here
  • Role-based access control (RBAC) for Microsoft Intune – here


