Intune RBAC Roles Permissions in the Intune Admin Center Portal

Intune RBAC roles and permissions in Intune Admin Center Portal are explained in this post. We will discuss the access rights of the built-in Intune RBAC role called Configuration policy manager.

Ideally, this role should have access to Manage and deploy configuration settings and profiles depending on the scope. Before going into details, let me explain, what is the scope.

Intune RBAC (Role-Based Access Controls) is the workflow that helps organizations segregate the roles and responsibilities of different support teams by providing them with limited access to specific resources. “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, then the SCOPE option is already there in SCCM 2012 and CB console.

Granular control to delegate the permissions to Level 1, 2, and 3 Intune teams from different operating groups (entities/opcos). Limit assigned permissions of Intune admins to specific user or device groups. Control/Manage the view permissions of Intune objects using RBAC.

Patch My PC

Intune RBAC Strategic options – Video

In this video, we will explain Intune RBAC Strategic Options | Role-Based Access Controls | Scope Groups | Intune Objects | Roles.

Intune RBAC Strategic options – Intune RBAC Roles Permissions in the Intune Admin Center Portal

What is Intune RBAC?

RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are nine (9) built-in Intune roles (RBAC roles). The list of Intune RBAC built-in roles is updated in the table.

In this post, I will try to explain the access right of Intune’s default role called Configuration Policy Manager. I have created a user name Kaith in Azure Active Directory. This user is assigned to Configuration policy manager access and the scope is set to the group “All Bangalore Users”.

Intune configuration policy manager can access Assign, Create, Delete, Read, and Update profiles. However, we will go into deep dive to understand more details about the access rights for this role.

Adaptiva

Configuration Policy Manager – Permissions:-
Assign Device settings to AAD security groups
Create Device Settings
Delete Device Settings
Read Device Settings
Update Device Settings

Read More -> Intune Read-Only Experience Learn To Create Read-Only Operators Roles

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1

Intune RBAC – Tired Hierarchy

Azure AD is the primary identity repository for Intune! The Intune Full Admin permissions – Azure AD.

  • Global Admin Role (Tier 1)
  • Intune Service Admin Role (Tier 2)
  • Intune RBAC Permissions – Intune Portal
  • Tier 3 Roles – App Admin, Helpdesk Admin, etc…

Updated Built-In Inutune RBAC Roles

Let’s check the built-in Intune RABC roles (endpoint manager roles) available in the MEM admin center portal.

Application ManagerBuilt-in Role
Endpoint Security ManagerBuilt-in Role
Read-Only OperatorBuilt-in Role
School AdministratorBuilt-in Role
Policy and Profile managerBuilt-in Role
Help Desk OperatorBuilt-in Role
Intune Role AdministratorBuilt-in Role
Cloud PC AdministratorBuilt-in Role
Cloud PC ReaderBuilt-in Role
Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 1

Endpoint Manager Roles

Let’s understand what are the different types of roles available within Intune RBAC workflow. There are built-in roles and custom roles. I have given examples of custom roles in the previous posts.

Read More -> Create Custom Intune Helpdesk Operator Role

Intune RBAC Policy and Profile Manager

Assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles. Allowed to edit the Intune Policy and Profile Manager.

  • Even the profile is ONLY deployed to out-of-scope users/groups. Intune Role-Based Access (RBA) rules don’t respect the scope of the editing profile.

This should be NOT allowed. Editing should be allowed only to those profiles which are assigned ONLY to Intune policy manager’s scope of users or devices (Intune policy manager = Kaith). Intune RBAC roles are still in development.

Access is denied to remove and add assignments to a profile that is already deployed to users who are not in the scope. Addition and removal of Assignments should be allowed if the admin is trying to deploy profiles to users in scope.

  • Access is denied to remove assignments to profiles that are targeted to the users or groups in scope. This should be allowed!

Allowed to delete all the profiles even if those profiles are targeted to out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users, then the deletion of the profile should be allowed.

Allowed to enable/disable certificate authority connector for SCEP or PFX profile deployment. Intune RBAC roles are still in development.

  • Login to MEM Admin Center (Intune).
  • Navigate to tenant admin -> Roles -> Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2

Intune RBAC Access rights – Application Manager

Allowed to remove assignments of applications that are already targeted to the users NOT in the scope of an Intune Application Manager. This should NOT be allowed. If it’s deployed/assigned to the users who are in scope, then removal of the assignment should be allowed.

Allowed to add assignments to the application, even if the user’s Intune application manager is targeting is out of scope for him/her. This should NOT be allowed. Assign administrators to Endpoint Manager Roles and Create and configure custom Endpoint Manager Roles.

The addition of assignment to the Application policy should be allowed only when the targeted users are within the scope of an Intune application manager.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3

Intune RBAC – Endpoint Security Manager

Let’s discuss, Intune RBAC – Endpoint Security Manager. You can assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4

Intune Read-Only Operator

Name – Read-Only Operator. Description – Read-Only Operators view user, device, enrollment, configuration, and application information and cannot make changes to Intune.

More details -> Intune Read-Only Admin Experience After RBAC Solution

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5

Intune School Administrator

Name – School Administrator. Description – School Administrators can manage apps and settings for their groups. They can take remote actions on devices, including remotely locking them, restarting them, and retiring them from management.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6

Intune RBAC – Help Desk Operator

Name – Help Desk Operator. Description – Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7

Intune Role Administrator

Name – Intune Role Administrator. Description – Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8

Cloud PC Administrator

Name – Cloud PC Administrator. Description – Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC blade.

More Details on Cloud PC (Windows 365) Provisioning -> Windows 365 Cloud PC Deployment Provisioning Process Step By Step Guide

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9

Intune RBAC – Cloud PC Reader

Name – Cloud PC Reader. Description – Cloud PC Reader has read access to all Cloud PC features located within the Cloud PC blade.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10

Video Tutorial – Intune RBAC Roles

A more detailed explanation is in the above Youtube video or you can click here.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Video

Overall Access Rights of Intune tiles

Allowed to perform some administrative activities in configuring devices, and Setting device compliance tiles. Allowed to view details about users and groups in managing users’ tile.

  • Access is denied to perform any activities in Manage Apps, Conditional Access, Device Enrollment, Device and Groups, and Access control tiles.
  • Allowed to view objects in the Manage Users tile – Users and Groups.
  • Access is denied to create/delete new/existing groups. It doesn’t matter Intune policy manager is editing the groups which are in SCOPE or not.
  • Access is denied to change device and user settings in the Manage user tile.
  • Access is denied to Intune Silverlight console.

Intune administrator Role permissions

Let’s check Intune administrator Role permissions from the following table.

ActionsDescription
microsoft.directory/bitlockerKeys/key/readRead bitlocker metadata and key on devices
microsoft.directory/contacts/createCreate contacts
microsoft.directory/contacts/deleteDelete contacts
microsoft.directory/contacts/basic/updateUpdate basic properties on contacts
microsoft.directory/devices/createCreate devices (enroll in Azure AD)
microsoft.directory/devices/deleteDelete devices from Azure AD
microsoft.directory/devices/disableDisable devices in Azure AD
microsoft.directory/devices/enableEnable devices in Azure AD
microsoft.directory/devices/basic/updateUpdate basic properties on devices
microsoft.directory/devices/extensionAttributeSet1/updateUpdate the extensionAttribute1 to extensionAttribute5 properties on devices
microsoft.directory/devices/extensionAttributeSet2/updateUpdate the extensionAttribute6 to extensionAttribute10 properties on devices
microsoft.directory/devices/extensionAttributeSet3/updateUpdate the extensionAttribute11 to extensionAttribute15 properties on devices
microsoft.directory/devices/registeredOwners/updateUpdate registered owners of devices
microsoft.directory/devices/registeredUsers/updateUpdate registered users of devices
microsoft.directory/deviceManagementPolicies/standard/readRead standard properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/readRead standard properties on device registration policies
microsoft.directory/groups/hiddenMembers/readRead hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.security/createCreate Security groups, excluding role-assignable groups
microsoft.directory/groups.security/deleteDelete Security groups, excluding role-assignable groups
microsoft.directory/groups.security/basic/updateUpdate basic properties on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/classification/updateUpdate the classification property on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/dynamicMembershipRule/updateUpdate the dynamic membership rule on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/members/updateUpdate members of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/owners/updateUpdate owners of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/visibility/updateUpdate the visibility property on Security groups, excluding role-assignable groups
microsoft.directory/users/basic/updateUpdate basic properties on users
microsoft.directory/users/manager/updateUpdate manager for users
microsoft.directory/users/photo/updateUpdate photo of users
microsoft.azure.supportTickets/allEntities/allTasksCreate and manage Azure support tickets
microsoft.cloudPC/allEntities/allProperties/allTasksManage all aspects of Windows 365
microsoft.intune/allEntities/allTasksManage all aspects of Microsoft Intune
microsoft.office365.supportTickets/allEntities/allTasksCreate and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/readRead basic properties on all resources in the Microsoft 365 admin center
Table 2 – Intune RBAC Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 2
  • Read, Delete, Wipe, Assign, Create, and Update are Inutne permissions can be assigned for each Intune objects.

Admin Groups – Admin group users are the administrators assigned to this role
Scope Groups – Administrators in this role assignment can target policies, applications, and remote tasks to Azure AD Device/User Groups
Scope tags – Who all can view this RBAC Role

41 Intune Objects List

Let’s check the list of 41 Intune Objects from Intune RBAC perspective.

Android FOTA
Android for work
Audit data
Certificate Connector
Chrome Enterprise (preview)
Cloud attached devices
Corporate device identifiers
Customization
Derived Credentials
Device compliance policies
Device configurations
Device enrollment managers
Endpoint Analytics
Endpoint protection reports
Enrollment programs
Filters
Intune data warehouse
Managed Device Cleanup Settings
Managed Google Play
Managed apps
Managed devices
Microsoft Defender ATP
Microsoft Store For Business
Microsoft Tunnel Gateway
Mobile Threat Defense
Mobile apps
Multi Admin Approval
Organization
Organizational Messages
Partner Device Management
Policy Sets
Quiet Time policies
Remote Help app
Remote assistance connectors
Remote tasks
Roles
Security baselines
Security tasks
Telecom expenses
Terms and conditions
Windows Enterprise Certificate

References:-

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

2 thoughts on “Intune RBAC Roles Permissions in the Intune Admin Center Portal”

  1. At References tab :-Role-based access control (RBAC) for Microsoft Intune – “here” is not hyperlink

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.