This post looks at the access rights of the built-in Intune RBAC role called Configuration policy manager. Ideally, this role should only be able to manage and deploy configuration settings and profiles within its assigned scope. Before going into the details, what is a scope? It is defined as “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the same idea already exists as security scopes in the SCCM 2012 and Current Branch consoles.
To test the role, I created a user named Kaith in Azure Active Directory. This user is assigned the Configuration policy manager role, and the scope is set to the group “All Bangalore Users”. On paper, an Intune configuration policy manager has permission to Assign, Create, Delete, Read and Update profiles. The sections below dig into what those permissions actually allow in the portal, and in particular whether the scope is honoured.
Configuration Policy Manager – Permissions:
Assign Device settings to AAD security groups
Create Device Settings
Delete Device Settings
Read Device Settings
Update Device Settings
Overall Access Rights across Intune tiles
- Allowed to perform some administrative activities in the Configure devices and Set device compliance tiles. Allowed to view details about users and groups in the Manage users tile.
- Access is denied to perform any activities in the Manage Apps, Conditional Access, Device Enrollment, Devices and Groups, and Access control tiles.
- Allowed to view objects in the Manage Users tile (Users and Groups).
- Access is denied to create or delete groups, regardless of whether the group the Intune policy manager is editing is in scope or not.
- Access is denied to change device and user settings in the Manage Users tile.
- Access is denied to the Intune Silverlight console.
Access Rights – Device Configuration Profiles
- Allowed to edit the configuration of ALL profiles, even a profile that is deployed ONLY to out-of-scope users or groups. Intune Role-Based Access Control (RBAC) does not respect scope when a profile is edited. This should NOT be allowed: editing should be permitted only for profiles that are assigned ONLY to users or devices in the Intune policy manager's scope (Intune policy manager = Kaith). In practice this means a scoped policy manager can change settings that are delivered to devices outside their scope.
- Access is denied to add or remove assignments on a profile that is already deployed to users who are not in scope. Adding and removing assignments should be allowed when the admin is deploying the profile to users who are in scope.
- Access is denied to remove assignments from profiles that are targeted at users or groups in scope. This should be allowed!
- Allowed to delete ALL profiles, even profiles that are targeted at out-of-scope users. This should NOT be allowed! Deletion should be permitted only if the profile is assigned solely to in-scope users.
- Allowed to enable/disable the certificate connector used for SCEP or PFX certificate profile deployment.
Access rights – Device Compliance policies
- Allowed to remove assignments from compliance policies that are already targeted at users who are NOT in the Intune policy manager's scope. This should NOT be allowed; removal of an assignment should be permitted only when the assignment targets users who are in scope.
- Allowed to add assignments to compliance policies even when the users the Intune policy manager is targeting are outside his/her scope. This should NOT be allowed; adding an assignment to a compliance policy should be permitted only when the targeted users are in the Intune policy manager's scope.
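The bullets above for profiles and compliance policies describe the same missing check: scope is applied (inconsistently) to the group being targeted, but never to the existing targets of the object being edited or deleted. The following is an added example written for this post, not code from the original page and not Microsoft's implementation. It models the rule the post argues for as a small authorization function: update/delete must check every group the object is already assigned to, while assign/unassign must check the one group being changed. It also generalises slightly to the unscoped role assignment types (all licensed users / all devices). Field names loosely follow the Microsoft Graph shapes (roleAssignment.resourceScopes and scopeType, groupAssignmentTarget.groupId), but the role assignment, policies and group ids are constructed sample data.

```python
"""Scope-aware authorization model for a scoped Intune profile/policy admin.

Added example for this post; not code from the original page and not
Microsoft's implementation. It encodes the rule the post argues Intune
should enforce for a scoped Configuration policy manager: an operation on a
configuration profile or compliance policy is allowed only when every group
the operation touches lies inside the admin's scope. Names and ids below are
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class RoleAssignment:
    """Who holds the role and which groups they may manage."""
    member_groups: frozenset           # groups whose members hold the role
    scope_groups: frozenset            # resourceScopes: groups they may manage
    scope_type: str = "resourceScope"  # "allLicensedUsers"/"allDevices" = unscoped


@dataclass
class Policy:
    name: str
    kind: str                                   # "deviceConfiguration" | "compliancePolicy"
    targets: set = field(default_factory=set)   # groupIds from its assignments


def in_scope(ra: RoleAssignment, group_id: str) -> bool:
    """A group is manageable if the role is unscoped or the group is a scope group."""
    if ra.scope_type != "resourceScope":
        return True
    return group_id in ra.scope_groups


def authorize(ra: RoleAssignment, action: str, policy: Policy,
              group_id: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether the admin may perform `action` on `policy`.

    update/delete touch every current target, so all of them must be in scope.
    assign/unassign touch a single group, so only that group must be in scope.
    """
    if action == "read":
        return True, "read is not restricted by scope for this role"
    if action in ("update", "delete"):
        outside = sorted(g for g in policy.targets if not in_scope(ra, g))
        if outside:
            return False, f"{policy.name} is deployed outside scope: {outside}"
        return True, "every assigned group is in scope"
    if action in ("assign", "unassign"):
        if group_id is None:
            raise ValueError(f"{action} requires a group_id")
        if action == "unassign" and group_id not in policy.targets:
            return False, f"{group_id} is not assigned to {policy.name}"
        if not in_scope(ra, group_id):
            return False, f"{group_id} is outside the admin's scope"
        return True, f"{group_id} is in scope"
    raise ValueError(f"unknown action {action!r}")


def apply(ra: RoleAssignment, action: str, policy: Policy,
          group_id: Optional[str] = None) -> Tuple[bool, str]:
    """Perform an assignment change only if authorize() allows it."""
    allowed, reason = authorize(ra, action, policy, group_id)
    if allowed and action == "assign":
        policy.targets.add(group_id)
    elif allowed and action == "unassign":
        policy.targets.discard(group_id)
    return allowed, reason


def audit(ra: RoleAssignment, policies) -> dict:
    """Per policy, report whether update and delete would be allowed."""
    return {p.name: {a: authorize(ra, a, p)[0] for a in ("update", "delete")}
            for p in policies}


# Constructed sample data: Kaith's scope is one group; the group ids are made up.
KAITH = RoleAssignment(
    member_groups=frozenset({"grp-intune-policy-admins"}),
    scope_groups=frozenset({"grp-all-bangalore-users"}),
)
BLR_WIFI = Policy("BLR Wi-Fi", "deviceConfiguration", {"grp-all-bangalore-users"})
CORP_VPN = Policy("Corp VPN", "deviceConfiguration",
                  {"grp-all-bangalore-users", "grp-all-chennai-users"})
BASELINE = Policy("Baseline compliance", "compliancePolicy", {"grp-all-chennai-users"})

if __name__ == "__main__":
    for name, decisions in audit(KAITH, [BLR_WIFI, CORP_VPN, BASELINE]).items():
        print(f"{name:22} {decisions}")
    print(authorize(KAITH, "assign", BASELINE, "grp-all-chennai-users"))
```

Against the observations in the post, Kaith would lose the ability to edit or delete Corp VPN and Baseline compliance (both reach Chennai users), and to assign a compliance policy to the Chennai group, while gaining the ability to remove the Bangalore assignment from a profile that also targets Chennai. Whatever rule you adopt, the design point is that the check runs against the object's existing targets, not just the group named in the request.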