Intune Role-Based Administration RBAC In Endpoint Manager Portal

This post covers Intune Role-Based Administration (RBAC) in the Endpoint Manager portal. We will discuss the access rights of the built-in Intune RBAC role called Configuration policy manager.

Ideally, this role should have access to manage and deploy configuration settings and profiles, depending on the scope. Before going into details, let me explain: what is the scope?

“The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already there in the SCCM 2012 and CB consoles.

What is Intune RBAC?

RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are six (6) built-in Intune roles (RBAC roles).

Policy and Profile manager
School Administrator
Help Desk Operator
Application Manager
Read Only Operator
Intune Role Administrator 

In this post, I will try to explain the access rights of the Intune default role called Configuration Policy Manager. I have created a user named Kaith in Azure Active Directory. This user is assigned the Configuration policy manager role, and the scope is set to the group “All Bangalore Users”.

The Intune configuration policy manager has access to Assign, Create, Delete, Read and Update profiles. However, we will take a deep dive to understand the access rights for this role in more detail.

Configuration Policy Manager – Permissions :-
Assign Device settings to AAD security groups
Create Device Settings
Delete Device Settings
Read Device Settings
Update Device Settings

Overall Access Rights of Intune tiles

  1. Allowed to perform some administrative activities in the Configure devices and Set device compliance tiles. Allowed to view details about users and groups in the Manage users tile.
  2. Access is denied to perform any activities in the Manage Apps, Conditional Access, Device Enrollment, Device and Groups and Access control tiles.
  3. Allowed to view objects in the Manage Users tile – Users and Groups.
  4. Access is denied to create new groups or delete existing groups. It doesn’t matter whether the groups the Intune policy manager is editing are in SCOPE or not.
  5. Access is denied to change device and user settings in the Manage Users tile.
  6. Access is denied to the Intune Silverlight console.

Access Rights – Device Configuration Profiles

  1. Allowed to edit the configurations of all profiles, even when the profile is deployed ONLY to out-of-scope users/groups. Intune Role Based Access (RBA) rules don’t respect the scope when a profile is edited. This should NOT be allowed. Editing should be allowed only for profiles that are assigned ONLY to the Intune policy manager’s scope of users or devices (Intune policy manager = Kaith). Intune RBAC roles are still in development.
  2. Access is denied to remove and add assignments on a profile that is already deployed to users who are not in the scope. Addition and removal of assignments should be allowed if the admin is trying to deploy the profile to users in scope.
  3. Access is denied to remove assignments from profiles that are targeted at users or groups in scope. This should be allowed!
  4. Allowed to delete all profiles, even if those profiles are targeted at out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users, then deletion of the profile should be allowed.
  5. Allowed to enable/disable the certificate authority connector for SCEP or PFX profile deployment. Intune RBAC roles are still in development.
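
The gap between the observed edit/delete rights and the scope-aware behaviour argued for above can be listed per profile. This is an added example, not code from the original post or from Intune; the profile names, the "All London Users" group and the function names are constructed for illustration, and treating an unassigned profile as out of scope is an assumption.

```python
from dataclasses import dataclass

# Behaviour the post observed for Configuration Policy Manager on device
# configuration profiles: edit and delete succeed regardless of scope.
OBSERVED_ALLOWED = {"edit", "delete"}

@dataclass(frozen=True)
class Profile:
    name: str
    assigned_groups: frozenset  # AAD groups the profile is assigned to

def expected_allowed(scope, profile):
    """Actions the post argues should be allowed: edit/delete only when
    every assignment of the profile falls inside the admin's scope."""
    targets = profile.assigned_groups
    # Assumption: an unassigned profile is treated as out of scope.
    if targets and targets <= scope:
        return {"edit", "delete"}
    return set()

def scope_gaps(scope, profiles):
    """Return {profile name: (excess actions, out-of-scope groups)} for
    every profile where the observed rights exceed the expected ones."""
    gaps = {}
    for p in profiles:
        excess = OBSERVED_ALLOWED - expected_allowed(scope, p)
        if excess:
            gaps[p.name] = (sorted(excess), sorted(p.assigned_groups - scope))
    return gaps

# Constructed sample data; only "All Bangalore Users" comes from the post.
KAITH_SCOPE = frozenset({"All Bangalore Users"})
PROFILES = [
    Profile("BLR Wi-Fi", frozenset({"All Bangalore Users"})),
    Profile("Global Email", frozenset({"All Bangalore Users", "All London Users"})),
    Profile("LON VPN", frozenset({"All London Users"})),
    Profile("Draft Restrictions", frozenset()),
]

if __name__ == "__main__":
    for name, (actions, outside) in scope_gaps(KAITH_SCOPE, PROFILES).items():
        print(f"{name}: {', '.join(actions)} reaches {outside or 'an unassigned profile'}")
```
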

Access Rights – Device Compliance Policies

  1. Allowed to remove assignments of compliance policies that are already targeted at users NOT in the scope of an Intune Policy Manager. This should NOT be allowed. If the policy is deployed/assigned to users who are in scope, then removal of the assignment should be allowed.
  2. Allowed to add assignments to compliance policies, even if the users the Intune policy manager is targeting are out of scope for him/her. This should NOT be allowed. The addition of an assignment to a compliance policy should be allowed only when the targeted users are in the scope of the Intune policy manager. Intune RBAC roles are still in development.