Intune Role-Based Administration RBAC In Endpoint Manager Portal

This post covers Intune role-based administration (RBAC) in the Endpoint Manager portal. We will discuss the access rights of the built-in Intune RBAC role called Configuration policy manager.

Ideally, this role should have access to manage and deploy configuration settings and profiles, depending on the scope. Before going into details, let me explain what the scope is.

“The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, you already know the scope option from the SCCM 2012 and CB console.

What is Intune RBAC?

RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are six (6) built-in Intune roles (RBAC roles).

Policy and Profile manager
School Administrator
Help Desk Operator
Application Manager
Read Only Operator
Intune Role Administrator 

In this post, I will try to explain the access rights of the default Intune role called Configuration Policy Manager. I have created a user named Kaith in Azure Active Directory. This user is assigned the Configuration policy manager role, and the scope is set to the group “All Bangalore Users”.

The Intune Configuration Policy Manager role has access to Assign, Create, Delete, Read and Update profiles. Below, we take a deeper look at the access rights for this role.

Configuration Policy Manager – Permissions:
Assign Device settings to AAD security groups
Create Device Settings
Delete Device Settings
Read Device Settings
Update Device Settings

Overall Access Rights of Intune tiles

  1. Allowed to perform some administrative activities in the Configure devices and Set device compliance tiles. Allowed to view details about users and groups in the Manage users tile.
  2. Access is denied to perform any activities in Manage Apps, Conditional Access, Device Enrollment, Device and Groups, and Access control tiles.
  3. Allowed to view objects in Manage Users tile – Users and Groups.
  4. Access is denied to create new groups or delete existing groups. It doesn’t matter whether the groups the Intune policy manager is editing are in scope or not.
  5. Access is denied to change device and user settings in the Manage user tile.
  6. Access is denied to Intune Silverlight console.

Access Rights – Device Configuration Profiles

  1. Allowed to edit the configurations of all profiles, even when a profile is deployed ONLY to out-of-scope users/groups. Intune Role-Based Access (RBA) rules don’t respect the scope when a profile is edited. This should NOT be allowed. Editing should be allowed only for profiles that are assigned ONLY to the Intune policy manager’s scope of users or devices (Intune policy manager = Kaith). Intune RBAC roles are still in development.
  2. Access is denied to remove and add assignments to a profile that is already deployed to users who are not in the scope. Addition and removal of Assignments should be allowed if the admin is trying to deploy profiles to users in scope.
  3. Access is denied to remove assignments from profiles that are targeted at users or groups in scope. This should be allowed!
  4. Allowed to delete all the profiles even if those profiles are targeted to out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users then the deletion of the profile should be allowed.
  5. Allowed to enable/disable certificate authority connector for SCEP or PFX profile deployment. Intune RBAC roles are still in development.

Access rights – Device Compliance policies

  1. Allowed to remove assignments of compliance policies that are already targeted to the users NOT in the scope of an Intune Policy Manager. This should NOT be allowed. If it’s deployed/assigned to the users who are in scope then removal of assignment should be allowed.
  2. Allowed to add assignments to compliance policies, even if the users the Intune policy manager is targeting are out of scope for him/her. This should NOT be allowed. The addition of an assignment to a compliance policy should be allowed only when the targeted users are in the scope of the Intune policy manager. Intune RBAC roles are still in development.
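
The scope rule argued for in the two access-rights lists above (device configuration profiles and compliance policies) can be written down as a small offline check. This is an added example, not code from the original post or from Intune: the policy names and the "All Chennai Users" group are constructed sample data, scope is compared by group name only (overlapping group membership is not modelled), and treating an unassigned policy as in scope is an assumption.

```python
# Constructed sample data: policy name -> AAD groups it is assigned to.
# Only "All Bangalore Users" comes from the post; everything else is hypothetical.
ASSIGNMENTS = {
    "Win10-Restrictions": {"All Bangalore Users"},
    "iOS-Email": {"All Bangalore Users", "All Chennai Users"},
    "Android-WiFi": {"All Chennai Users"},
    "Unassigned-Draft": set(),
}
KAITH_SCOPE = {"All Bangalore Users"}


def intended_decision(action, assigned, scope, target_group=None):
    """Return True if the scope rule proposed in the post would allow the action."""
    if action in ("edit", "delete"):
        # Allowed only when the policy is assigned ONLY to in-scope groups.
        # Assumption: an unassigned policy affects nobody, so it passes.
        return set(assigned) <= set(scope)
    if action in ("add_assignment", "remove_assignment"):
        # Allowed only when the group being added or removed is in scope.
        return target_group in scope
    raise ValueError(f"unknown action: {action}")


def exposure_report(assignments, scope):
    """List policies where an edit or delete by the scoped admin would
    reach groups outside that admin's scope, with the groups affected."""
    report = []
    for name in sorted(assignments):
        outside = sorted(set(assignments[name]) - set(scope))
        if outside:
            report.append((name, outside))
    return report


if __name__ == "__main__":
    for name, outside in exposure_report(ASSIGNMENTS, KAITH_SCOPE):
        print(f"{name}: edit/delete reaches out-of-scope groups {outside}")
    for name, groups in sorted(ASSIGNMENTS.items()):
        ok = intended_decision("delete", groups, KAITH_SCOPE)
        print(f"{name}: delete should be {'allowed' if ok else 'denied'}")
```

Run against an export of real assignments, the report shows which policies a scoped admin holding this role can currently change for users outside the scope.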



Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

2 thoughts on “Intune Role-Based Administration RBAC In Endpoint Manager Portal”

  1. At References tab :-Role-based access control (RBAC) for Microsoft Intune – “here” is not hyperlink

