Intune RBAC Roles Permissions in the Intune Admin Center Portal

This post explains Intune RBAC roles and permissions in the Intune Admin Center Portal. We will discuss the access rights of the built-in Intune RBAC role and Configuration policy manager.

Ideally, this role should have access to Manage and deploy configuration settings and profiles, depending on the scope. Before going into details, let me explain the scope.

Intune RBAC (Role-Based Access Controls) is the workflow that helps organizations segregate the roles and responsibilities of different support teams by providing them with limited access to specific resources. “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option exists in SCCM 2012 and the CB console.

Granular control delegates permissions to Level 1, 2, and 3 Intune teams from different operating groups (entities/opcos). Intune admins’ assigned permissions are limited to specific user or device groups. View permissions of Intune objects can be controlled/managed using RBAC.

Patch My PC

Intune RBAC Strategic Options – Video

This video will explain Intune RBAC Strategic Options, Role-Based Access Controls, Scope Groups, Intune Objects, and Roles.

Intune RBAC Roles Permissions in the Intune Admin Center Portal – Video 1

What is Intune RBAC?

RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are nine (9) built-in Intune roles (RBAC roles). The list of Intune RBAC built-in roles is updated in the table.

Adaptiva

In this post, I will explain the access rights of Intune’s default role, Configuration Policy Manager. I have created a user named Kaith in the Azure Active Directory. This user is assigned Configuration policy manager access, and the scope is set to the group “All Bangalore Users.”

The Intune configuration policy manager can access Assign, Create, Delete, Read, and Update profiles. However, we will conduct a deep dive to understand more details about the access rights for this role.

  • Configuration Policy Manager – Permissions:-
  • Assign Device settings to AAD security groups
  • Create Device Settings
  • Delete Device Settings
  • Read Device Settings
  • Update Device Settings

Read More -> Intune Read-Only Experience Learn To Create Read-Only Operators Roles

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1

Intune RBAC – Tired Hierarchy

Azure AD is the primary identity repository for Intune! The Intune Full Admin permissions—Azure AD. This means that user identities and access rights are managed through Azure AD, which integrates easily with Intune. For Intune Full Admin permissions, users need corresponding permissions in Azure AD.

  • Global Admin Role (Tier 1)
  • Intune Service Admin Role (Tier 2)
  • Intune RBAC Permissions – Intune Portal
  • Tier 3 Roles – App Admin, Helpdesk Admin, etc…

Updated Built-In Inutune RBAC Roles

Let’s check the built-in Intune RABC roles (endpoint manager roles) available in the MEM admin center portal. The permissions in Azure AD are crucial for managing users, devices, and policies effectively within Intune.

Updated Built-In Inutune RBAC RolesDetails
Application ManagerBuilt-in Role
Endpoint Security ManagerBuilt-in Role
Read-Only OperatorBuilt-in Role
School AdministratorBuilt-in Role
Policy and Profile managerBuilt-in Role
Help Desk OperatorBuilt-in Role
Intune Role AdministratorBuilt-in Role
Cloud PC AdministratorBuilt-in Role
Cloud PC ReaderBuilt-in Role
Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 1

Endpoint Manager Roles

Let’s understand the different types of roles available within Intune RBAC workflow. There are built-in roles and custom roles, which I have given examples of in previous posts.

Read More -> Create Custom Intune Helpdesk Operator Role

Intune RBAC Policy and Profile Manager

Assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles. You are allowed to edit the Intune Policy and Profile Manager.

  • Even the profile is ONLY deployed to out-of-scope users/groups.
  • Intune Role-Based Access (RBA) rules don’t respect the scope of the editing profile.

This should NOT be allowed. Editing should be allowed only to profiles assigned ONLY to the Intune policy manager’s scope of users or devices (Intune policy manager = Kaith). Intune RBAC roles are still in development.

Access is denied to remove and add assignments to a profile already deployed to users outside the scope. However, if the admin tries to deploy profiles to users in the scope, the addition and removal of assignments should be allowed.

  • Access is denied to remove assignments to profiles targeted to the users or groups in scope. This should be allowed!

They can delete all the profiles, even if they target out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users, then the deletion of the profile should be allowed.

They can enable/disable certificate authority connectors for SCEP or PFX profile deployment. Intune RBAC roles are still in development.

  • Login to MEM Admin Center (Intune).
  • Navigate to tenant admin -> Roles -> Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2

Intune RBAC Access Rights – Application Manager

It is allowed to remove assignments of applications that are already targeted to users outside the scope of an Intune Application Manager. This should NOT be allowed. If the application is deployed/assigned to users who are in scope, then removal of the assignment should be allowed.

Allowed to add assignments to the application, even if the user’s Intune application manager is targeting is out of scope for them. This should NOT be allowed. Assign administrators to Endpoint Manager Roles and Create and configure custom Endpoint Manager Roles.

Assignments should be added to the Application policy only when the targeted users are within the scope of an Intune application manager.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3

Intune RBAC – Endpoint Security Manager

Let’s discuss Intune RBAC—Endpoint Security Manager. You can assign administrators to Endpoint Manager Roles and create and configure custom Endpoint Manager Roles.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4

Intune Read-Only Operator

Name – Read-Only Operator. Description – Read-Only Operators view user, device, enrollment, configuration, and application information and cannot change Intune.

More details -> Intune Read-Only Admin Experience After RBAC Solution

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5

Intune School Administrator

Name—School Administrator. Description—School Administrators can manage apps and settings for their groups. They can also remotely manage devices, including locking, restarting, and retiring them from management.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6

Intune RBAC – Help Desk Operator

Name – Help Desk Operator. Description – Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7

Intune Role Administrator

Name – Intune Role Administrator. Description – Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8

Cloud PC Administrator

Name: Cloud PC Administrator. Description: The Cloud PC Administrator has read and write access to all Cloud PC features within the Cloud PC blade.

More Details on Cloud PC (Windows 365) Provisioning -> Windows 365 Cloud PC Deployment Provisioning Process Step By Step Guide.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9

Intune RBAC – Cloud PC Reader

Name: Cloud PC Reader. Description: The Cloud PC Reader has read access to all Cloud PC features within the blade.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10

Intune Admin Configuration Policy Manager Intune RBA Permissions Issues

Discuss the Intune Admin Configuration Policy Manager and Intune RBA Permissions Issues. The video below explains all the details about these topics.

Intune RBAC Roles Permissions in the Intune Admin Center Portal – Video 2

Overall Access Rights of Intune Tiles

Allowed to perform administrative activities in configuring devices and Setting device compliance tiles. Allowed to view details about users and groups in managing users’ tile.

  • Access is denied to perform any activities in Manage Apps, Conditional Access, Device Enrollment, Device and Groups, and Access control tiles.
  • You can view objects in the Manage Users tile – Users and Groups.
  • Access is denied to create/delete new or existing groups. It doesn’t matter if the Intune policy manager is editing the groups in SCOPE.
  • Access is denied to change device and user settings in the Manage user tile.
  • Access is denied to the Intune Silverlight console.

Intune Administrator Role Permissions

Let’s check Intune administrator Role permissions from the following table. The table below helps you show the Actions and their corresponding details. Read, Delete, Wipe, Assign, Create, and Update are Intune permissions that can be assigned for each Intune object.

  • Admin Groups – Admin group users are the administrators assigned to this role
  • Scope Groups – Administrators in this role assignment can target policies, applications, and remote tasks to Azure AD Device/User Groups
  • Scope tags – Who all can view this RBAC Role
ActionsDescription
microsoft.directory/bitlockerKeys/key/readRead bitlocker metadata and key on devices
microsoft.directory/contacts/createCreate contacts
microsoft.directory/contacts/deleteDelete contacts
microsoft.directory/contacts/basic/updateUpdate basic properties on contacts
microsoft.directory/devices/createCreate devices (enroll in Azure AD)
microsoft.directory/devices/deleteDelete devices from Azure AD
microsoft.directory/devices/disableDisable devices in Azure AD
microsoft.directory/devices/enableEnable devices in Azure AD
microsoft.directory/devices/basic/updateUpdate basic properties on devices
microsoft.directory/devices/extensionAttributeSet1/updateUpdate the extensionAttribute1 to extensionAttribute5 properties on devices
microsoft.directory/devices/extensionAttributeSet2/updateUpdate the extensionAttribute6 to extensionAttribute10 properties on devices
microsoft.directory/devices/extensionAttributeSet3/updateUpdate the extensionAttribute11 to extensionAttribute15 properties on devices
microsoft.directory/devices/registeredOwners/updateUpdate registered owners of devices
microsoft.directory/devices/registeredUsers/updateUpdate registered users of devices
microsoft.directory/deviceManagementPolicies/standard/readRead standard properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/readRead standard properties on device registration policies
microsoft.directory/groups/hiddenMembers/readRead hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.security/createCreate Security groups, excluding role-assignable groups
microsoft.directory/groups.security/deleteDelete Security groups, excluding role-assignable groups
microsoft.directory/groups.security/basic/updateUpdate basic properties on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/classification/updateUpdate the classification property on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/dynamicMembershipRule/updateUpdate the dynamic membership rule on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/members/updateUpdate members of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/owners/updateUpdate owners of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/visibility/updateUpdate the visibility property on Security groups, excluding role-assignable groups
microsoft.directory/users/basic/updateUpdate basic properties on users
microsoft.directory/users/manager/updateUpdate manager for users
microsoft.directory/users/photo/updateUpdate photo of users
microsoft.azure.supportTickets/allEntities/allTasksCreate and manage Azure support tickets
microsoft.cloudPC/allEntities/allProperties/allTasksManage all aspects of Windows 365
microsoft.intune/allEntities/allTasksManage all aspects of Microsoft Intune
microsoft.office365.supportTickets/allEntities/allTasksCreate and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/readRead basic properties on all resources in the Microsoft 365 admin center
Table 2 – Intune RBAC Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 2

41 Intune Objects List

Let’s check the list of 41 Intune Objects from the Intune RBAC perspective. The list includes Android FOTA, Android for work, Audit data, etc.

  • Android FOTA
  • Android for work
  • Audit data
  • Certificate Connector
  • Chrome Enterprise (preview)
  • Cloud attached devices
  • Corporate device identifiers
  • Customization
  • Derived Credentials
  • Device compliance policies
  • Device configurations
  • Device enrollment managers
  • Endpoint Analytics
  • Endpoint protection reports
  • Enrollment programs
  • Filters
  • Intune data warehouse
  • Managed Device Cleanup Settings
  • Managed Google Play
  • Managed apps
  • Managed devices
  • Microsoft Defender ATP
  • Microsoft Store For Business
  • Microsoft Tunnel Gateway
  • Mobile Threat Defense
  • Mobile apps
  • Multi Admin Approval
  • Organization
  • Organizational Messages
  • Partner Device Management
  • Policy Sets
  • Quiet Time policies
  • Remote Help app
  • Remote assistance connectors
  • Remote tasks
  • Roles
  • Security baselines
  • Security tasks
  • Telecom expenses
  • Terms and conditions
  • Windows Enterprise Certificate

References:-

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

2 thoughts on “Intune RBAC Roles Permissions in the Intune Admin Center Portal”

  1. At References tab :-Role-based access control (RBAC) for Microsoft Intune – “here” is not hyperlink

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.