Intune RBAC Roles Permissions in the Endpoint Manager Portal

Intune RBAC roles and permissions in Endpoint Manager Portal are explained in this post. We will discuss the access rights of the built-in Intune RBAC role called Configuration policy manager.

Ideally, this role should have access to manage and deploy configuration settings and profiles, depending upon the scope. Before going into details, let me explain what the scope is.

“The users or devices that a specified person (the member) can manage.” If you are an SCCM admin then the SCOPE option is already there in SCCM 2012 and CB console.

What is Intune RBAC?

RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are nine (9) built-in Intune roles (RBAC roles). The list of Intune RBAC built-in roles is updated in the table.


In this post, I will try to explain the access rights of the Intune default role called Configuration Policy Manager. I have created a user named Kaith in Azure Active Directory. This user is assigned the Configuration policy manager role and the scope is set to the group “All Bangalore Users”.

The Intune Configuration Policy Manager has access to Assign, Create, Delete, Read and Update profiles. However, we will do a deep dive to understand the access rights of this role in more detail.

Configuration Policy Manager – Permissions:-
  • Assign Device settings to AAD security groups
  • Create Device Settings
  • Delete Device Settings
  • Read Device Settings
  • Update Device Settings

Read More -> Intune Read-Only Experience Learn To Create Read-Only Operators Roles

Intune RBAC Roles Permissions in Endpoint Manager Portal 1

Updated Built-In Intune RBAC Roles

Let’s check the built-in Intune RBAC roles (Endpoint Manager roles) available in the MEM admin center portal.

Role | Type
Application Manager | Built-in Role
Endpoint Security Manager | Built-in Role
Read-Only Operator | Built-in Role
School Administrator | Built-in Role
Policy and Profile manager | Built-in Role
Help Desk Operator | Built-in Role
Intune Role Administrator | Built-in Role
Cloud PC Administrator | Built-in Role
Cloud PC Reader | Built-in Role
Intune RBAC Roles

Endpoint Manager Roles

Let’s understand the different types of roles available within the Intune RBAC workflow. There are built-in roles and custom roles. I have given examples of custom roles in the previous posts.

Read More -> Create Custom Intune Helpdesk Operator Role

Intune RBAC Policy and Profile Manager

Assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles. Allowed to edit the Intune Policy and Profile Manager.

  • Even when the profile is deployed ONLY to out-of-scope users/groups. Intune Role-Based Access Control (RBAC) rules don’t respect the scope when a profile is edited.

This should NOT be allowed. Editing should be allowed only for those profiles which are assigned ONLY to the Intune policy manager’s scope of users or devices (Intune policy manager = Kaith). Intune RBAC roles are still in development.

Access is denied to remove and add assignments to a profile that is already deployed to users who are not in the scope. Addition and removal of Assignments should be allowed if the admin is trying to deploy profiles to users in scope.

  • Access is denied to remove assignments from profiles which are targeted to the users or groups in scope. This should be allowed!

Allowed to delete all the profiles even if those profiles are targeted to out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users then the deletion of the profile should be allowed.

Allowed to enable/disable certificate authority connector for SCEP or PFX profile deployment. Intune RBAC roles are still in development.

  • Login to MEM Admin Center (Intune).
  • Navigate to tenant admin -> Roles -> Endpoint Manager Roles.
Intune RBAC Roles Permissions in Endpoint Manager Portal 2

Intune RBAC Access rights – Application Manager

Allowed to remove assignments of applications that are already targeted to the users NOT in the scope of an Intune Application Manager. This should NOT be allowed. If it’s deployed/assigned to the users who are in scope then removal of assignment should be allowed.

Allowed to add assignments to the application, even if the users the Intune Application Manager is targeting are out of scope for him/her. This should NOT be allowed. Assign administrators to Endpoint Manager Roles and Create and configure custom Endpoint Manager Roles.

The addition of assignment to the Application policy should be allowed only when the targeted users are within the scope of an Intune application manager.
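The scope problem described above for profiles (Policy and Profile Manager) and for app assignments (Application Manager) can be audited from the assignment data itself. The following is an added example, not code from the original post: it classifies each profile or app by whether its assignment targets fall inside a role assignment's scope groups, so the objects an in-scope admin can edit or delete but which also reach out-of-scope users can be reviewed. All data is constructed; its shape follows Microsoft Graph's roleAssignment scopeMembers and assignment target types, which is an assumption of this example.

```python
# Added example (not from the original post). All data is constructed; its shape follows
# Graph roleAssignment.scopeMembers and deviceConfiguration/mobileApp assignment targets.
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"
EXCLUDE_TARGET = "#microsoft.graph.exclusionGroupAssignmentTarget"
ALL_USERS_TARGET = "#microsoft.graph.allLicensedUsersAssignmentTarget"

# Constructed role assignment for Kaith: scope is the "All Bangalore Users" group id.
ROLE_ASSIGNMENT = {"displayName": "Policy and Profile Manager - Bangalore",
                   "scopeMembers": ["grp-bangalore-users"]}

# Constructed profiles and apps with their assignments (as from $expand=assignments).
OBJECTS = [
    {"displayName": "Wi-Fi profile BLR", "assignments": [
        {"target": {"@odata.type": GROUP_TARGET, "groupId": "grp-bangalore-users"}}]},
    {"displayName": "BitLocker baseline", "assignments": [
        {"target": {"@odata.type": GROUP_TARGET, "groupId": "grp-bangalore-users"}},
        {"target": {"@odata.type": GROUP_TARGET, "groupId": "grp-london-users"}}]},
    {"displayName": "VPN profile LON", "assignments": [
        {"target": {"@odata.type": GROUP_TARGET, "groupId": "grp-london-users"}}]},
    {"displayName": "Company Portal app", "assignments": [
        {"target": {"@odata.type": ALL_USERS_TARGET}},
        {"target": {"@odata.type": EXCLUDE_TARGET, "groupId": "grp-bangalore-users"}}]},
    {"displayName": "Unassigned draft", "assignments": []},
]

def classify(obj, scope_groups):
    """Return 'in-scope', 'out-of-scope', 'mixed' or 'unassigned' for one object."""
    reach = set()  # groups (or tenant-wide target kinds) the object actually reaches
    for a in obj["assignments"]:
        t = a["target"]
        if t["@odata.type"] == EXCLUDE_TARGET:
            continue  # exclusions do not extend reach
        # all-users/all-devices targets exceed any group scope: keep their type name so they never match
        reach.add(t.get("groupId", t["@odata.type"]))
    if not reach:
        return "unassigned"
    inside = {g for g in reach if g in scope_groups}
    if inside == reach:
        return "in-scope"
    return "mixed" if inside else "out-of-scope"

def audit(objects, role_assignment):
    """Map each object's displayName to its verdict against the role's scope groups."""
    scope = set(role_assignment["scopeMembers"])
    return {o["displayName"]: classify(o, scope) for o in objects}

if __name__ == "__main__":
    for name, verdict in audit(OBJECTS, ROLE_ASSIGNMENT).items():
        print(f"{verdict:13} {name}")  # 'mixed' and 'out-of-scope' rows need review
```

Objects reported as mixed or out-of-scope are exactly the ones the post shows a scoped admin can still edit, re-assign or delete, so they are the rows to review before delegating the role.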

Intune RBAC Roles Permissions in Endpoint Manager Portal 3

Intune RBAC – Endpoint Security Manager

Let’s discuss the Intune RBAC Endpoint Security Manager role. You can assign administrators to Endpoint Manager Roles, and create and configure custom Endpoint Manager Roles.

Intune RBAC Roles Permissions in Endpoint Manager Portal 4

Intune Read-Only Operator

Name – Read-Only Operator. Description – Read-Only Operators view user, device, enrollment, configuration, and application information and cannot make changes to Intune.

More details -> Intune Read-Only Admin Experience After RBAC Solution

Intune RBAC Roles Permissions in Endpoint Manager Portal 5

Intune School Administrator

Name – School Administrator. Description – School Administrators can manage apps and settings for their groups. They can take remote actions on devices, including remotely locking them, restarting them, and retiring them from management.

Intune RBAC Roles Permissions in Endpoint Manager Portal 6

Intune RBAC – Help Desk Operator

Name – Help Desk Operator. Description – Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.

Intune RBAC Roles Permissions in Endpoint Manager Portal 7

Intune Role Administrator

Name – Intune Role Administrator. Description – Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.

Intune RBAC Roles Permissions in Endpoint Manager Portal 8

Cloud PC Administrator

Name – Cloud PC Administrator. Description – Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC blade.

More Details on Cloud PC (Windows 365) Provisioning -> Windows 365 Cloud PC Deployment Provisioning Process Step By Step Guide

Intune RBAC Roles Permissions in Endpoint Manager Portal 9

Intune RBAC – Cloud PC Reader

Name – Cloud PC Reader. Description – Cloud PC Reader has read access to all Cloud PC features located within the Cloud PC blade.

Intune RBAC Roles Permissions in Endpoint Manager Portal 10

Video Tutorial – Intune RBAC Roles

A more detailed explanation is in the above YouTube video, or you can click here.

Overall Access Rights of Intune tiles

Allowed to perform some administrative activities in the Configure Devices and Set Device Compliance tiles. Allowed to view details about users and groups in the Manage Users tile.

  • Access is denied to perform any activities in Manage Apps, Conditional Access, Device Enrollment, Device and Groups, and Access control tiles.
  • Allowed to view objects in Manage Users tile – Users and Groups.
  • Access is denied to create/delete new/existing groups. It doesn’t matter whether the Intune policy manager is editing groups which are in SCOPE or not.
  • Access is denied to change device and user settings in the Manage user tile.
  • Access is denied to Intune Silverlight console.

Intune administrator Role permissions

Let’s check the Intune Administrator role permissions in the following table. Note that this is the Azure AD directory role (its actions are prefixed microsoft.directory/), not one of the Intune RBAC built-in roles listed above; it grants microsoft.intune/allEntities/allTasks, which is not limited by an Intune scope.

Actions | Description
microsoft.directory/bitlockerKeys/key/read | Read bitlocker metadata and key on devices
microsoft.directory/contacts/create | Create contacts
microsoft.directory/contacts/delete | Delete contacts
microsoft.directory/contacts/basic/update | Update basic properties on contacts
microsoft.directory/devices/create | Create devices (enroll in Azure AD)
microsoft.directory/devices/delete | Delete devices from Azure AD
microsoft.directory/devices/disable | Disable devices in Azure AD
microsoft.directory/devices/enable | Enable devices in Azure AD
microsoft.directory/devices/basic/update | Update basic properties on devices
microsoft.directory/devices/extensionAttributeSet1/update | Update the extensionAttribute1 to extensionAttribute5 properties on devices
microsoft.directory/devices/extensionAttributeSet2/update | Update the extensionAttribute6 to extensionAttribute10 properties on devices
microsoft.directory/devices/extensionAttributeSet3/update | Update the extensionAttribute11 to extensionAttribute15 properties on devices
microsoft.directory/devices/registeredOwners/update | Update registered owners of devices
microsoft.directory/devices/registeredUsers/update | Update registered users of devices
microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies
microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups
microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups
microsoft.directory/users/basic/update | Update basic properties on users
microsoft.directory/users/manager/update | Update manager for users
microsoft.directory/users/photo/update | Update photo of users
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.cloudPC/allEntities/allProperties/allTasks | Manage all aspects of Windows 365
microsoft.intune/allEntities/allTasks | Manage all aspects of Microsoft Intune
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

References:-

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

2 thoughts on “Intune RBAC Roles Permissions in the Endpoint Manager Portal”

  1. At the References tab: Role-based access control (RBAC) for Microsoft Intune – “here” is not a hyperlink

