Intune Read-Only Admin and Scoped Admin Console Experience

Let’s discuss the Intune Read-Only Admin and Scoped Admin console experience. This post is a continuation of my previous post, Intune Admin RBAC Implementation Guide with Scope tags and Scope groups.

In this post, you will learn what the Intune read-only admin experience looks like after implementing the Role-Based Access Control (RBAC) solution with scope tags and scope groups.

Intune RBAC Strategic options – Video

In this video, we explain the Intune RBAC strategic options: Role-Based Access Controls, scope groups, Intune objects, and roles.


Scenarios – Intune Read-Only Admin and Scoped Admin

I have explained both of the following scenarios in the video tutorial below. This video will also be published on the video blog. The two Intune admin scenarios explained in this post are:

#1 – The first scenario is of an Intune admin called Santy, who is a Read-Only admin. She can view all the Intune objects for a particular tenant. Given those permissions, she can see all the scoped objects in Intune.

#2 – The second scenario is of an Intune scoped admin console access experience. Rateesh is an Intune admin for one of the office locations in Mumbai. He has full access to the devices and profiles (+ policies) for the Mumbai location. But he can’t view any other scoped objects in Intune.


Scope Tag Filtering Effect – Intune Portal

You can see the effect of scope tag filtering for the Intune scoped admin in the following screenshot. The Intune read-only admin (in the above scenario) has access to all the objects in Intune.


As you can see, the Intune Read-Only admin can view four (4) profiles in the Intune console, but the Intune scoped admin can view only three (3) profiles.

However, the scoped admin can deploy or assign these three policies to his scope group (Mumbai Devices and Users). He can also change the settings of all three (3) device configuration profiles.

This difference is because of scoped objects. The scoped admin can only view:

  • #1 – Objects scoped to Mumbai
  • #2 – Non-Scoped Objects

This Intune scope filtering works for devices and all the other supported objects I mentioned in the previous post. The scoped admin can view and administer only the one device scoped for his location, while the Intune Read-Only admin can view two devices.

Video Experience – Intune Read-Only Admin and Scope admin

This video tutorial will give you an experience of two different Intune Admin roles.

  • Intune Read-Only Admin
  • Intune Scoped Admin

Where can I check the permissions of an Intune Admin?

Intune troubleshooting is always a bit different from SCCM troubleshooting. SCCM RBAC troubleshooting can be done using the RBA tool. In Intune RBAC, permission issues can be reviewed using the following method.

  1. Log in to the Azure Portal with the Intune Admin ID whose permissions you want to review.
  2. Click on the Roles option from the Intune blade.
  3. Click on My Permissions from the Monitor section.
  4. Check out the permissions in the Resource & Permission table on the right side of the blade.
  5. Click on the EXPORT button to export all the permissions to CSV format.
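
One way to review the CSV exported in step 5 for least privilege, as an added example that is not part of the original post: it flags every permission other than Read held by an admin who is meant to be read-only. The column names `Resource` and `Permission` (taken from the table name above), the function name and the sample rows are assumptions constructed for illustration; adjust them to match your actual export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for the exported "My Permissions" CSV.
# Assumption: the export has "Resource" and "Permission" columns, matching
# the Resource & Permission table shown in the portal.
SAMPLE_EXPORT = """Resource,Permission
Device configurations,Read
Device configurations,Assign
Managed devices,Read
Mobile apps,Read
Managed devices,Delete
"""

# Assumption: only "Read" is acceptable for a read-only admin.
ALLOWED_FOR_READ_ONLY = {"read"}


def find_excess_permissions(csv_text, allowed=ALLOWED_FOR_READ_ONLY):
    """Return {resource: sorted permissions that fall outside the allowed set}."""
    # Strip a UTF-8 byte order mark if the export starts with one.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    missing = {"Resource", "Permission"} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing expected columns: {sorted(missing)}")
    excess = defaultdict(set)
    for row in reader:
        resource = (row["Resource"] or "").strip()
        permission = (row["Permission"] or "").strip()
        if not resource or not permission:
            continue  # skip blank or partial rows
        if permission.lower() not in allowed:
            excess[resource].add(permission)
    return {res: sorted(perms) for res, perms in excess.items()}


if __name__ == "__main__":
    findings = find_excess_permissions(SAMPLE_EXPORT)
    if not findings:
        print("OK: only read permissions found")
    for resource, perms in sorted(findings.items()):
        print(f"REVIEW: {resource}: {', '.join(perms)}")
```

To check a scoped admin instead, pass a wider `allowed` set and confirm that nothing outside it appears.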


6 thoughts on “Intune Read-Only Admin and Scoped Admin Console Experience”

  1. I checked your post, for now, I want to see this feature working for managed devices. I configured all you mentioned in the post but it still doesn’t work. A restricted admin can see all my devices. I manually assigned a Tag for some devices and configured that tag for a restricted group of admins, but these restricted admins can still see all the devices I have in Intune (but not manage all of them). I just want to show the tagged managed devices to them. As you mentioned in the post, could it be that this feature is not working for managed devices for now?

