Intune Read-Only Admin and Scoped Admin Console Experience

This post is a continuation of my previous post, Intune Admin RBAC Implementation Guide with Scope Tags and Scope Groups. In this post, you will learn what the Intune read-only admin experience looks like after implementing the Role-Based Access Control (RBAC) solution with scope tags and scope groups.

Scenarios – Intune Read-Only Admin and Scoped Admin

I have explained both of the following scenarios in the video tutorial below, which will also be published on my video blog. The two Intune admin scenarios covered in this post are:

#1 – The first scenario is an Intune admin called Santy, who is a Read-Only admin. She can view all the Intune objects in the tenant, including every scoped object, because her role assignment grants her those permissions.

#2 – The second scenario is the console experience of an Intune scoped admin. Rateesh is an Intune admin for one office location, Mumbai. He has full access to the devices, profiles and policies for the Mumbai location, but he cannot view objects scoped to any other location in Intune.


Scope Tag Filtering Effect – Intune Portal

You can see the effect of scope tag filtering for an Intune scoped admin in the following screenshot. The Intune read-only admin (Santy, in the scenario above) has access to all the objects in Intune.

As you can see, the Intune Read-Only admin can view four (4) profiles in the Intune console, but the Intune scoped admin can view only three (3). However, the scoped admin can deploy or assign these three profiles to his scope group (Mumbai Devices and Users), and he can change the settings of all three device configuration profiles.

This difference comes from the scope tags on the objects. A scoped admin can only view:

#1 – Objects scoped to Mumbai

#2 – Non-scoped objects

Intune Read-Only Admin - Scoped Admin

This Intune scope filtering works for devices and all the other supported object types I mentioned in the previous post. In this example, the scoped admin can view and administer only the one device scoped to his location, while the Intune Read-Only admin can view both devices.
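To make the visibility rule above concrete, here is a small model of scope-tag filtering written for this post; it is an added example, not Intune's own code or a Microsoft Graph call. It assumes a tenant with the page's Mumbai tag plus a second, constructed tag (Delhi), four profiles and two devices, and it reproduces the counts from the screenshots: Santy's read-only assignment covers every tag and sees everything, Rateesh's Mumbai assignment sees the Mumbai objects plus the non-scoped ones. The untagged() helper is the audit a defender wants here, because an object that carries no scope tag is visible to every scoped admin in the tenant.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IntuneObject:
    name: str
    kind: str                               # "profile" or "device"
    scope_tags: frozenset = frozenset()     # empty means the object is non-scoped


@dataclass(frozen=True)
class RoleAssignment:
    admin: str
    role: str                               # e.g. "Read Only" or "Mumbai Admin"
    scope_tags: frozenset                   # tags this assignment is limited to
    read_only: bool = False


def is_visible(assignment: RoleAssignment, obj: IntuneObject) -> bool:
    """The page's rule: non-scoped objects are visible to everyone holding the
    role; tagged objects only when at least one tag matches the assignment."""
    return not obj.scope_tags or bool(obj.scope_tags & assignment.scope_tags)


def visible_objects(assignment: RoleAssignment, objects: list) -> list:
    return [o for o in objects if is_visible(assignment, o)]


def counts_by_kind(assignment: RoleAssignment, objects: list) -> dict:
    """Number of visible objects per kind, as the console would show them."""
    return dict(Counter(o.kind for o in visible_objects(assignment, objects)))


def can_edit(assignment: RoleAssignment, obj: IntuneObject) -> bool:
    """Read-only roles never edit; a scoped admin edits only what he can see."""
    return not assignment.read_only and is_visible(assignment, obj)


def untagged(objects: list) -> list:
    """Audit helper: objects with no scope tag appear in every scoped admin's view."""
    return [o for o in objects if not o.scope_tags]


# Constructed sample tenant. "Mumbai" comes from the post; "Delhi" is an assumed
# second location so that there is something Rateesh must not see.
ALL_TAGS = frozenset({"Mumbai", "Delhi"})
OBJECTS = [
    IntuneObject("Mumbai Wi-Fi profile", "profile", frozenset({"Mumbai"})),
    IntuneObject("Mumbai BitLocker profile", "profile", frozenset({"Mumbai"})),
    IntuneObject("Baseline profile", "profile"),                      # non-scoped
    IntuneObject("Delhi VPN profile", "profile", frozenset({"Delhi"})),
    IntuneObject("MUM-LAPTOP-01", "device", frozenset({"Mumbai"})),
    IntuneObject("DEL-LAPTOP-01", "device", frozenset({"Delhi"})),
]
SANTY = RoleAssignment("Santy", "Read Only", ALL_TAGS, read_only=True)
RATEESH = RoleAssignment("Rateesh", "Mumbai Admin", frozenset({"Mumbai"}))

if __name__ == "__main__":
    for assignment in (SANTY, RATEESH):
        print(assignment.admin, counts_by_kind(assignment, OBJECTS))
    print("visible to every scoped admin:", [o.name for o in untagged(OBJECTS)])
```

Running it prints 4 profiles and 2 devices for Santy and 3 profiles and 1 device for Rateesh, matching the screenshots; the last line lists the baseline profile as the object every scoped admin can see, which is the item to check whenever a scoped admin reports seeing more than expected.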

Video Experience – Intune Read-Only Admin and Scoped Admin

This video tutorial will give you an experience of two different Intune admin roles:

  1. Intune Read-Only Admin
  2. Intune Scoped Admin

Where can I check the permissions of an Intune Admin?

Intune troubleshooting is always a bit different from SCCM troubleshooting. SCCM RBAC troubleshooting can be done with the RBA tool, but in Intune, RBAC troubleshooting and permission issues can be reviewed using the following method.

  1. Log in to the Azure portal with the Intune admin ID whose permissions you want to review
  2. Click on Roles in the Intune blade
  3. Click on My Permissions in the Monitor section
  4. Check the permissions in the Resource & Permission table on the right side of the blade
  5. Click the EXPORT button to export all the permissions to CSV format

6 thoughts on “Intune Read-Only Admin and Scoped Admin Console Experience”

  1. I checked your post; for now, I want to see this feature working for managed devices. I configured all you mentioned in the post but it still doesn’t work. A restricted admin can see all my devices. I manually assigned a tag for some devices and configured that tag for a restricted group of admins, but these restricted admins can still see all the devices I have in Intune (but not manage all of them). I just want to show the tagged managed devices to them. As you mentioned in the post, could it be that this feature is not working for managed devices for now?
