Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access

Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access. Role-Based Access Controls (RBAC) are one of my favorite features in Microsoft Intune.

The lack of RBAC was why people chose Intune hybrid instead of Intune standalone. Intune team introduced RBAC features into their product back in 2017. In this post, we will learn how to provide read-only access to Intune console.

I have two (2) posts covering Intune role-based access controls in detail. I recommend reading through those two posts to get more about Intune RBAC.

But Intune team did excellent work to include scope features into Intune RBAC. Now it’s getting close to SCCM RBAC features. Following are my previous posts about Intune RBAC.

Patch My PC

How to Provide Read-Only Access to Intune

RBAC helps Intune Admins control who can perform various Intune tasks within your enterprise. There are six (6) built-in Intune roles (RBAC roles). I use Intune default role called “Read Only Operator” to provide read-only access to Intune console.

  1. Navigate Azure PortalMicrosoft Intune blade – Intune rolesAll roles Read-Only Operator – Assignments  – Click on + Assign.
  2. Once you click on the “+ Assign” button, a new Read-Only Operator – Role assignments blade will get displayed.
  3. Enter the following information in the blade                                                  Assignment Name = Read-Only Intune Users
    Assignment Description = Details of Read-Only Assignment Group
    Members (Groups)# = Click on the + Add button and select the Azure AD User Group, including Intune Read-Only users (my example – Intune ReadOnly Users). Scope (Groups)* = Click on + Add and select the Azure AD User or/and Device group. Read Only operator would be able to manage the resources in this group. More details are below.
  4. Save the Intune Role assignment by clicking the OK button

Administrators in Scope Groups Role Assignment can target policies, applications, or small
tasks to these Scope Groups. So the Intune ReadOnly user group members (in my
example screenshot) would be able to target procedures, applications, or small functions
for the users/devices in my scoping group Intune ReadOnly. This is as per the design.

  •  Member Group users are the administrators assigned to this role.
Read Only Access to Intune Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access. Role-Based Access Controls (RBAC) are one of my favorite features in Microsoft Intune.
Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access. Role-Based Access Controls (RBAC) are one of my favorite features in Microsoft Intune.

Do you know what Intune scope group is?

Do you know what Intune scope group is? “The users or devices that a specified person (the member) can manage.” In the above example, Intune ReadOnly users can manage devices or parts of their Scope Groups.

If you are an SCCM admin, then the SCOPE option is already there in SCCM 2012 and CB console. I’ve another post that talks about Configuration manager RBAC detail.

Adaptiva

Intune Read-Only User Experience

In this scenario, the Intune read-only user is a regular user in Azure Active Directory (without any other access). But the user has a valid Intune (EMS) license assigned.

I will cover all the following scenarios with Intune read-only user experience. More details are available in the video tutorial called read-only access to Intune.

Device enrollment Experience for Read-Only User

The user has read or view access to all the blades of device enrollment. I have noticed that Configure MDM Push Certificate blade doesn’t provide any option to download the CSR file.

Android work enrollment experience is different from Apple. I can see the following error while trying to signup with Intune read-only account – An error occurred requesting Android for Work signup Url.

Windows enrollment, Terms and conditions, Enrollment restrictions, Device categories, Corporate device identifiers, and Device enrollment managers also work as expected for Intune read-only users.

Device Compliance Experience for Read-Only Users

The device compliance experience is different than the device enrollment experience. Read-only user has access to change the compliance policy schedule time for action for non compliance, but it never gets saved. Instead, it gives an error while trying to save the configuration. So we are fine!

As per my testing, the read-only user doesn’t have access to assign the compliance policy to any group. You can refer to the video tutorial called read-only access to Intune for more details. However, the read-only user has access to check the status of the compliance policy on devices.

Devices Blade Experience  for Intune Read-Only User

The view access is intact for the device’s blade. The user can view the properties of all the devices. Azure AD scope option may provide some opportunities to limit read only users from checking out the properties of the devices which are not in read-only users’ scope.

Also, read only users can’t not any remote actions (Remove company data, Factory reset, Delete, and Remote Lock) on devices.

Device Configuration Experience  for Intune Read-Only User

Configuration profiles blade provides a classic view experience for Intune read-only users. The read-only users have view access to Overview, Properties, Assignments, Device status, User status, and Per-setting status.

Configuration PowerShell Scripts blade provides a different experience for Intune read only users.  Similar to compliance policy experience (explained above), PowerShell scripts blade offers the option to edit or rename PowerShell script name. But we are fine as Intune won’t allow read only users to save those changes.

Similar experience with PowerShell Script assignment. It allows assigning PowerShell script to change the assignments. But it won’t allow the read-only user to save the changes.

Mobile Apps (Applications) Experience  for Intune Read-Only User

The mobile apps experience for Intune read only user is similar to devise enrollment. Mobile apps Manage options provides standard view access to read only users for Apps, App configuration policies, App protection policies, App selective wipe, and iOS app provisioning profiles.

Monitor options under mobile apps give a similar view experience for App licenses, Discovered apps, App install status, App protection status, and Audit logs.

SETUP options also give a similar view experience for iOS VPP tokens, Windows enterprise certificate, Windows Symantec certificate, Microsoft Store for Business, Windows sideloading keys, Company Portal branding, App categories, and Android for Work.

Conditional Access Experience  for Intune Read-Only User

Conditional Access blade provides view access to read-only operators. I love to see Azure AD Conditional Access What If works fine for read-only users. This would be very helpful from a learning perspective.

All the following items work fine as expected to provide standard view access.

  • On-premises access
  • Users
  • Groups
  • Intune roles
  • Software Updates

Useful Links

2 thoughts on “Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access”

  1. I testing read only on intune

    not ok for me I don’t access tenant, if put test user on administrator all access is normal

    could you help me for this feature ?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.