Role Based Access Controls (RBAC) are one of my favorite feature in Microsoft Intune. Lack of RBAC was one of the reasons for people choosing Intune hybrid instead of Intune standalone. Intune team introduced RBAC features into their product back in 2017. In this post, we will learn how to provide read only access to Intune console.
I have two (2) posts which cover Intune role-based access controls in details. I recommend reading through those two posts to get more details about Intune RBAC. But Intune team did an excellent work to include scope features into Intune RBAC. Now it’s getting close to SCCM RBAC features. Following are my previous posts about Intune RBAC.
- Intune Role Based Administration RBA Controls In Azure Portal
- Intune Application Policy Manager RBA Controls In Azure Portal
How to Provide Read Only Access to Intune
RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are six (6) built-in Intune roles (RBAC roles). I use Intune default role called “Read Only Operator” to provide read only access to Intune console.
- Navigate Azure Portal – Microsoft Intune blade – Intune roles – All roles – Read Only Operator – Assignments – Click on + Assign
- Once you click on “+ Assign” button, new Read Only Operator – Role assignments blade will get displayed
- Enter the following information in the blade Assignment Name = Read Only Intune Users
Assignment Description = Details of Read Only Assignment Group
Members (Groups)# = Click on + Add button and select the Azure AD User Group which includes Intune Read Only users (my example – Intune ReadOnly Users) Scope (Groups)* = Click on + Add and select the Azure AD User or/and Device group. Read Only operator would be able to manage the resources in this group. More details below.
- Save the Intune Role assignment by clicking OK button
* Administrators in Scope Groups Role Assignment can target policies, applications or remote tasks to these Scope Groups. So the Intune ReadOnly user group members (in my example screenshot) would be able to target policies, applications or remote tasks for the users/devices in my scoping group Intune ReadOnly. This is as per the design.
# Member Group users are the administrators assigned to this role.
Do you know what Intune scope group is?
Do you know what is Intune scope group? “The users or devices that a specified person (the member) can manage.” In the above example, Intune ReadOnly users can manage devices or users part of their Scope Groups. If you are an SCCM admin, then SCOPE option is already there in SCCM 2012 and CB console. I’ve another post which talks about Configuration manager RBAC details here.
Intune Read Only User Experience
In this scenario, the Intune read only user is a regular user in Azure Active Directory (without any additional access). But the user has a valid Intune (EMS) license assigned. I will cover all the following scenarios with Intune read only user experience. More details available in the video tutorial called read only access to Intune.
Device enrollment Experience for Read Only User
The user has read or view access to all the blades of device enrollment. I have noticed that Configure MDM Push Certificate blade doesn’t provide any option to download the CSR file.
Android work enrollment experience is different from Apple. I can see the following error while trying to signup with Intune read only account – An error occurred requesting Android for Work signup Url.
Windows enrollment, Terms and conditions, Enrollment restrictions, Device categories, Corporate device identifiers, and Device enrollment managers also work as expected for Intune read only user.
Device Compliance Experience for Read Only Users
Device compliance experience is different than the device enrollment experience. Read only user has access to change the compliance policy schedule time for action for non compliance, but it never gets saved. Instead, it gives an error while trying to save the configuration. So we are fine!
The read only user doesn’t have any access to assign the compliance policy to any group as per my testing. You can refer to the video tutorial called read only access to Intune for more details. However, read only user has access to check the status of the compliance policy on devices.
Devices Blade Experience for Intune Read Only User
The view access is intact for the devices blade. The user can view the properties of all the devices. Azure AD scope option may provide some options to limit read only users from checking out the properties of the devices which are not in read only users scope.
Also read only user can’t not any remote actions (Remove company data, Factory reset, Delete, and Remote Lock) on devices.
Device Configuration Experience for Intune Read Only User
Configuration profiles blade provides classic view experience for Intune read only users. The read only users have view access to Overview, Properties, Assignments, Device status, User status, and Per-setting status.
Configuration PowerShell Scripts blade provides a different experience for Intune read only users. Similar to compliance policy experience (explained above),PowerShell scripts blade provides option to edit or rename PowerShell script name. But we are fine as Intune won’t allow read only users to save those changes.
Similar experience with PowerShell Script assignment. It allows to assign PowerShell script to change the assignments. But it won’t allow the read only user to save the changes.
Mobile Apps (Applications) Experience for Intune Read Only User
Mobile apps experience for Intune read only user is similar to device enrollment. Mobile apps Manage options provides standard view access to read only users for Apps, App configuration policies, App protection policies, App selective wipe and iOS app provisioning profiles.
Monitor options under mobile apps gives similar view experience for App licenses, Discovered apps, App install status, App protection status, and Audit logs
SETUP options also gives similar view experience for iOS VPP tokens, Windows enterprise certificate, Windows Symantec certificate, Microsoft Store for Business, Windows side loading keys, Company Portal branding, App categories, and Android for Work.
Conditional Access Experience for Intune Read Only User
Conditional Access blade provides view access to read only operators. I love to see Azure AD Conditional Access What If works fine for read only users. This would be very helpful from learning perspective.
All the following items work fine as expected to provide standard view access.
- Software Updates