Using the New Role Based Access Controls in Intune


By Dave Randall | Sr. PM

I’m Dave, a Program Manager in the Intune team. Many of you – our customers and partners – are now using the Azure Portal to manage Intune. One new area of functionality is role based access control (RBAC). This feature offers much greater flexibility and control to ensure your IT administrators have the right permissions to perform their job, and no more. I want to walk you through some of the features of RBAC, plus help you understand how Azure Active Directory (Azure AD) Directory Roles are supported by Intune. They are an important part of the overall permissions management story for Intune. This post will help you get started by explaining the Intune on Azure role experience and show you just how granular you can get in your role based access!

Starting at the top

Azure AD provides four Directory Roles which are used in conjunction with Intune.

  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD and can manage all of Intune. This role also manages Azure AD’s Conditional Access.
  • User Administrator: Users with this role can manage users and groups, but cannot manage all of Intune.
  • Intune Service Administrator: Users with this role can manage all of Intune. Additionally, this role can manage users and devices as well as create and manage groups. This role cannot manage Azure AD’s Conditional Access settings.
  • Conditional Access Administrator: Users with this role can manage Azure AD’s Conditional Access policies, but not all of Intune.

You can assign one or more Limited Administrator directory roles to an administrative user. For example, you might want to assign both the Intune Service Administrator and the Conditional Access Administrator roles. The full description of these roles and their uses is documented here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles.

Azure AD Directory Roles provide full access to one or more services (Exchange, Intune, SharePoint, etc.). If you want finer-grained control rather than full access to a service, each service offers its own roles with permissions specific to that service’s features.

Intune Roles

Intune Roles are designed to mirror the job functions in your IT department. There are four built-in roles. See Table 1 for a full list of permissions by role.

  • Policy and Profile Manager – manages the configuration and compliance policies.
  • Application Manager – manages mobile and managed applications.
  • Helpdesk Operator – enables tasks appropriate for end-user service desk support personnel.
  • Read Only Operator – allows viewing of Intune information without the ability to change Intune.

You cannot change the permissions for a built-in role. If you need to customize the permissions, you can simply create a custom role that includes any permissions required for a job function. For example, if an IT department group manages applications, policies and configuration profiles, you can add all those permissions together in one custom role.

NOTE: When your company is migrated from the classic Intune experience to Intune on Azure, your Service Administrators with “Read Only” or “Helpdesk” console access are not migrated to the new Azure Portal. However, “Full” Service Administrators in the classic Intune console still have full permission to perform all activities in Intune, both in the classic Intune (Silverlight) console and in the Intune Azure Portal. To transition those users, re-assign your service administrators to new Intune roles and remove them from the old portal, unless they still need access to manage PCs using the classic PC agent. Alternatively, you can assign them to one of the Azure AD directory roles as appropriate.

Licensing: Administrators with an Intune Role require an Intune license.

Automation: You can automate any RBAC task such as creating custom roles, or adding/modifying role assignments using the Microsoft Graph API. We have a set of PowerShell scripts that can help you get started.
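The following is an added example of the kind of automation this paragraph refers to; it is not one of the Intune team’s PowerShell scripts. It assumes, for you to verify against the Microsoft Graph reference, the beta endpoints deviceManagement/roleDefinitions and deviceManagement/roleAssignments, the rolePermissions/resourceActions/allowedResourceActions shape of a role definition, the members/scopeMembers/roleDefinition@odata.bind shape of a role assignment, and resource action names of the form Microsoft.Intune_<Resource>_<Action>. The sample role-definition response is constructed. The practical point is the check in custom_role_body: read the built-in roles from your tenant first and refuse any action name it does not list, so a typo cannot silently produce a custom role with different rights than intended.

```python
"""Helpers for managing Intune RBAC through Microsoft Graph (added example)."""
import json
import urllib.request
from typing import Iterable, Optional

GRAPH = "https://graph.microsoft.com/beta"  # assumption: beta endpoints as used by the Intune samples


def graph_request(token: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Send one Graph call with a bearer token. Obtaining the token (for example via an app
    registration granted DeviceManagementRBAC.ReadWrite.All) is left to the caller."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{GRAPH}/{path}", data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def known_actions(role_definitions_response: dict) -> set:
    """Collect every allowed resource action named in a GET deviceManagement/roleDefinitions
    response (the built-in roles enumerate the action names the tenant accepts)."""
    actions = set()
    for role in role_definitions_response.get("value", []):
        for perm in role.get("rolePermissions", []):
            for ra in perm.get("resourceActions", []):
                actions.update(ra.get("allowedResourceActions", []))
    return actions


def custom_role_body(display_name: str, description: str,
                     allowed_actions: Iterable[str], known: set) -> dict:
    """Build the POST body for a custom role, refusing any action the tenant does not list."""
    allowed = set(allowed_actions)
    unknown = sorted(allowed - known)
    if unknown:
        raise ValueError(f"unknown resource actions: {unknown}")
    return {
        "@odata.type": "#microsoft.graph.roleDefinition",  # assumption: type name per Graph beta
        "displayName": display_name,
        "description": description,
        "isBuiltInRoleDefinition": False,
        "rolePermissions": [{
            "resourceActions": [{
                "allowedResourceActions": sorted(allowed),
                "notAllowedResourceActions": [],
            }],
        }],
    }


def role_assignment_body(display_name: str, role_definition_id: str,
                         member_group_ids: Iterable[str], scope_group_ids: Iterable[str]) -> dict:
    """Build the POST body tying a role to member groups (IT staff who receive the permissions)
    and scope groups (end users they may act on). Both lists hold Azure AD group object IDs."""
    members, scope = list(member_group_ids), list(scope_group_ids)
    if not members or not scope:
        raise ValueError("an assignment needs at least one member group and one scope group")
    return {
        "displayName": display_name,
        "members": members,
        "scopeMembers": scope,
        "roleDefinition@odata.bind": f"{GRAPH}/deviceManagement/roleDefinitions/{role_definition_id}",
    }


# Constructed stand-in for a GET roleDefinitions response: two trimmed built-in roles.
SAMPLE_ROLE_DEFINITIONS = {"value": [
    {"displayName": "Application Manager", "rolePermissions": [{"resourceActions": [
        {"allowedResourceActions": ["Microsoft.Intune_MobileApps_Read",
                                    "Microsoft.Intune_MobileApps_Assign",
                                    "Microsoft.Intune_MobileApps_Create"]}]}]},
    {"displayName": "Read Only Operator", "rolePermissions": [{"resourceActions": [
        {"allowedResourceActions": ["Microsoft.Intune_MobileApps_Read",
                                    "Microsoft.Intune_DeviceConfigurations_Read"]}]}]},
]}

if __name__ == "__main__":
    # Against a real tenant: known_actions(graph_request(token, "GET", "deviceManagement/roleDefinitions"))
    known = known_actions(SAMPLE_ROLE_DEFINITIONS)
    body = custom_role_body("App and Config Readers", "Reads apps and device configurations",
                            ["Microsoft.Intune_MobileApps_Read",
                             "Microsoft.Intune_DeviceConfigurations_Read"], known)
    print(json.dumps(body, indent=2))
    # Then: graph_request(token, "POST", "deviceManagement/roleDefinitions", body), and use the
    # returned id in role_assignment_body(...) posted to deviceManagement/roleAssignments.
```

Creating the role and the assignment are two calls: the role definition comes first, and the id Graph returns for it goes into the roleDefinition@odata.bind of the assignment.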

Role Assignments

A role assignment ties together a role’s permissions with your IT staff (the members who receive them) and your end users (the scope groups they may act on). This is a key concept to understand: it is how permissions are enforced.

You can create one or more assignments for a role.

Example – Contoso Helpdesk

At Contoso, we have a distributed helpdesk staff. There are three helpdesk groups: one that supports the Engineering Department, another for the Shipping Department, and a third for the Cooking Department. We want to set up three separate role assignments so that each group of helpdesk operators can only manage its own department.

Let’s add an assignment for one of those departments – Engineering. Start by clicking “+ Assign” in the Assignments for the Helpdesk Operator role.

Then we’ll give it a name (1), click Members (2), then Add (3), and pick the Contoso Helpdesk for Engineers user group.

Save the members with OK. Remember, the members are your IT staff who receive the helpdesk permissions.

NOTE: you can add the same Azure AD security group to multiple role assignments as necessary. For example, you may have a small team of IT administrators that provides backup support for several roles. That team’s Azure AD security group can be added to each role assignment for which they provide support.


Next, we’ll add the scope group – by picking Scope Groups (1), then Add (2), then selecting the user group (3) – Engineering Department Employees.


Choose OK to save the assignment.

Remember: scope groups limit which users the members of this role assignment can target with remote tasks or assignments.

I’ve made assignments for my other groups, Shipping and Cooks, with the matching IT admins (Helpdesk Operators for Cooks/Shipping) as members and users (Cooks Department/Shipping Department) as scope groups.

Now that I have the assignments, “Helpdesk for Shipping” administrators can’t assign apps or perform remote tasks for Engineering users, or Cooks. And, the “Helpdesk for Engineers” can’t assign apps or policy or perform remote tasks for Shipping or Cooks, etc.

To demonstrate how this works: if Emma wants to assign an app to the Engineering Department, she can. But if she tries to assign an app to the Shipping Department, she’ll see an error message:

[Screenshot: error shown when assigning an app to users outside the role assignment’s scope groups]

But if she tries to add a deployment to Engineering, that will work.
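To make the enforcement rule concrete, here is an added example (not Microsoft’s code, and not the Intune service’s actual evaluation logic) that models the Contoso scenario above as data: one Helpdesk Operator role, three role assignments, and a check that answers “can this admin perform this permission on this user or group?”. User names other than Emma, group memberships, the permission names and the “IT Backup Team” group are constructed sample data; the backup team illustrates the note about adding one security group to several assignments.

```python
"""Simplified model of Intune role assignments for the Contoso helpdesk scenario (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # permission names, e.g. "MobileApps.Assign" (constructed naming)


@dataclass(frozen=True)
class RoleAssignment:
    name: str
    role: Role
    members: frozenset       # Azure AD security groups whose users receive the role
    scope_groups: frozenset  # Azure AD groups whose users may be targeted


# Constructed Azure AD group memberships: user -> groups the user belongs to.
GROUP_MEMBERSHIP = {
    "emma":  frozenset({"Contoso Helpdesk for Engineers"}),
    "sam":   frozenset({"Helpdesk for Shipping"}),
    "kim":   frozenset({"IT Backup Team"}),   # small team backing up all three helpdesks
    "alice": frozenset({"Engineering Department Employees"}),
    "bob":   frozenset({"Shipping Department"}),
}

# A subset of the Helpdesk Operator permissions from Table 1 (names are constructed).
HELPDESK_OPERATOR = Role("Helpdesk Operator", frozenset({
    "MobileApps.Read", "MobileApps.Assign", "ManagedDevices.Read",
    "RemoteTasks.RemoteLock", "RemoteTasks.ResetPasscode",
}))

DEPARTMENTS = {
    "Engineers": ("Contoso Helpdesk for Engineers", "Engineering Department Employees"),
    "Shipping":  ("Helpdesk for Shipping", "Shipping Department"),
    "Cooks":     ("Helpdesk for Cooks", "Cooks Department"),
}

# One assignment per department; the backup team is a member of every assignment.
ASSIGNMENTS = tuple(
    RoleAssignment(f"Helpdesk for {dept}", HELPDESK_OPERATOR,
                   frozenset({staff_group, "IT Backup Team"}), frozenset({user_group}))
    for dept, (staff_group, user_group) in DEPARTMENTS.items()
)


def groups_of(user: str) -> frozenset:
    return GROUP_MEMBERSHIP.get(user, frozenset())


def in_scope(target: str, scope_groups: frozenset) -> bool:
    """`target` is a group name or a user; a user is in scope through any of its groups."""
    if target in GROUP_MEMBERSHIP:
        return bool(groups_of(target) & scope_groups)
    return target in scope_groups


def is_allowed(actor: str, permission: str, target: str, assignments=ASSIGNMENTS) -> bool:
    """True if at least one role assignment grants `actor` `permission` over `target`.

    All three conditions must hold within the same assignment: the role carries the
    permission, the actor is in one of its member groups, and the target is in one of
    its scope groups. Membership in one assignment never widens another one's scope.
    """
    for a in assignments:
        if (permission in a.role.permissions
                and groups_of(actor) & a.members
                and in_scope(target, a.scope_groups)):
            return True
    return False


def allowed_targets(actor: str, permission: str, assignments=ASSIGNMENTS) -> frozenset:
    """Union of the scope groups the actor may apply `permission` to."""
    return frozenset().union(*(
        a.scope_groups for a in assignments
        if permission in a.role.permissions and groups_of(actor) & a.members
    ))


if __name__ == "__main__":
    # Emma is on the Engineering helpdesk: she can assign an app to Engineering, not to Shipping.
    print(is_allowed("emma", "MobileApps.Assign", "Engineering Department Employees"))  # True
    print(is_allowed("emma", "MobileApps.Assign", "Shipping Department"))               # False
    print(sorted(allowed_targets("kim", "RemoteTasks.RemoteLock")))  # all three departments
```

The model also shows the other side of the built-in role boundary: a permission the Helpdesk Operator role does not carry (for example creating device configurations) is denied to Emma regardless of scope, which is why a custom role, not a wider scope group, is the answer when a team needs extra permissions.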


One last topic…

Although not permissions related, sometimes you’ll see messages such as “We’re not quite ready for you yet…” or “Coming Soon”.

These are simply placeholders that indicate we’re making some service updates and we haven’t finalized the update quite yet. There isn’t anything you need to do on your side. Of course, you can always check the What’s New Page to see what’s changed recently.

Table 1 – Intune Role Permissions

Roles (columns): AAD Global Administrator | AAD Intune Service Administrator | "Full" Service Administrator (Silverlight Console only) | Policy and Profile Manager | Application Manager | Helpdesk Operator | Read Only Operator | Role Administrator

AAD Users
  Manage x x
AAD Groups
  Manage x x
Apple Enrollment
  Create Serial Number x x x x
  Delete Serial Number x x x x
  Read Serial Number x x x x x x
  Update Serial Number x x x x
  Create Profile x x x x
  Delete Profile x x x x
  Read Profile x x x x x x
  Update Profile x x x x
  Create Token x x x x
  Delete Token x x x x
  Read Token x x x x x x
  Update Token x x x x
Corporate Device Identifiers
  Create x x x x
  Read x x x x x x
  Update x x x x
  Delete x x x x
Device Compliance Policies
  Assign x x x x
  Create x x x x
  Delete x x x x
  Read x x x x x x
  Update x x x x
Device Configurations
  Assign x x x x
  Create x x x x
  Delete x x x x
  Read x x x x x
  Update x x x x
Device Enrollment Managers
  Read x x x x x
  Update x x x
Endpoint Protection Reports
  Read x x x x x
Managed Apps
  Assign x x x x x x
  Create x x x x x
  Delete x x x x x
  Read x x x x x x x
  Update x x x x x
  Wipe x x x x x
Managed Devices
  Delete x x x
  Read x x x x x x
  Update x x x
Mobile Apps
  Assign x x x x x
  Create x x x x
  Delete x x x x
  Read x x x x x x
  Update x x x x
Organization
  Create x x x
  Delete x x x
  Read x x x x x x
  Update x x x
Remote Assistance
  Read x x x x x
  Update x x x
Remote Tasks
  Bypass Activation Lock x x x
  Clean PC x x x x
  Disable Lost Mode x x x x
  Enable Lost Mode x x x x
  Enable Windows Intune Agent x x x x
  Locate Device x x x x
  Reboot Now x x x x
  Remote Lock x x x x
  Request Remote Assistance x x x x
  Reset Passcode x x x x
  Retire x x x x
  Wipe x x x x
Reports
  Read x x x x
Roles
  Assign x x x x
  Create x x x x
  Delete x x x x
  Read x x x x x x
  Update x x x x
Telecom Expenses
  Read x x x x x
  Update x x x
Terms and Conditions
  Assign x x x
  Create x x x
  Delete x x x
  Read x x x x x
  Update x x x

Comments (8)

  1. Carl says:

    Nice post, especially the matrix…must’ve taken some time to produce so thanks for that

  2. Clawscorp says:

    Hi,
    I have been assigned Intune Service Administrator Role + Conditional Access Administrator Role.

    There are 2 Intune portals in AAD.
    1. Intune Portal – No issues. Able to access all settings.

    2. InTune App Protection Portal – There is a setting called & if I click either, it says NO ACCESS. Do you know if this is a bug?

    This works only if the user has Global Admin access but that is too much permissions to give just to access this Intune App Protection portal – conditional access – Exchange online.

    If this is not a bug, then would you know why this doesn’t open even if sufficient RBAC is present?

    Thanks

    1. Clawscorp says:

      To clarify, setting not able to access is under Intune App Protection portal – conditional access – Exchange online. (even with Intune service admin + Conditional access admin)

      1. All the functionality that’s in the Intune App Protection portal is now over in the Intune Portal. The Intune Portal is a superset of the functionality from the App Protection Portal perspective (plus more, of course). You should start by using the Intune Portal for App Protection. If you’re unable to use the Intune Console to complete your App Protection scenarios, we can assist further. But the best way to start is just using the Intune Portal.

        1. Davidkloud says:

          I have the same issue – in the azure portal –> Intune App Protection –> Conditional Access – Exchange Online –> Allow apps –> shows an error (same with Conditional Access – SharePoint Online).

          If I go into the azure portal –> Intune –> Mobile Apps –> App Protection Policies –> I can create the app protection policy but where is the App based conditional access now?

          Also, above you say that the Intune Service Administrator role has the ability to manage Azure AD users and groups; however, I have this role and don’t have this ability –> I only get this ability with the User Account Administrator Role.

          1. You can access App based Conditional Access at https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
            For the second part of your comment, the Intune Service Administrator Directory Role has the following abilities in Azure AD:
            Users: Read, Edit, Read Contacts, Manage Contacts
            Groups: Create Security Groups, Read Groups, Manage Groups, Manage Group Membership, Delete & Restore Groups, Read Group Settings, Manage Group Settings
            Applications: Read Application Registration Properties, Read Enterprise Application Properties
            Devices: Read Devices, Manage Devices
            Directory: Read Roles, Read Administrative Units, Read Administrative Unit Membership
            Intune: Manage Intune
            If you are still unable to manage Azure AD users and groups, please contact support so they can help solve the problem.

  3. Naytaris says:

    Great post, thanks.

  4. JavoMejia says:

    Many Thanks. Great Matrix!
