By Dave Randall | Sr. PM
I’m Dave, a Program Manager in the Intune team. Many of you – our customers and partners – are now using the Azure Portal to manage Intune. One new area of functionality is role based access control (RBAC). This feature offers much greater flexibility and control to ensure your IT administrators have the right permissions to perform their job, and no more. I want to walk you through some of the features of RBAC, plus help you understand how Azure Active Directory (Azure AD) Directory Roles are supported by Intune. They are an important part of the overall permissions management story for Intune. This post will help you get started by explaining the Intune on Azure role experience and show you just how granular you can get in your role based access!
Starting at the top
Azure AD provides four Directory Roles which are used in conjunction with Intune.
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD and can manage all of Intune. This role also manages Azure AD’s Conditional Access.
- User Administrator: Users with this role can manage users and groups, but cannot manage all of Intune.
- Intune Service Administrator: Users with this role can manage all of Intune. Additionally, this role can manage users and devices as well as create and manage groups. This role cannot manage Azure AD’s Conditional Access settings.
- Conditional Access Administrator: Users with this role can manage Azure AD’s Conditional Access policies, but not all of Intune.
You can assign one or more Limited Administrator directory roles to an administrative user. For example, you might want to assign both the Intune Service Administrator and the Conditional Access Administrator roles. The full descriptions of these roles and their uses are documented here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles.
Azure AD Directory Roles provide full access to one or more services (Exchange, Intune, Sharepoint, etc). If you want finer-grained controls and not full access to the service, each service offers its own roles with more fine-grained permissions specific to the service’s features.
Intune Roles are designed to mirror the job functions of your IT department’s employees. There are four built-in roles. See Table 1 for a full list of permissions by role.
- Policy and Profile Manager – manages the configuration and compliance policies.
- Application Manager – manages mobile and managed applications.
- Helpdesk Operator – enables tasks appropriate for end-user service desk support personnel.
- Read Only Operator – allows viewing of Intune information without the ability to change Intune.
You cannot change the permissions for a built-in role. If you need to customize the permissions, you can simply create a custom role that includes any permissions required for a job function. For example, if an IT department group manages applications, policies and configuration profiles, you can add all those permissions together in one custom role.
NOTE: When your company is migrated from the classic Intune experience to Intune on Azure, your Service Administrators with “Read Only” or “Helpdesk” console access are not migrated to the new Azure Portal. However, “Full” Service Administrators in the classic Intune console still have full permission to perform all activities in Intune, both in the classic Intune (Silverlight) Console and in the Intune Azure Portal. To transition those users, re-assign your service administrators to new Intune roles and remove them from the old portal, unless they still need access to manage PCs using the classic PC agent. Or, you can assign them to one of the Azure AD directory roles as appropriate.
Licensing: Administrators with an Intune Role require an Intune license.
Automation: You can automate any RBAC task such as creating custom roles, or adding/modifying role assignments using the Microsoft Graph API. We have a set of PowerShell scripts that can help you get started.
- Microsoft Graph API’s for Intune: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview
- Sample PowerShell Scripts: https://github.com/microsoftgraph/powershell-intune-samples
A role assignment ties together the permissions with your IT staff and end users. This is a key concept to understand – it’s how permissions are enforced.
You can create one or more assignments for a role.
Example – Contoso Helpdesk
At Contoso, we have a distributed helpdesk staff. There are three helpdesk groups, one that supports the Engineering Department, another for the shipping department and a third for the cooking department. We want to set up three separate role assignments to ensure each group of helpdesk operators can only manage their respective departments.
Let’s add an assignment for one of those departments – Engineering. Start by clicking “+ Assign” in the Assignments for the Helpdesk Operator role.
Then, we’ll give it a name (1), click Members (2), Add (3) and pick the Contoso Helpdesk for Engineers user group.
Save the members with OK. Remember, the members represent your IT staff who have the helpdesk permissions.
NOTE: you can add the same Azure AD Security Group to multiple role assignments as necessary. For example you may have a small team of IT administrators that provide backup support for several roles. That Azure AD security group for the small team of IT Administrators can be added to each role for which they provide support.
Next, we’ll add the scope group – by picking Scope Groups (1), then Add (2), then selecting the user group (3) – Engineering Department Employees.
Choose OK to save the assignment.
Remember – scope groups limit the users who can have remote tasks or assignments performed to only the members in this role assignment.
I’ve made assignments for my other groups – Shipping and Cooks – they have the matched set of IT Admins (Helpdesk Operators for Cooks/Shipping) and Users (Cooks Department/Shipping Department).
Now that I have the assignments, “Helpdesk for Shipping” administrators can’t assign apps or perform remote tasks for Engineering users, or Cooks. And, the “Helpdesk for Engineers” can’t assign apps or policy or perform remote tasks for Shipping or Cooks, etc.
To demonstrate how this works, if Emma wants to assign an app to the Engineering Department, she can. But, if she tries to assign an app to the Shipping Department, she’ll see the following error message:
But, if she tries to add a deployment to Engineering, that will work.
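Putting the whole procedure together in script form, here is an added example; it is not from the post and not from the microsoftgraph/powershell-intune-samples repository. It builds the custom role described earlier (the union of the Policy and Profile Manager and Application Manager permissions, read from the built-in role definitions so that no resource action names are hard-coded), creates the Contoso “Helpdesk for Engineers” assignment with its member group and its scope group, and then lists every assignment so the scoping can be reviewed. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest), the beta endpoints /deviceManagement/roleDefinitions and /deviceManagement/roleAssignments, and the request body shapes shown below; treat the body shapes, the permission scope names and the built-in role display names (the API may spell “Help Desk Operator” differently from the post) as assumptions to confirm against the Graph reference linked above.

```powershell
# Added example: not from the original post or the microsoftgraph sample repository.
# Assumptions (verify against the Graph reference): the Microsoft.Graph.Authentication module
# is installed; the signed-in account may manage Intune RBAC; the beta endpoints and body
# shapes below are correct; the group names are the post's Contoso placeholders.

Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All", "Group.Read.All" | Out-Null
$Graph = "https://graph.microsoft.com/beta"

function Get-GroupId {
    # Resolve an Azure AD security group by exact display name; refuse ambiguous matches.
    param([Parameter(Mandatory)][string]$DisplayName)
    $safe = $DisplayName.Replace("'", "''")   # escape apostrophes for the OData filter
    $r = Invoke-MgGraphRequest -Method GET -Uri "$Graph/groups?`$filter=displayName eq '$safe'"
    if (@($r.value).Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $(@($r.value).Count)" }
    return $r.value[0].id
}

function Get-IntuneRoleDefinition {
    # Fetch all role definitions once and match the name client-side, case-insensitively.
    param([Parameter(Mandatory)][string]$DisplayName)
    $all   = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/roleDefinitions").value
    $match = @($all | Where-Object { $_.displayName -ieq $DisplayName })
    if ($match.Count -ne 1) { throw "Role definition '$DisplayName' not found or not unique" }
    return $match[0]
}

function Get-AllowedActions {
    # Flatten a role definition's rolePermissions into the list of allowed resource actions.
    param([Parameter(Mandatory)]$RoleDefinition)
    return @($RoleDefinition.rolePermissions | ForEach-Object { $_.resourceActions } |
             ForEach-Object { $_.allowedResourceActions }) | Sort-Object -Unique
}

function New-IntuneCustomRole {
    # Create a custom role from an explicit allow-list of resource actions (assumed body shape).
    param([Parameter(Mandatory)][string]$Name, [string]$Description = "",
          [Parameter(Mandatory)][string[]]$Actions)
    $body = @{
        "@odata.type"   = "#microsoft.graph.roleDefinition"
        displayName     = $Name
        description     = $Description
        isBuiltIn       = $false
        rolePermissions = @(@{
            "@odata.type"   = "microsoft.graph.rolePermission"
            resourceActions = @(@{
                "@odata.type"             = "microsoft.graph.resourceAction"
                allowedResourceActions    = $Actions
                notAllowedResourceActions = @()
            })
        })
    }
    return Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/roleDefinitions" `
        -ContentType "application/json" -Body ($body | ConvertTo-Json -Depth 10)
}

function New-IntuneRoleAssignment {
    # Tie a role to the admin groups (members) and to the user groups they may act on (resourceScopes).
    param([Parameter(Mandatory)][string]$RoleDefinitionId, [Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string[]]$MemberGroupIds, [Parameter(Mandatory)][string[]]$ScopeGroupIds)
    $body = @{
        "@odata.type"               = "#microsoft.graph.deviceAndAppManagementRoleAssignment"
        displayName                 = $Name
        description                 = $Name
        members                     = $MemberGroupIds
        resourceScopes              = $ScopeGroupIds
        "roleDefinition@odata.bind" = "$Graph/deviceManagement/roleDefinitions('$RoleDefinitionId')"
    }
    return Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/roleAssignments" `
        -ContentType "application/json" -Body ($body | ConvertTo-Json -Depth 10)
}

function Show-IntuneRoleAssignments {
    # Review step: list who holds each role and which user groups the assignment is scoped to,
    # and point out assignments that have no scope groups, since the post's model scopes each one.
    $defs = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/roleDefinitions").value
    foreach ($d in $defs) {
        $asg = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/roleDefinitions/$($d.id)/roleAssignments").value
        foreach ($a in $asg) {
            $full   = Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/roleAssignments/$($a.id)"
            $scopes = @($full.resourceScopes)
            $note   = if ($scopes.Count -eq 0) { "  <-- no scope groups, review" } else { "" }
            "{0} / {1}: members={2} scopes={3}{4}" -f $d.displayName, $full.displayName,
                (@($full.members) -join ","), ($scopes -join ","), $note
        }
    }
}

# 1) Custom role = union of two built-in roles' actions (the post's "apps + policies + profiles" case).
$actions  = @(Get-AllowedActions (Get-IntuneRoleDefinition "Policy and Profile Manager"))
$actions += @(Get-AllowedActions (Get-IntuneRoleDefinition "Application Manager"))
New-IntuneCustomRole -Name "Apps and Policies Manager" -Actions ($actions | Sort-Object -Unique) | Out-Null

# 2) The Contoso Helpdesk assignment for Engineering: member group = IT staff, scope group = end users.
$helpdesk = Get-IntuneRoleDefinition "Helpdesk Operator"
New-IntuneRoleAssignment -RoleDefinitionId $helpdesk.id -Name "Helpdesk for Engineers" `
    -MemberGroupIds @(Get-GroupId "Contoso Helpdesk for Engineers") `
    -ScopeGroupIds  @(Get-GroupId "Engineering Department Employees") | Out-Null

Show-IntuneRoleAssignments
```

Reading the custom role’s actions out of the built-in definitions, rather than typing action names, keeps the script tied to what the tenant actually exposes; the final listing is the check to run after any change, because a helpdesk assignment without a scope group does not match the per-department model the post sets up.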
One last topic…
Although not permissions related, sometimes you’ll see messages such as “We’re not quite ready for you yet…” or “Coming Soon”.
These are simply placeholders that indicate we’re making some service updates and we haven’t finalized the update quite yet. There isn’t anything you need to do on your side. Of course, you can always check the What’s New Page to see what’s changed recently.
Table 1 – Intune Role Permissions

The role columns recovered from this copy of the table are: AAD Global Administrator; AAD Intune Service Administrator; "Full" Service Administrator (Silverlight Console only); Policy and Profile Manager; Read Only Operator. The remaining column headings and the empty cells were lost in extraction, so each row below keeps the permission and its "x" marks in their original order.

| Area | Permission | Roles granted (x marks as in the original) |
|---|---|---|
| Apple Enrollment | Create Serial Number | x x x x |
| Apple Enrollment | Delete Serial Number | x x x x |
| Apple Enrollment | Read Serial Number | x x x x x x |
| Apple Enrollment | Update Serial Number | x x x x |
| Corporate Device Identifiers | Create | x x x x |
| Device Compliance Policies | Assign | x x x x |
| Device Enrollment Managers | Read | x x x x x |
| Endpoint Protection Reports | Read | x x x x x |
| Remote Tasks | Bypass Activation Lock | x x x |
| Remote Tasks | Disable Lost Mode | x x x x |
| Remote Tasks | Enable Lost Mode | x x x x |
| Remote Tasks | Enable Windows Intune Agent | x x x x |
| Remote Tasks | Request Remote Assistance | x x x x |
| Terms and Conditions | Assign | x x x |