Hi everyone, I am trying to figure out how to limit the permissions in Intune just to add and remove devices to groups. Any groups would be fine, a specific subset of groups would be better. For the moment I tried: Azure roles: Cloud Device Administrator, without luck. It does not give permissions in Intune (as far as I have seen). Groups Administrator, seems to provide too much rights. Intune roles: HelpDesk Operator, does not seems to work for the job. Would there be a way to achieve this even with PowerShell or limiting the perms of the Groups Administrator role? Any help appreciated, Thanks a lot

@Yop , From your description, I know we want the user can only add or remove members from group. If there's any misunderstanding, please let us know. Based on my research, in Intune, I don't find such custom role. In Azure AD, I find the action "microsoft.directory/groups/members/update" seems to help update the members of groups. There are some built-in roles in Azure AD that contains this action. We can choose one and assign it to the specific users to accomplish our needs. Here is an article for the reference: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator Hope it can help. If the response is helpful, please click "Accept Answer" and upvote it. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Use custom role in Intune Intune > Tenant Admin > Roles > All Roles > Create > scroll down "Manage devices" (See attached screenshot)

Managing membership of cloud groups will fall outside the remit of RBA in Intune. I don’t think you can limit restrictions on a particular group for managing membership in Azure at the moment.

Intune - Limit role to add/remove devices to groups

Yop 81

Hi everyone,

I am trying to figure out how to limit the permissions in Intune just to add and remove devices to groups.

Any groups would be fine, a specific subset of groups would be better.

For the moment I tried:

Azure roles:
Cloud Device Administrator, without luck. It does not give permissions in Intune (as far as I have seen).
Groups Administrator, seems to provide too much rights.
Intune roles:
HelpDesk Operator, does not seems to work for the job.

Would there be a way to achieve this even with PowerShell or limiting the perms of the Groups Administrator role?

Any help appreciated,

Thanks a lot

3 answers

Crystal-MSFT 43,381 Reputation points Microsoft Vendor

2021-03-08T02:42:21.74+00:00

@Yop , From your description, I know we want the user can only add or remove members from group. If there's any misunderstanding, please let us know.

Based on my research, in Intune, I don't find such custom role. In Azure AD, I find the action "microsoft.directory/groups/members/update" seems to help update the members of groups. There are some built-in roles in Azure AD that contains this action. We can choose one and assign it to the specific users to accomplish our needs.

Here is an article for the reference:
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator

Hope it can help.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

1 person found this answer helpful.
Yop 81 Reputation points

2021-03-12T11:12:06.507+00:00

Hi Crystal,

I would like to thank you for your reply.

Indeed, I would like to find a way to just enable a specific user or group of user to add/remove devices from any groups (or better specific groups defining a scope for instance).

Thanks for your suggestion. I have seen this permission in the document you mentioned but I was indeed not able to find/select it when creating a custom role from the Azure portal.
Even with a global admin account.

This permission can be found in other exiting AD roles as well:

Directory Writers but Microsoft says this role has to be used for applications and not users:
"Assign this role only to applications that don’t support the Consent Framework. It should not be assigned to any users."
(https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#directory-writers)

Groups Administrator seems to be focused on users.

I will post the answer if I find anything.

Thanks again,

Regards.

Crystal-MSFT 43,381 Reputation points Microsoft Vendor

2021-03-15T05:48:14.677+00:00

@Yop , Thanks for the reply. Yes, the permission can be in many built in AD roles. I notice you will post back when you find the answer. Thanks for the sharing in advance..

Have a nice day!

Yop 81 Reputation points

2021-08-20T14:41:00.24+00:00

Hi @Crystal-MSFT ,

My apologies for my late reply.

The solution I have found to my question is to create a custom role in Azure AD with the permission: microsoft.directory/groups.security/members/update
It allows the users you have assigned the role to, to add/remove members from groups (in general).
To restrict the add/remove action to a specific group (to suite my needs) I created an administrative unit.

There is also a "Groups administrator" role which permissions to modify groups extend to Office 365 groups which was out of my scope for my usage.

Thanks,

Regards,

Crystal-MSFT 43,381 Reputation points Microsoft Vendor

2021-08-23T05:49:16.667+00:00

@Yop , Thanks for sharing your solution here. I appreciate it. If there's anything else we can discuss together in the future, feel free to post in our Q&A.

Thanks for your time and have a nice day!
Sign in to comment
Pa_D 1,071 Reputation points

2021-03-05T20:18:26.29+00:00

Use custom role in Intune

Intune > Tenant Admin > Roles > All Roles > Create > scroll down "Manage devices" (See attached screenshot)
Please sign in to rate this answer.
Yop 81 Reputation points

2021-03-12T10:40:14.29+00:00

Dear PaD-7009,

Thanks for the reply.

What should be the other permissions then because I do not want the user to be able to access the Tenant Configuration in Intune for instance, nor deploy apps, or even create remove apps, etc...

Thanks again for your help,

Regards.
Sign in to comment
Rahul Jindal [MVP] 9,151 Reputation points MVP

2021-03-07T10:52:23.473+00:00

Managing membership of cloud groups will fall outside the remit of RBA in Intune. I don’t think you can limit restrictions on a particular group for managing membership in Azure at the moment.
Please sign in to rate this answer.
Yop 81 Reputation points

2021-03-12T10:47:43.297+00:00

Hi Rahul,

Thanks for your reply.

Indeed I am afraid.

Roles linked to managed devices can be found both in Azure AD and Intune which does does make thing easier according to me.

In Azure there is the Cloud Device Administrator role which should cover the possibility of changing the device group membership but, in the Intune portal it does not seems to have any effect even if groups and users management are an AAD aspect and not Intune.

So again, I think there is still a room for improvement in terms of Intune / AAD which manage what, where to set which roles/permissions and the panel of permissions you can choose.

Thanks again,

Regards.
Sign in to comment