Step 10: Create and assign a custom role
In this Intune topic, you'll create a custom role with specific permissions for a security operations department. Then you'll assign the role to a group of such operators. There are several default roles that you can use right away. But by creating custom roles like this one, you have precise access control to all parts of your mobile device management system.
Note
Use the information provided in this series of topics to try and evaluate Microsoft Intune. When you're ready, follow the complete process to set up Intune. For more information, see Set up Microsoft Intune.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
- To complete this evaluation step, you must create a group.
Sign in to Intune
Sign in to Intune as a Global Administrator or an Intune Service Administrator. If you have created an Intune Trial subscription, the account you created the subscription with is the Global administrator.
Create a custom role
When you create a custom role, you can set permissions for a wide range of actions. For the security operations role, we'll set a few Read permissions so that the operator can review a device's configurations and policies.
- In Intune, choose Roles > All roles > Add.
- Under Add custom role, in the Name box, enter Security operations.
- In the Description box, enter This role lets a security operator monitor device configuration and compliance information.
- Choose Configure > Corporate device identifiers > Yes next to Read > OK.
- Choose Device compliance policies > Yes next to Read > OK.
- Choose Device configurations > Yes next to Read > OK.
- Choose Organization > Yes next to Read > OK.
- Choose OK > Create.
Assign the role to a group
Before your security operator can use the new permissions, you must assign the role to a group that contains the security user.
- In Intune, choose Roles > All roles > Security operations.
- Under Intune roles, choose Assignments > Assign.
- In the Assignment name box, enter Sec ops.
- Choose Member (Groups) > Add.
- Choose the Contoso Testers group.
- Choose Select > OK.
- Choose Scope (Groups) > Select groups to include > Contoso Testers.
- Choose Select > OK > OK.
Now everyone in the group is a member of the Security operations role and can review the following information about a device: corporate device identifiers, device compliance policies, device configurations, and organization information.
Clean up resources
If you don't want to use the new custom role anymore, you can delete it. Choose Roles > All roles > choose the ellipses next to the role > Delete.
Next steps
In this quickstart, you created a custom security operations role and assigned it to a group. For more information about roles in Intune, see Role-based administration control (RBAC) with Microsoft Intune
To continue to evaluate Microsoft Intune, go to the next step:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for