HerveRichard asked JamesTran-MSFT edited

Intune - Limit role to add/remove devices to groups

Hi everyone,

I am trying to figure out how to limit the permissions in Intune to just adding and removing devices to and from groups.

Any groups would be fine, a specific subset of groups would be better.

For the moment I tried:

  • Azure roles:
    Cloud Device Administrator, without luck. It does not give permissions in Intune (as far as I have seen).
    Groups Administrator, seems to provide too many rights.


  • Intune roles:
    HelpDesk Operator, does not seem to work for the job.

Would there be a way to achieve this, even with PowerShell or by limiting the permissions of the Groups Administrator role?

Any help appreciated,

Thanks a lot
Tags: mem-intune-general, azure-rbac

PaD-7009 answered HerveRichard commented

Use custom role in Intune

Intune > Tenant Admin > Roles > All Roles > Create > scroll down "Manage devices" (See attached screenshot)


[attached screenshot: image.png]


Dear PaD-7009,

Thanks for the reply.

What should the other permissions be then, because I do not want the user to be able to access the Tenant Configuration in Intune for instance, nor deploy apps, or even create/remove apps, etc.

Thanks again for your help,

Regards.

RahulJindal-2267 answered HerveRichard commented

Managing membership of cloud groups will fall outside the remit of RBAC in Intune. I don't think you can limit restrictions on a particular group for managing membership in Azure at the moment.


Hi Rahul,

Thanks for your reply.

Indeed I am afraid.

Roles linked to managed devices can be found both in Azure AD and Intune, which does not make things easier, in my opinion.

In Azure there is the Cloud Device Administrator role, which should cover the possibility of changing device group membership, but in the Intune portal it does not seem to have any effect, even though group and user management is an AAD aspect and not an Intune one.

So again, I think there is still room for improvement in terms of which of Intune / AAD manages what, where to set which roles/permissions, and the range of permissions you can choose from.

Thanks again,

Regards.

Crystal-MSFT answered Crystal-MSFT commented

@HerveRichard, from your description, I understand that you want the user to only be able to add or remove members from groups. If there's any misunderstanding, please let us know.

Based on my research, in Intune I don't find such a custom role. In Azure AD, I find that the action "microsoft.directory/groups/members/update" seems to allow updating the members of groups. There are some built-in roles in Azure AD that contain this action. We can choose one and assign it to the specific users to accomplish our needs.

Here is an article for the reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator

Hope it can help.


Hi Crystal,

I would like to thank you for your reply.

Indeed, I would like to find a way to enable just a specific user or group of users to add/remove devices from any groups (or better, from specific groups, defining a scope for instance).

Thanks for your suggestion. I have seen this permission in the document you mentioned, but I was indeed not able to find/select it when creating a custom role from the Azure portal, even with a global admin account.

This permission can be found in other existing AD roles as well.

I will post the answer if I find anything.

Thanks again,

Regards.


@HerveRichard, thanks for the reply. Yes, the permission can be found in many built-in AD roles. I notice you will post back when you find the answer. Thanks in advance for sharing.

Have a nice day!


Hi @Crystal-MSFT,

My apologies for my late reply.

The solution I have found to my question is to create a custom role in Azure AD with the permission: microsoft.directory/groups.security/members/update
It allows the users you have assigned the role to, to add/remove members from groups (in general).
To restrict the add/remove action to a specific group (to suit my needs), I created an administrative unit.

There is also a "Groups administrator" role whose permissions to modify groups extend to Office 365 groups, which was out of scope for my usage.

Thanks,

Regards,

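The setup described in the comment above (a custom directory role carrying only microsoft.directory/groups.security/members/update, assigned with an administrative unit as its scope) as an added example in Microsoft Graph PowerShell. This is not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed and that the caller can create role definitions and administrative units. The role and AU display names, the group names and the operator's UPN are placeholders. Note that the action covers every member type of a security group (users as well as devices); the AU scope narrows which groups the operator can touch, not what kind of member they can add.

```powershell
# Added example, not from the thread. Builds: custom role -> administrative unit ->
# device groups placed in the AU -> AU-scoped role assignment -> read-back check.
# Names and the UPN below are placeholders.

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'AdministrativeUnit.ReadWrite.All',
                        'Group.Read.All', 'User.Read.All'

# 1. Custom directory role with the single membership-update action.
#    groups.security/... leaves Microsoft 365 groups out, which is why the built-in
#    Groups Administrator role was considered too broad in the thread.
$role = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName 'Device Group Membership Operator' `
    -Description 'Add/remove members of security groups inside the scoped AU only' `
    -IsEnabled:$true `
    -RolePermissions @(
        @{ AllowedResourceActions = @('microsoft.directory/groups.security/members/update') }
    )

# 2. Administrative unit used as the assignment scope. Only groups that are members
#    of this AU are affected by the assignment in step 4.
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'AU - Device Groups (operator scope)'

# 3. Place the device groups the operator may edit into the AU (placeholder names).
foreach ($name in @('Devices - Pilot Ring', 'Devices - Kiosk')) {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $g) { throw "Group '$name' not found; fix the placeholder names first." }
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/groups/$($g.Id)" }
}

# 4. Assign the custom role to the operator, scoped to the AU instead of the tenant ("/").
$operator = Get-MgUser -UserId 'group.operator@contoso.example'   # placeholder UPN
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $operator.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 5. Check: every assignment of this role should show the AU path as its scope,
#    never "/" (which would mean tenant-wide membership rights).
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

Re-run step 5 periodically (or alert on it): an assignment of this role definition whose DirectoryScopeId is "/" means someone re-assigned it at tenant scope, which silently widens the operator's reach to every security group in the directory.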