Create a custom role in Intune

You can create a custom Intune role that includes any permissions required for a specific job function. For example, if an IT department group manages applications, policies, and configuration profiles, you can add all those permissions together in one custom role. After creating a custom role, you can assign it to any users that need those permissions.

To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:

  • Global Administrator
  • Intune Service Administrator

To create a custom role

  1. In the Microsoft Endpoint Manager admin center, choose Tenant administration > Roles > All roles > Create.

  2. On the Basics page, enter a name and description for the new role, then choose Next.

  3. On the Permissions page, choose the permissions you want to use with this role.

  4. On the Scope (Tags) page, choose the tags for this role. When this role is assigned to a user, that user can access resources that also have these tags. Choose Next.

  5. On the Review + create page, when you're done, choose Create. The new role is displayed in the list on the Intune roles - All roles blade.

Copy a role

You can also copy an existing role.

  1. In the Microsoft Endpoint Manager admin center, choose Tenant administration > Roles > All roles > select the checkbox for a role in the list > Duplicate.

  2. On the Basics page, enter a name. Make sure to use a unique name.

  3. All the permissions and scope tags from the original role will already be selected. You can subsequently change the duplicate role's Name, Description, Permissions, and Scope (Tags).

  4. After you've made all the changes that you want, choose Next to get to the Review + create page. Select Create.

Next steps