Role-based access control (RBAC) with Microsoft Intune
Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.
To create, edit, or assign roles, your account must hold one of the following Azure AD roles:
- Global Administrator
- Intune Service Administrator (also known as Intune Administrator)
A role defines the set of permissions granted to users assigned to that role. You can use both built-in and custom roles. Built-in roles cover some common Intune scenarios; you can create your own custom roles with the exact set of permissions you need. Several Azure Active Directory roles also carry permissions to Intune (see the table below). To see a role, choose Intune > Tenant administration > Roles > All roles > choose a role. You can manage the role on the following pages:
- Properties: The name, description, permissions, and scope tags for the role.
- Assignments: A list of role assignments defining which users have access to which users/devices. A role can have multiple assignments, and a user can be in multiple assignments.
You can assign built-in roles to groups without further configuration. You can't delete or edit the name, description, type, or permissions of a built-in role.
- Application Manager: Manages mobile and managed applications, can read device information and can view device configuration profiles.
- Endpoint Security Manager: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint.
- Help Desk Operator: Performs remote tasks on users and devices, and can assign applications or policies to users or devices.
- Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators.
- Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
- Read Only Operator: Views user, device, enrollment, configuration, and application information. Can't make changes to Intune.
- School Administrator: Manages Windows 10 devices in Intune for Education.
You can create your own roles with custom permissions. For more information about custom roles, see Create a custom role.
Azure Active Directory roles with Intune access

| Azure Active Directory role | All Intune data | Intune audit data |
|---|---|---|
| Intune Service Administrator | Read/write | Read/write |
| Conditional Access Administrator | None | None |
| Security Administrator | Read only (full administrative permissions for the Endpoint Security node) | Read only |
| Security Operator | Read only | Read only |
| Security Reader | Read only | Read only |
| Compliance Administrator | None | Read only |
| Compliance Data Administrator | None | Read only |
| Global Reader | Read only | Read only |
| Reports Reader | Read only | None |
Intune also shows three Azure AD extensions (Users, Groups, and Conditional Access); access to these is controlled by Azure AD RBAC, not by Intune roles. The User Account Administrator role only performs Azure AD user and group activities and doesn't have full permissions to perform all activities in Intune. For more information, see RBAC with Azure AD.
A role assignment defines:
- which users are assigned to the role
- what resources they can see
- what resources they can change.
You can assign both custom and built-in roles to your users. To be assigned an Intune role, the user must have an Intune license. To see a role assignment, choose Intune > Tenant administration > Roles > All roles > choose a role > Assignments > choose an assignment. On the Properties page you can edit:
- Basics: The assignment's name and description.
- Members: All users in the listed Azure security groups have permission to manage the users/devices that are listed in Scope (Groups).
- Scope (Groups): All users/devices in these Azure security groups can be managed by the users in Members.
- Scope (Tags): Users in Members can see only the resources that carry one of these scope tags.
Multiple role assignments
If a user holds multiple role assignments, each with its own permissions and scope tags, the assignments combine as follows:
- The Assign permission and its scope tags apply only to the objects (like policies or apps) within that assignment's Scope (Groups). They don't carry over to objects in the user's other role assignments unless the other assignment specifically grants them.
- Other permissions (such as Create, Read, Update, Delete) and scope tags apply to all objects of the same type (like all policies or all apps) in any of the user's assignments. In effect they are pooled across assignments, so adding even a narrow assignment for an object type can widen what the user may do to objects of that type that are visible through another assignment; check the combined result when layering assignments.
- Permissions and scope tags for objects of different types (like policies and apps) don't apply to each other. A Read permission for policies, for example, doesn't provide a Read permission for apps in the user's assignments.
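To make the role-assignment model (Members, Scope (Groups), Scope (Tags)) and the three combination rules above concrete, here is an added example that models them in Python over constructed sample assignments. It is not Intune's own code or API: Intune evaluates these rules server-side, and this script only writes them out so the effect of overlapping assignments can be checked. The object type names, group ids and tag ids are made up, and treating scope-tag visibility as the union of tags across a user's assignments is an assumption drawn from the second rule.

```python
# Illustrative model of how Intune combines a user's role assignments.
# Added example, not Intune code. Object types, group ids and tag ids are invented.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Permission:
    object_type: str  # e.g. "DeviceConfigurations", "MobileApps" (assumed names)
    action: str       # "Create", "Read", "Update", "Delete", "Assign", ...


@dataclass(frozen=True)
class RoleAssignment:
    name: str
    permissions: FrozenSet[Permission]  # granted by the role definition
    members: FrozenSet[str]             # Members: Azure AD group ids whose users hold the role
    scope_groups: FrozenSet[str]        # Scope (Groups): groups the role may act on
    scope_tags: FrozenSet[str]          # Scope (Tags): tag ids the role can see


def assignments_for(user_groups: Iterable[str], assignments: Iterable[RoleAssignment]) -> List[RoleAssignment]:
    """Assignments that apply to a user: any whose Members contain one of the user's groups."""
    groups = set(user_groups)
    return [a for a in assignments if a.members & groups]


def can_assign(user_groups, assignments, object_type: str, target_group: str) -> bool:
    """Rule 1: Assign is bound to the Scope (Groups) of the assignment that grants it."""
    return any(
        Permission(object_type, "Assign") in a.permissions and target_group in a.scope_groups
        for a in assignments_for(user_groups, assignments)
    )


def effective_permissions(user_groups, assignments) -> Dict[str, Set[str]]:
    """Rule 2: non-Assign actions pool across all of the user's assignments, per object type.
    Rule 3: actions on one object type never spill over into another type."""
    pooled: Dict[str, Set[str]] = {}
    for a in assignments_for(user_groups, assignments):
        for p in a.permissions:
            if p.action != "Assign":
                pooled.setdefault(p.object_type, set()).add(p.action)
    return pooled


def can(user_groups, assignments, object_type: str, action: str, object_scope_tags: Iterable[str]) -> bool:
    """Can the user perform a CRUD-style action on an object carrying the given scope tags?
    Assumption: scope tags pool across assignments the same way the actions do (rule 2)."""
    if action == "Assign":
        raise ValueError("Assign is scoped per assignment; use can_assign()")
    mine = assignments_for(user_groups, assignments)
    visible_tags = set().union(*(a.scope_tags for a in mine))
    granted = action in effective_permissions(user_groups, assignments).get(object_type, set())
    return granted and bool(visible_tags & set(object_scope_tags))


def perm(object_type: str, *actions: str) -> FrozenSet[Permission]:
    return frozenset(Permission(object_type, a) for a in actions)


# Constructed sample data: two policy assignments that overlap on Members, plus one app assignment.
ASSIGNMENTS = [
    RoleAssignment(
        name="Policy managers - EMEA",
        permissions=perm("DeviceConfigurations", "Create", "Read", "Update", "Delete", "Assign"),
        members=frozenset({"grp-emea-policy-admins"}),
        scope_groups=frozenset({"grp-emea-devices"}),
        scope_tags=frozenset({"tag-emea"}),
    ),
    RoleAssignment(
        name="Policy readers - APAC",
        permissions=perm("DeviceConfigurations", "Read"),
        members=frozenset({"grp-emea-policy-admins", "grp-apac-helpdesk"}),
        scope_groups=frozenset({"grp-apac-devices"}),
        scope_tags=frozenset({"tag-apac"}),
    ),
    RoleAssignment(
        name="App readers - APAC",
        permissions=perm("MobileApps", "Read"),
        members=frozenset({"grp-apac-helpdesk"}),
        scope_groups=frozenset({"grp-apac-devices"}),
        scope_tags=frozenset({"tag-apac"}),
    ),
]

# Alice was meant to have full control of EMEA policies and read-only access to APAC policies.
ALICE = {"grp-emea-policy-admins"}

if __name__ == "__main__":
    print("pooled actions:", effective_permissions(ALICE, ASSIGNMENTS))
    print("assign policy to APAC devices:", can_assign(ALICE, ASSIGNMENTS, "DeviceConfigurations", "grp-apac-devices"))
    print("update an APAC-tagged policy:", can(ALICE, ASSIGNMENTS, "DeviceConfigurations", "Update", {"tag-apac"}))
    print("read an APAC-tagged app:", can(ALICE, ASSIGNMENTS, "MobileApps", "Read", {"tag-apac"}))
```

Running it shows the least-privilege trap in rule 2: the read-only APAC assignment cannot let Alice assign policies to APAC device groups (rule 1), and it gives her nothing on apps (rule 3), but because Update from the EMEA assignment and the tag-apac visibility from the APAC assignment are pooled per object type, she can update APAC-tagged policies even though neither assignment alone intended that.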