Add users and grant administrative permission to Intune

As an administrator, you can add users directly or synchronize users from your on-premises Active Directory. Once added, users can enroll devices and access company resources. You can also give users additional permissions including global administrator and service administrator permissions.

Add users to Intune

You can manually add users to your Intune subscription via the Microsoft 365 admin center or the Microsoft Endpoint Manager admin center. An administrator can edit user accounts to assign Intune licenses. You can assign licenses in either the Microsoft 365 admin center or the Microsoft Endpoint Manager admin center. For more information on using the Microsoft 365 admin center, see Add users individually or in bulk to the Microsoft 365 admin center.

Add Intune users in the Microsoft 365 admin center

  1. Sign in to Microsoft 365 admin center with a global administrator or user management administrator account.
  2. In the Microsoft 365 menu, select Users > Active users > Add a user.
  3. Provide the following user details:
    • First name
    • Last name
    • Display name
    • User name - User principal name (UPN) stored in Azure Active Directory and used to sign in to the service.
    • Password - Autogenerate or create.
  4. Choose Next.
  5. On the Assign product licenses page, select a Location and then choose a license for this user. A license including Intune is required.
  6. Choose Next.
  7. On the Optional settings page, you have the option to:
    • Assign the new user additional roles (by default the new user is given the User role).
    • Provide profile information.
  8. Choose Next.
  9. On the Review and finish page, select Finish adding to add the user. Choose Close to close the Add a user page.

Add Intune users in the Azure portal

  1. In the Microsoft Endpoint Manager admin center, choose Users > All users > New user > Create user.
  2. Specify the following user details:
    • User name - The new name that the user will use to sign in to Azure Active Directory.
    • Name - The user's given name.
  3. Choose whether you want to create the password for the new user or have it autogenerated.
  4. To assign the new user to groups (optional), choose 0 groups selected to open the Groups pane. Here you can select the groups you want to assign to the user. When finished selecting groups, choose Select.
  5. By default, the new user is assigned the role of User. If you want to add roles to the user, select User under Groups and roles. In the Directory roles pane, select the roles you want to assign to the user and then choose Select.
  6. If you want to block the user from signing in, you can select Yes for Block sign in. Make sure to switch this back to No when you're ready to let the user sign in.
  7. Choose a Usage location for the new user. Usage location is required before you can assign the new user an Intune license.
  8. Optionally, you can provide information for the Job title, Department, Company name, and Manager fields.
  9. Select Create to add the new user to Intune.

Grant admin permissions

After you've added users to your Intune subscription, we recommend that you grant a few users administrative permission. To grant admin permissions, follow these steps:

Give admin permissions in Microsoft 365

  1. Sign in to the Microsoft 365 admin center with a global administrator account > select Users > Active users > choose the user to give admin permissions.
  2. In the user pane, choose Manage roles under Roles.
  3. In the Manage roles pane, choose the admin permission to grant from the list of available roles.
  4. Choose Save changes.

Give admin permissions in the Azure portal

  1. Sign in to the Microsoft Endpoint Manager admin center with a global administrator account > Users > then choose the user you want to give admin permissions.
  2. Select Assigned roles > Add assignments.
  3. In the Directory roles pane, select the roles you want to assign to the user > Add.

Types of administrators

Assign users one or more administrator permissions. These permissions define the administrative scope for users and the tasks they can manage. Administrator permissions are shared across the different Microsoft cloud services, but some services might not support every permission. Both the Azure portal and the Microsoft 365 admin center list limited administrator roles that aren't used by Intune. Intune administrator permissions include the following options:

  • Global administrator - (Microsoft 365 and Intune) Accesses all administrative features in Intune. By default, the person who signs up for Intune becomes a Global admin. Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization. As a best practice, we recommend that only a few people in your company have this role to reduce the risk to your business.
  • Password administrator - (Microsoft 365 and Intune) Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users.
  • Service support administrator - (Microsoft 365 and Intune) Opens support requests with Microsoft, and views the service dashboard and message center. They have "view only" permissions except for opening support tickets and reading them.
  • Billing administrator - (Microsoft 365 and Intune) Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • User administrator - (Microsoft 365 and Intune) Resets passwords, monitors service health, adds and deletes user accounts, and manages service requests. The user administrator can't delete a global admin, create other admin roles, or reset passwords for other admins.
  • Intune administrator - Has all the Intune permissions of a Global administrator except the permission to create administrators by assigning directory roles.

The account you use to create your Microsoft Intune subscription is a global administrator. As a best practice, don't use a global administrator for day-to-day management tasks. An administrator doesn't require an Intune license to access Intune in the Azure portal, but certain management tasks, such as setting up the Exchange service connector, do require an Intune license.

To access the Microsoft 365 admin center, your account must have sign-in allowed. In the Azure portal under Profile, set Block sign in to No to allow access. This status is separate from holding a license for the subscription. By default, all user accounts are allowed to sign in. Users without administrator permissions can use the Microsoft 365 admin center to reset Intune passwords.
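As an added example (not Microsoft's code), the following Python script checks an exported list of directory roles against the practices described in this section: only a few Global administrators, no admin role held by an account whose sign-in is blocked, and the narrower Intune administrator role rather than Global administrator for day-to-day work. It assumes the export has the shape of the Microsoft Graph directoryRoles resource with members expanded (displayName, plus a members list carrying userPrincipalName and accountEnabled); the sample data and the threshold of three global admins are constructed assumptions.

```python
"""Audit Azure AD admin role membership against the guidance on this page."""
from collections import defaultdict

# Assumption: "a few" global admins means at most three; tune for your tenant.
MAX_GLOBAL_ADMINS = 3
GLOBAL_ADMIN = "Global Administrator"

# Constructed sample in the shape of Graph directoryRoles with members expanded.
SAMPLE_ROLES = [
    {"displayName": GLOBAL_ADMIN, "members": [
        {"userPrincipalName": "breakglass@contoso.example", "accountEnabled": True},
        {"userPrincipalName": "alice@contoso.example", "accountEnabled": True},
        {"userPrincipalName": "bob@contoso.example", "accountEnabled": True},
        {"userPrincipalName": "carol@contoso.example", "accountEnabled": False},
    ]},
    {"displayName": "Intune Administrator", "members": [
        {"userPrincipalName": "alice@contoso.example", "accountEnabled": True},
        {"userPrincipalName": "dave@contoso.example", "accountEnabled": True},
    ]},
    {"displayName": "User Administrator", "members": [
        {"userPrincipalName": "erin@contoso.example", "accountEnabled": True},
    ]},
]


def audit_roles(roles, max_global_admins=MAX_GLOBAL_ADMINS):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    roles_by_user = defaultdict(set)
    for role in roles:
        for member in role["members"]:
            upn = member["userPrincipalName"]
            roles_by_user[upn].add(role["displayName"])
            # A blocked account still holding a role is stale privilege: remove the
            # role, or re-enable sign-in deliberately when the person returns.
            if not member["accountEnabled"]:
                findings.append(f"{upn}: holds {role['displayName']} but sign-in is blocked")
    global_admins = [r["members"] for r in roles if r["displayName"] == GLOBAL_ADMIN]
    ga_count = len(global_admins[0]) if global_admins else 0
    if ga_count > max_global_admins:
        findings.append(f"{ga_count} global admins exceeds the limit of {max_global_admins}")
    # Global admin plus a narrower role: do day-to-day work with the narrower one.
    for upn, held in sorted(roles_by_user.items()):
        narrower = sorted(held - {GLOBAL_ADMIN})
        if GLOBAL_ADMIN in held and narrower:
            findings.append(f"{upn}: Global Administrator plus {narrower}; "
                            "use the narrower role for daily tasks")
    return findings
```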

Sync Active Directory and add users to Intune

You can configure directory synchronization to import user accounts from your on-premises Active Directory to Microsoft Azure Active Directory (Azure AD), which includes Intune users. Connecting your on-premises Active Directory with all of your Azure AD-based services makes managing user identity much simpler. You can also configure single sign-on features to make the authentication experience for your users familiar and easy. By linking the same Azure AD tenant with multiple services, the user accounts that you have previously synchronized are available to all cloud-based services.

How to sync on-premises users with Azure AD

The only tool that you need to synchronize your user accounts with Azure AD is the Azure AD Connect wizard. The Azure AD Connect wizard provides a simplified and guided experience for connecting your on-premises identity infrastructure to the cloud. Choose your topology and needs (single or multiple directories, password hash sync, pass-through authentication, or federation). The wizard deploys and configures all components required to get your connection up and running, including the sync services, Active Directory Federation Services (AD FS), and the Azure AD PowerShell module.

Tip

Azure AD Connect encompasses functionality that was previously released as Dirsync and Azure AD Sync. Learn more about directory integration. To learn about syncing user accounts from a local directory to Azure AD, see Similarities between Active Directory and Azure AD.