Microsoft Adds Role-Based Access Control to Intune

Microsoft this week announced the addition of role-based access control (RBAC) capabilities to its Intune mobile management service.

RBAC is already available to System Center Configuration Manager (SCCM) users and to Azure Active Directory (AD) users. Intune's RBAC builds on Azure AD groups and directory roles, so some of what it offers comes directly from Azure AD rather than from Intune itself.

Intune and Azure AD Roles
Organizations using Intune get access to four "high-level" Azure AD administrative roles. The roles differ mainly on two points: whether the holder can manage all of Intune, and whether the holder can change Conditional Access settings. Here are the four Azure AD roles, as described in Microsoft's announcement:

  • Global Administrator/Company Administrator: users in this role have access to all administrative features in Azure AD, including conditional access. They can also manage all of Intune.
  • User Administrator: users in this role can manage users and groups but cannot manage all of Intune.
  • Intune Service Administrator: users in this role can manage all of Intune, including management of users and devices, as well as group creation and management. This role does not allow for management of Azure AD's Conditional Access settings.
  • Conditional Access Administrator: users in this role can manage Azure AD's Conditional Access policies, but not all of Intune.

It's possible to assign one or more roles to a single individual, explained Dave Randall, a senior program manager on the Intune team, in a blog post. However, permissions granted through Azure AD directory roles apply broadly across the various Office 365 services, not just Intune. To limit the scope, permissions can be assigned within each Office 365 service instead. Here's how Randall described it:

Azure AD Directory Roles provide full access to one or more services (Exchange, Intune, SharePoint, etc.). If you want finer grained controls and not full access to the service, each service offers its own roles with more fine-grained permissions specific to the service's features.

Built-In Intune Roles
IT departments also can assign permissions using the five built-in roles in Intune, according to Microsoft's announcement:

  • Policy and Profile Manager: users in this role have rights to manage configuration and compliance policies.
  • Application Manager: users in this role have rights to manage mobile and Intune managed app protection policies.
  • Helpdesk Operator: users in this role have rights to manage tasks appropriate for end-user service desk support personnel.
  • Read Only Operator: users in this role have rights to view Intune information without the ability to change configurations and policies.
  • Intune Role Administrator: users in this role have rights to manage Intune Roles.

These five built-in Intune roles are supposed to mimic the job roles found in IT departments. The specific permissions are outlined in detail in Randall's blog post in a long table. The role assignments have licensing implications. Randall noted that "administrators with an Intune role require an Intune license."

Organizations can't change Intune's built-in roles, but they can create custom roles with their own permission sets. A custom role can contain "any permissions required for a job function," Randall explained, which is how an organization applies least privilege where a built-in role grants more than a job needs.

Organizations also can automate RBAC assignments. That's done using the Microsoft Graph API, either directly or from PowerShell scripts.

There's only one RBAC rollout caveat. Randall noted that some permissions, such as "Read Only" or "Helpdesk," will not migrate when moving from the "classic" Silverlight-based Intune user interface to the Intune interface within the Azure Portal. In such cases, organizations should "reassign your service administrators to new Intune roles and remove them from the old portal" or "assign them to one of the Azure AD directory roles as appropriate," he noted.
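The following PowerShell script is an added example, not code from the article or from Microsoft, of the automation the previous paragraphs describe: it enumerates Intune role definitions over Microsoft Graph, creates a custom role from a subset of the built-in Read Only Operator's permissions, assigns the built-in Helpdesk Operator role to a group, and then lists every assignment so that nobody is left depending on a role that did not carry over from the classic portal. It assumes an access token in $env:GRAPH_TOKEN for an app or user holding the DeviceManagementRBAC.ReadWrite.All Graph permission; the two group IDs and the "Compliance" filter used to pick permissions for the custom role are placeholders chosen for illustration.

```powershell
# Added example (not from the article or Microsoft). Assumes $env:GRAPH_TOKEN holds a bearer
# token with DeviceManagementRBAC.ReadWrite.All; group IDs below are placeholders.
$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $env:GRAPH_TOKEN"; 'Content-Type' = 'application/json' }

$HelpdeskGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder: Azure AD group of service desk staff
$ScopeGroupId    = '00000000-0000-0000-0000-000000000002'   # placeholder: group of users/devices they may act on

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink so paged results are not silently truncated.
    $items = @()
    while ($Uri) {
        $page  = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# 1. Enumerate role definitions. Built-in roles (isBuiltIn = true) can be assigned but not edited.
$roles = Get-GraphCollection "$Graph/deviceManagement/roleDefinitions"
$roles | Select-Object displayName, isBuiltIn, id | Format-Table -AutoSize

# Match on a whitespace-insensitive name; Microsoft spells it "Help Desk Operator".
$helpdeskRole = $roles | Where-Object { ($_.displayName -replace '\s', '') -eq 'HelpDeskOperator' }
$readOnlyRole = $roles | Where-Object { ($_.displayName -replace '\s', '') -eq 'ReadOnlyOperator' }
if (-not $helpdeskRole -or -not $readOnlyRole) { throw 'Expected built-in Intune roles were not found' }

# 2. Create a custom role holding only the permissions a job function needs. Rather than
#    hard-coding permission names, copy the Read Only Operator's allowed actions and keep
#    the subset matching a pattern (the 'Compliance' filter is illustrative).
$subset = $readOnlyRole.rolePermissions.resourceActions.allowedResourceActions |
          Where-Object { $_ -match 'Compliance' }
if (-not $subset) { throw 'No permissions matched the filter; refusing to create an empty role' }

$customRole = @{
    '@odata.type'   = '#microsoft.graph.roleDefinition'
    displayName     = 'Compliance Policy Reader (custom)'
    description     = 'Read-only view of compliance policies, created by automation'
    isBuiltIn       = $false
    rolePermissions = @(@{
        resourceActions = @(@{
            allowedResourceActions    = @($subset)
            notAllowedResourceActions = @()
        })
    })
} | ConvertTo-Json -Depth 6
$created = Invoke-RestMethod -Method Post -Uri "$Graph/deviceManagement/roleDefinitions" -Headers $Headers -Body $customRole
Write-Host "Created custom role $($created.displayName) ($($created.id))"

# 3. Assign the built-in Helpdesk Operator role to the service desk group, scoped to $ScopeGroupId
#    so the role can only be exercised against members of that group.
$assignment = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Service desk - Help Desk Operator'
    description                 = 'Created by automation'
    'roleDefinition@odata.bind' = "$Graph/deviceManagement/roleDefinitions/$($helpdeskRole.id)"
    members                     = @($HelpdeskGroupId)
    scopeMembers                = @($ScopeGroupId)
} | ConvertTo-Json -Depth 4
Invoke-RestMethod -Method Post -Uri "$Graph/deviceManagement/roleAssignments" -Headers $Headers -Body $assignment | Out-Null

# 4. Post-migration check: list every assignment with the role it grants and the groups it
#    targets. Compare this against who held Read Only or Helpdesk rights in the classic
#    portal and reassign anyone who is missing.
Get-GraphCollection "$Graph/deviceManagement/roleAssignments" | ForEach-Object {
    $def = Invoke-RestMethod -Method Get -Uri "$Graph/deviceManagement/roleAssignments/$($_.id)/roleDefinition" -Headers $Headers
    [pscustomobject]@{
        Assignment = $_.displayName
        Role       = $def.displayName
        Members    = ($_.members -join ', ')
        Scope      = ($_.scopeMembers -join ', ')
    }
} | Format-Table -AutoSize
```

Two points worth keeping in mind when running something like this: the token must come from an identity that itself holds an Intune role with rights over roles (the Intune Role Administrator role, or an Azure AD role such as Intune Service Administrator), and every member of the groups you assign needs an Intune license, per the licensing note above.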

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
