Microsoft Adds Role-Based Access Control to Intune
- By Kurt Mackie
- August 16, 2017
Microsoft this week announced the addition of role-based access control (RBAC) capabilities to its Intune mobile management service.
This RBAC capability is already available for System Center Configuration Manager (SCCM) users, as well as for Azure Active Directory (AD) users. Intune's RBAC capability is specifically enhanced via Azure AD's groups and directory roles, so it comes with some of those capabilities.
Intune and Azure AD Roles
Organizations using Intune get access to four "high-level" Azure AD administrative roles. The roles typically vary on whether all of Intune can be managed, as well as whether there's access to Conditional Access service settings. Here are the four Azure AD roles, as described in Microsoft's announcement:
- Global Administrator/Company Administrator: users in this role have access to all administrative features in Azure AD, including conditional access. They can also manage all of Intune.
- User Administrator: users in this role can manage users and groups but cannot manage all of Intune.
- Intune Service Administrator: users in this role can manage all of Intune, including management of users and devices, as well group creation and management. This role does not allow for management of Azure AD's Conditional Access settings.
- Conditional Access Administrator: users in this role can manage Azure AD's Conditional Access policies, but not all of Intune.
It's possible to assign one or more roles to a single individual, explained Dave Randall, a senior program manager on the Intune team, in a blog post. However, the permissions assigned using the Azure AD roles act broadly across the various Office 365 services. To limit the scope, permissions can be assigned for each Office 365 service instead. Here's how Randall described it:
Azure AD Directory Roles provide full access to one or more services (Exchange, Intune, SharePoint, etc.). If you want finer grained controls and not full access to the service, each service offers its own roles with more fine-grained permissions specific to the service's features.
Built-In Intune Roles
IT departments also can assign permissions using the five built-in roles in Intune, according to Microsoft's announcement:
- Policy and Profile Manager: users in this role have rights to manage configuration and compliance policies.
- Application Manager: users in this role have rights to manage mobile and Intune managed app protection policies.
- Helpdesk Operator: users in this role have rights to manage tasks appropriate for end-user service desk support personnel.
- Read Only Operator: users in this role have rights to view Intune information without the ability to change configurations and policies.
- Intune Role Administrator: uses in this role have rights to manage of Intune Roles.
These five built-in Intune roles are supposed to mimic the job roles found in IT departments. The specific permissions are outlined in detail in Randall's blog post in a long table. The role assignments have licensing implications. Randall noted that "administrators with an Intune role require an Intune license."
Organizations can't change Intune's built-in roles, but they can create customized permissions. The customized permissions can contain "any permissions required for a job function," Randall explained.
Organizations also can automate RBAC assignments. That's done using the Microsoft Graph API or PowerShell scripts.
There's only one RBAC rollout caveat. Randall noted that some permissions, such as "Read Only" or "Helpdesk," will not migrate when moving from the "classic" Silverlight-based Intune user interface to the Intune interface within the Azure Portal. In such cases, organizations should "reassign your service administrators to new Intune roles and remove them from the old portal" or "assign them to one of the Azure AD directory roles as appropriate," he noted.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.