Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The information in this article can help you assign users Microsoft Intune built-in or custom role-based access control (RBAC) roles to users who administer your Intune subscription. RBAC roles are assigned to groups, and not individual users.
Before you assign roles to groups, ensure you have sufficient groups for the different Intune administrative tasks, and review the membership of those groups. Each member of a group that is assigned an RBAC role receives the permissions granted by that role. Permissions from multiple groups are cumulative for a user and there are no options to deny specific permissions. However, you can use Scope Tags with RBAC to limit the scope of what different groups of individuals can view and manage.
Important
Microsoft advises against using accounts with Intune Administrator-level permissions for daily management when lesser-privileged roles suffice. However, Intune Administrator permissions are necessary during initial Intune setup for tasks such as:
- Add users to Intune who serve as your Intune administrators. (See Add users)
- Create groups of users that share similar administrative duties. (See Add groups)
- Assign RBAC roles to groups of users, providing each group with only the permissions required to carry out their daily tasks. (This article)
After you complete these steps, switch to an account with only the permissions needed for ongoing administration to uphold the principle of least privilege.
RBAC permissions required to assign roles
To manage RBAC roles and assignments in Intune, your account must have one of the following permission sets:
The Intune built-in role of Intune Role Administrator. Least privileged built-in role
A custom role that includes the following categories and category permissions:
Roles:
- Assign
- Create
- Delete
- Read
- Update
Organization:
- Read
Deploy Intune role assignments
Before you deploy Intune roles, be familiar with About Intune role assignments which provides details about several aspects of Intune role assignements.
Sign in to the Microsoft Intune admin center and go to Tenant administration > Roles > All roles.
On the Intune roles - All roles page, you can find all Intune roles that are available to assign in your Tenant. Each role has a Type that identifies it as either a Built-in Role provided by Intune or a Custom Intune role created by your organization.
Select the role you want to assign and then select Assignments > + Assign.
On the Basics page, enter an Name and optional Description, and then select Next.
On the Admin Groups page, select Add groups and then choose a group that contains the users you want to assign the roles permissions to.
Tip
When you assign a role to a group, every member of that group receives the permissions granted by that role. Only assign roles to groups for which you know the membership, and which don't include users that shouldn't receive the administrative privileges provided by the role.
Select Next.
On the Scope (Groups) page, add groups that contain only the users or devices that the members of the Admin Groups you selected in the previous step should be allowed to manage. Then, select Next.
Note
The All users and All devices groups are Intune virtual groups, not Microsoft Entra security groups. Therefore, you can't use them as parents for Microsoft Entra security groups in Scope (Groups) assignments. To assign All users and All devices and specific Microsoft Entra security groups, add them separately. Otherwise, admins won't have access to specific Microsoft Entra user groups even if the role’s Scope (Groups) is set to All Users.
Nesting is supported for Microsoft Entra security groups.
On the Scope (Tags) page, choose tags where this role assignment is applied. Select Next.
Note
When you define scope groups and then assign a scope tag, admins can only target groups that are listed in the Scope (Groups) of the role assignment.
On the Review + Create page, when you're done, select Create.
The new assignment is displayed in the list of assignments.