Assign a role to an Intune user

You can assign a built-in or custom role to an Intune user.

To create, edit, or assign roles, your account must have one of the following permissions in Microsoft Entra ID:

  • Global Administrator
  • Intune Service Administrator

  1. In the Microsoft Intune admin center, choose Tenant administration > Roles > All roles.

  2. In the Endpoint Manager roles - All roles page, choose the built-in role you want to assign > Assignments > + Assign.

  3. On the Basics page, enter an Assignment name and optional Assignment description, and then choose Next.

  4. On the Admin Groups page, select the group that contains the user you want to give the permissions to. Choose Next.

  5. On the Scope (Groups) page, choose a group containing the users/devices that the member you selected is allowed to manage. You can also choose All users and/or All devices. Choose Next.


    All users and All devices are Intune virtual groups, not Microsoft Entra security groups. As a result, for Scope (Groups) assignment purposes you cannot use them as parents of Microsoft Entra security groups. If you need both All users and All devices and specific Microsoft Entra security groups for Scope (Groups) assignments, you must add them separately with separate assignments. Otherwise, even if the Scope (Groups) assignment for a role is set to All users, the admin in this role won't have access to specific Microsoft Entra user groups.

    For Microsoft Entra security groups, nesting is supported.

  6. On the Scope (Tags) page, choose tags where this role assignment is applied. Choose Next.

  7. On the Review + Create page, when you're done, choose Create. The new assignment is displayed in the list of assignments.


    When you create scope groups and assign a scope tag, you can only target groups that are listed in the Scope (Groups) of your role assignment.
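The same assignment can be scripted through Microsoft Graph so that the admin group and the Scope (Groups) target are explicit and reviewable. This is an added example, not part of the original procedure: it assumes the Microsoft.Graph.Authentication module is installed, the role, group and assignment names are placeholders, and it does not set scope tags or follow result paging.

```powershell
# Added example. All names below are placeholders; replace them with your own.
$RoleName       = 'Help Desk Operator'        # role to assign (step 2)
$AdminGroupName = 'Example-Helpdesk-Admins'   # Admin Groups (step 4)
$ScopeGroupName = 'Example-Managed-Devices'   # Scope (Groups) (step 5)
$Graph          = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All', 'Group.Read.All'

# Resolve a Microsoft Entra group by display name and refuse ambiguous matches,
# so the assignment cannot silently land on the wrong group.
function Get-SingleGroupId([string]$Name) {
    $filter = [uri]::EscapeDataString("displayName eq '$($Name.Replace("'", "''"))'")
    $uri    = "$Graph/groups?`$filter=$filter&`$select=id,displayName"
    $hits   = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one group named '$Name', found $($hits.Count)."
    }
    return $hits[0].id
}

# Find the role definition by display name (first page of results only).
$roles = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/roleDefinitions").value
$role  = @($roles | Where-Object { $_.displayName -eq $RoleName })
if ($role.Count -ne 1) {
    throw "Expected exactly one role named '$RoleName', found $($role.Count)."
}

$adminGroupId = Get-SingleGroupId $AdminGroupName
$scopeGroupId = Get-SingleGroupId $ScopeGroupName

# members = who receives the role; resourceScopes = what they may manage.
$body = @{
    displayName                 = 'Example helpdesk assignment'
    description                 = 'Help desk operators scoped to one device group'
    members                     = @($adminGroupId)
    resourceScopes              = @($scopeGroupId)
    'roleDefinition@odata.bind' = "$Graph/deviceManagement/roleDefinitions('$($role[0].id)')"
} | ConvertTo-Json

$created = Invoke-MgGraphRequest -Method POST -Body $body -ContentType 'application/json' `
    -Uri "$Graph/deviceManagement/roleAssignments"

# Read the assignment back so the stored members and scope can be reviewed.
Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/roleAssignments/$($created.id)" |
    ForEach-Object { "{0}: members={1} scope={2}" -f $_.displayName,
        ($_.members -join ','), ($_.resourceScopes -join ',') }
```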
