Helpdesk Administrator is unable to change Primary user on a device using Intune.

shawn 21 Reputation points
2024-02-13T18:49:46.58+00:00

Our Helpdesk Administrator is unable to change the primary user for a device using Intune, although they were able to before. Has something changed with Intune or Microsoft Entra that would stop this Administrator role from doing this?


3 answers

  1. Michael Morten Sonne 585 Reputation points MVP
    2024-02-13T19:54:20.2766667+00:00

    Hi shawn,

    As I can see in the documentation at https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator, and from what I can read in the description of the role in my Entra ID portal, most of the access scopes are "/read" (read only), and the only ones with permission to do something are listed here:

    - microsoft.directory/users/invalidateAllRefreshTokens (PRIVILEGED): Force sign-out by invalidating user refresh tokens
    - microsoft.directory/users/password/update (PRIVILEGED): Reset passwords for all users
    - microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health
    - microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets
    - microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Service Health in the Microsoft 365 admin center
    - microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Microsoft 365 service requests

    As far as I can see, and from what I remember from my time using Entra ID (Azure AD) and Intune, no changes were made, as this role has nothing to do with Intune/devices :) A role that gives what is needed is required.


  2. Crystal-MSFT 48,001 Reputation points Microsoft Vendor
    2024-02-14T02:27:29.85+00:00

    @shawn, Thanks for posting in Q&A. Based on my research, I find "Managed Devices/Set primary user" has been added to built-in roles including Helpdesk Operator, School Administrator, and Endpoint Security Manager. To use this feature, we need to have this privilege assigned.

    https://techcommunity.microsoft.com/t5/intune-customer-success/change-the-intune-primary-user-public-preview-now-available/ba-p/1221264

    I notice the Helpdesk Administrator is the role in Microsoft Entra. Please also assign one of the above roles in Intune to change the primary user.


    https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control

    Hope the above information can help.




  3. Crystal-MSFT 48,001 Reputation points Microsoft Vendor
    2024-03-05T05:45:05.8066667+00:00

    @shawn, Thanks for the update. I am glad the issue is resolved. A custom role is also a good option when we grant limited permissions in Intune. You can choose either the built-in one or the role you created.

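The point made in the second and third answers (an Entra directory role such as Helpdesk Administrator does not carry Intune device permissions; only an Intune RBAC role, built-in or custom, whose definition allows "Managed devices / Set primary user" does) can be verified in a tenant with the Microsoft Graph PowerShell SDK. The script below is an added audit example, not code from the thread or from Microsoft: it lists every Intune role definition that allows the action and then checks whether a given user reaches one of those roles through a role assignment's group membership. It assumes the Graph resource-action name is `Microsoft.Intune_ManagedDevices_SetPrimaryUser` (passed as `$Action` so it can be adjusted to what your tenant's role definitions actually list) and that the Graph SDK is installed.

```powershell
# Added audit example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK.
# Assumption: the Graph resource action for "Managed devices / Set primary user" is
# named as in $Action; compare against the allowedResourceActions your tenant returns.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $Action = 'Microsoft.Intune_ManagedDevices_SetPrimaryUser'
)

$graph = 'https://graph.microsoft.com/v1.0'
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'User.Read.All', 'GroupMember.Read.All' | Out-Null

# 1. Intune role definitions (built-in and custom) whose permissions include the action.
$roles = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions" -OutputType PSObject).value
$granting = $roles | Where-Object {
    @($_.rolePermissions | ForEach-Object { $_.resourceActions.allowedResourceActions }) -contains $Action
}
Write-Host "Intune roles that allow $Action :"
$granting | ForEach-Object { Write-Host ("  {0} (builtIn={1})" -f $_.displayName, $_.isBuiltIn) }

# 2. Intune role assignments place Entra groups in scope, not users, so resolve the
#    user's transitive group memberships and intersect them with each assignment's members.
$user       = Get-MgUser -UserId $UserPrincipalName -Property Id
$userGroups = @((Get-MgUserTransitiveMemberOf -UserId $user.Id -All).Id)

$assignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments" -OutputType PSObject).value
$effective = foreach ($a in $assignments) {
    $def = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments/$($a.id)/roleDefinition" -OutputType PSObject
    if ($granting.id -notcontains $def.id) { continue }          # assignment is for a role without the action
    if (@($a.members) | Where-Object { $userGroups -contains $_ }) {
        [pscustomobject]@{ Role = $def.displayName; Assignment = $a.displayName }
    }
}

if ($effective) {
    $effective | Format-Table -AutoSize
} else {
    # Matches the thread: an Entra role alone (Helpdesk Administrator) never shows up here,
    # because Intune checks its own role assignments for this action.
    Write-Host "$UserPrincipalName holds no Intune role assignment that allows $Action."
}
```

Run it as `.\Check-SetPrimaryUser.ps1 -UserPrincipalName helpdesk@contoso.example` (a constructed UPN) after installing the SDK; an empty result for a user who only holds the Entra Helpdesk Administrator role is the expected outcome described in the answers.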
