Microsoft Intune Roles

Question

Microsoft Intune Roles

Eduards 771

Hello,

I created custom Microsoft Intune Role.

I want that users which will be assigned to this roles can only see Android Dedicated devices and operate only with them.

We also have "Personally owned work-profile" devices in Intune and we want to separate data between Intune administrators.

I tried to configure setting but users that are assigned to custom Android role still see work-profile devices.

Is there some information about what permission should i enable/disable so i achieve my goal?

Thank you!

Answer 1

Lu Dai-MSFT 28,191

@Eduards Thanks for posting in our Q&A. From your description, I know that you want to get a role that only see Android Dedicated devices and operate only with them. If there is any misunderstanding, feel free to let us know.

For the user can only manage the test device in Intune portal, here are the detailed steps for a reference:
1.Create a user group and add a test user to this user group A.

2.Create a device group and add the target device to this device group B.

3.Create a scope tag in Tenant Administrator > Roles > Scope (Tags) and assign to the device group B

4.Create a custom role in Tenant Administrator > Roles > All roles, set Permission for this role, choose Scope tags.

5.Choose the custom role we created, select Assignments to add Role Assignment, configure Admin Groups, users in these group will have permissions to manage users/devices in the Scope (Groups), configure Scope groups and select scope tags

6.When I login intune portal with the test user, I only see this target device.

The following link for the reference:
https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags

Hope it can help.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Eduards 771 Reputation points

2020-12-21T09:15:02.437+00:00

Thank you for the answer @Lu Dai-MSFT .

So basically i can't configure settings what i mentioned in my question?
Lu Dai-MSFT 28,191 Reputation points

2020-12-21T09:44:00.12+00:00

@Eduards Thanks for your response.

Yes, currently, we can't configure settings mentioned in your question.
Eduards 771 Reputation points

2020-12-28T09:58:42.14+00:00

Hello @Lu Dai-MSFT

And what about Scope tags and scope groups?

Can i do something with this?
Lu Dai-MSFT 28,191 Reputation points

2020-12-29T06:50:24.067+00:00

@Eduards Thanks for the reply. Based on my research, for Scope groups, the users/devices in this group can be managed by the users in the Admin Groups. For scope tags, it determine which objects admins can see.

Based on my test, when I add the test device into a group which is added into scope groups, I find the user in the admin group I configured can only manage the test device in Intune portal. For the detailed steps, I have modified in my first Answer. We can refer to it. For our situation, I think we can try to add the devices into different groups with different enrollment method, use Scope tags, Scope groups to see if it can meet our requests.
Eduards 771 Reputation points

2020-12-29T09:07:22.467+00:00

Thank you @Lu Dai-MSFT this is what i needed!
Lu Dai-MSFT 28,191 Reputation points

2020-12-29T09:17:15.47+00:00

@Eduards You're welcome. If you have any problem in the future, welcome to post in our Q&A.

Thanks and have a nice day. : )

Microsoft Intune Roles

0 additional answers

Activity