@crib bar Thanks for posting in our Q&A.
For roles in Intune, Global Administrator and Intune Service Administrator (also known as Intune Administrator) have the highest permission. So, it is necessary to limit the number of these two roles.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control
For example, if you just want a user to have the permission to read the data in the Intune portal, but you give the user the Global Administrator role, this user will edit or delete everything in the Intune portal.
For other roles, the details are in the following article:
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#all-roles
Which roles and permissions you need depends on what management and limitation your organization needs.
Hope it will help.
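
Added example, not part of the original answer: one way to audit who currently holds the two highest-privilege roles named above, using the Microsoft Graph PowerShell SDK. The `$MaxHolders` ceiling and the function name `Get-HighPrivilegeHolder` are assumptions made for illustration.

```powershell
# Requires the Microsoft.Graph PowerShell module and an account that is
# allowed to read directory role membership in the tenant.

# The two highest-privilege roles named in the answer above.
$HighPrivilegeRoles = 'Global Administrator', 'Intune Administrator'

# Assumption: per-role ceiling chosen for illustration; use your own policy value.
$MaxHolders = 4

function Get-HighPrivilegeHolder {
    param([Parameter(Mandatory)][string[]]$RoleName)

    # Get-MgDirectoryRole returns only roles that have been activated in the tenant.
    $roles = Get-MgDirectoryRole | Where-Object { $_.DisplayName -in $RoleName }

    foreach ($role in $roles) {
        # Lists current (active) members only. A group assigned to the role shows
        # up as one 'group' entry; its members are not expanded here.
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            [pscustomobject]@{
                Role       = $role.DisplayName
                ObjectType = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
                Name       = $m.AdditionalProperties['displayName']
                UPN        = $m.AdditionalProperties['userPrincipalName']
                ObjectId   = $m.Id
            }
        }
    }
}

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'

$holders = @(Get-HighPrivilegeHolder -RoleName $HighPrivilegeRoles)
$holders | Sort-Object Role, Name | Format-Table Role, ObjectType, Name, UPN -AutoSize

# Flag any role whose holder count exceeds the ceiling.
foreach ($g in $holders | Group-Object Role) {
    if ($g.Count -gt $MaxHolders) {
        Write-Warning "$($g.Name): $($g.Count) holders exceeds the limit of $MaxHolders"
    }
}

# Flag identities that hold both roles; one of the two is usually redundant.
$holders | Group-Object ObjectId | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "$($_.Group[0].Name) holds: $($_.Group.Role -join ', ')"
}
```

Accounts that only need to read data in the Intune portal and appear in this output are candidates for a lower-privilege role from the articles linked above.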