What permissions we need to show and rotate local password of devices?

Question

What permissions we need to show and rotate local password of devices?

Gus-0185 125

Hello,

I'm trying to create a custom role to allow our Helpdesk to see/rotate the local administrator password from Entra or Intune without having to use Intune Administrator Role (too much permisssions). For starter, I am trying to allow them to see the password, but even with the following permissions : microsoft.directory/deviceLocalCredentials/password/read & microsoft.directory/deviceLocalCredentials/standard/read they can't see it (see screenshots below)

User's image Is it possible to give read / rotate access without giving Intune Administrator? Or at least give read access on either Entra or Intune center. If so, how?

Thank you very much!

Gus

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Marcin Policht 81,395 MVP Volunteer Moderator

Refer to https://learn.microsoft.com/en-us/intune/intune-service/remote-actions/device-rotate-local-admin-password?pivots=windows

To run this remote action, use an account with at least one of the following roles:

Custom role that includes:
- The permission Remote tasks/Rotate Local Admin Password
- Permissions that provide visibility into and access to managed devices in Intune (for example, Organization/Read, Managed devices/Read)

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Gus-0185 125 Reputation points

2026-02-23T18:30:01.27+00:00

Hello Marcin,

It is working for Entra but they still don't have access to Intune for some reason.. I will keep troubleshooting.

Thanks!
Gus
Marcin Policht 81,395 Reputation points MVP Volunteer Moderator

2026-02-23T22:43:32.6366667+00:00

Start by granting a more privileged role in Intune - and verify it works as intended. If so, create a custom role based on the working one and remove individual permissions one by one. In addition, verify that scopes do not interfere.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Gus-0185 125 Reputation points

2026-02-26T19:44:33.4766667+00:00

Hello Marcin,

So It is working for my test user (Entra and Intune) but not my admin accounts (Only able to see in Entra) even though they have the exact same permissions. The only difference I can think would be licenses. Do we need any specific licenses to access Intune?

Thank you :)

Gus
Marcin Policht 81,395 Reputation points MVP Volunteer Moderator

2026-02-26T20:06:36.9533333+00:00

Yep - Intune is a licensed product. https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/licenses

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Gus-0185 125 Reputation points

2026-02-26T20:16:13.4466667+00:00

Thanks Marcin, I also found this : https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/unlicensed-admins I will try again in a few hours now that admins should not need a license.

Thank you for your help on this!

Gus
Marcin Policht 81,395 Reputation points MVP Volunteer Moderator

2026-02-26T20:30:30.2133333+00:00

You're welcome

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

What permissions we need to show and rotate local password of devices?

0 additional answers

Your answer