Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.
To create, edit, or assign roles, your account must have one of the following permissions in Microsoft Entra ID:
A role defines the set of permissions granted to users assigned to that role. You can use both the built-in and custom roles. Built-in roles cover some common Intune scenarios. You can create your own custom roles with the exact set of permissions you need. Several Microsoft Entra roles have permissions to Intune. To see a role in the Intune admin center, go to Tenant administration > Roles > All roles > choose a role. You can manage the role on the following pages:
Note
To administer Intune, you must have an Intune license assigned. Alternatively, you can allow non-licensed users to administer Intune by setting Allow access to unlicensed admins to Yes.
You can assign built-in roles to groups without further configuration. You can't delete or edit the name, description, type, or permissions of a built-in role.
You can create your own roles with custom permissions. For more information about custom roles, see Create a custom role.
Microsoft recommends following the principle of least privilege: assign only the minimum permissions an administrator needs to perform their duties. Global Administrator and Intune Service Administrator are privileged roles, and their assignment should be limited.
| Microsoft Entra role | All Intune data | Intune audit data |
|---|---|---|
| Global Administrator | Read/write | Read/write |
| Intune Service Administrator | Read/write | Read/write |
| Conditional Access Administrator | None | None |
| Security Administrator | Read only (full administrative permissions for Endpoint Security node) | Read only |
| Security Operator | Read only | Read only |
| Security Reader | Read only | Read only |
| Compliance Administrator | None | Read only |
| Compliance Data Administrator | None | Read only |
| Global Reader (This role is equivalent to the Intune Help Desk Operator role) | Read only | Read only |
| Helpdesk administrator (This role is equivalent to the Intune Help Desk Operator role) | Read only | Read only |
| Reports Reader | None | Read only |
Tip
Intune also shows three Microsoft Entra extensions: Users, Groups, and Conditional Access, which are controlled using Microsoft Entra RBAC. Additionally, the User Account Administrator only performs Microsoft Entra user/group activities and does not have full permissions to perform all activities in Intune. For more information, see RBAC with Microsoft Entra ID.
A role assignment defines:
You can assign both custom and built-in roles to your users who are administrators in Intune. To be assigned an Intune role, the user must have an Intune license. To see a role assignment, choose Intune > Tenant administration > Roles > All roles > choose a role > Assignments > choose an assignment. On the Properties page, you can edit:
Note
Scope tags are freeform text values that an administrator defines and then adds to a role assignment. A scope tag added to a role controls the visibility of the role itself; a scope tag added to a role assignment limits the visibility of Intune objects (such as policies and apps) or devices to the administrators in that role assignment, because only objects carrying one or more matching scope tags are shown to them.
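As an added illustration of the matching rule in the note above (example code, not part of the Intune documentation or product), the following model computes which Intune objects an administrator can see from the scope tags on their role assignments. The admins, role names, tags and objects are constructed sample values; the model covers only the assignment-to-object tag match described here, not role-level scope tags or the permissions granted by each role.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleAssignment:
    admin: str               # administrator the assignment applies to
    role: str                # Intune role (built-in or custom)
    scope_tags: frozenset    # scope tags attached to this assignment

@dataclass(frozen=True)
class IntuneObject:
    name: str
    kind: str                # "policy", "app" or "device"
    scope_tags: frozenset    # scope tags stamped on the object

def visible_objects(admin, assignments, objects):
    """Names of objects the admin can see: an object is visible when at least one
    of the admin's role assignments carries a scope tag the object also carries."""
    tags = set()
    for a in assignments:
        if a.admin == admin:
            tags |= a.scope_tags
    return sorted(o.name for o in objects if o.scope_tags & tags)

def admins_who_can_see(obj, assignments):
    """Reverse check for an access review: which admins have an assignment whose
    scope tags overlap the object's scope tags."""
    return sorted({a.admin for a in assignments if a.scope_tags & obj.scope_tags})

# Constructed sample data (hypothetical admins, tags and objects; not from a real tenant).
ASSIGNMENTS = [
    RoleAssignment("alice", "Help Desk Operator", frozenset({"Seattle"})),
    RoleAssignment("alice", "Custom: Policy editor", frozenset({"Seattle", "Portland"})),
    RoleAssignment("bob", "Help Desk Operator", frozenset({"London"})),
]
OBJECTS = [
    IntuneObject("Wi-Fi Seattle", "policy", frozenset({"Seattle"})),
    IntuneObject("VPN London", "policy", frozenset({"London"})),
    IntuneObject("Office apps", "app", frozenset({"Seattle", "London"})),
    IntuneObject("Laptop-042", "device", frozenset({"Portland"})),
]

if __name__ == "__main__":
    for admin in ("alice", "bob", "carol"):
        print(admin, "sees", visible_objects(admin, ASSIGNMENTS, OBJECTS))
    print("Office apps visible to", admins_who_can_see(OBJECTS[2], ASSIGNMENTS))
```

Running it shows alice's two assignments combining into visibility over Seattle and Portland objects, while carol, who has no assignment, sees nothing.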
If a user has multiple role assignments, permissions, and scope tags, those role assignments extend to different objects as follows: