Summary

In this module, you learned how to implement a secure delegation model in Microsoft Intune using Role-Based Access Control (RBAC) and scope tags.

What you learned

Configure RBAC roles

  • RBAC controls what actions an admin can perform. Scope tags control which objects are visible to them.
  • Built-in roles cover common scenarios: Policy and Profile Manager, Help Desk Operator, Application Manager, and others.
  • Custom roles let you build a granular permission set when no built-in role fits.

Assign roles and permissions

  • Direct assignment grants a role to an individual user. It works for emergency break-glass accounts but is hard to manage at scale.
  • Group-based assignment is the recommended approach. Assign the role to a role-assignable Entra ID security group, then manage membership to grant or revoke access.
  • Role assignments bind three elements: the admin group (members), the user/device groups they can target (scope groups), and the scope tags that filter their object visibility.

Set up scoped administration

  • Create scope tags in Tenant administration > Roles > Scope (Tags).
  • Apply tags to configuration profiles, compliance policies, and apps. Remove the Default tag from any object you want to hide from general admins.
  • Create a role assignment that connects the admin group, their target scope, and the matching scope tag.

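The three steps above describe scope-tag visibility: an admin sees an object only when one of the object's tags matches a tag in their role assignment, and an object that keeps the Default tag stays visible to every admin whose assignment includes Default. The following Python model, added here as an example and not code from Microsoft Learn or Intune, makes that rule explicit and adds the check a practitioner would run after tagging: find objects that carry a custom tag but were never stripped of Default. The object and assignment shapes are simplified assumptions, not the Intune API.

```python
from dataclasses import dataclass

DEFAULT_TAG = "Default"


@dataclass(frozen=True)
class IntuneObject:
    """Simplified model of a profile, policy or app and its scope tags (assumed shape)."""
    name: str
    kind: str            # e.g. "configurationProfile", "compliancePolicy", "app"
    scope_tags: frozenset


@dataclass(frozen=True)
class RoleAssignment:
    """Simplified model of a role assignment: the admin group and its scope tags."""
    admin_group: str
    scope_tags: frozenset


# Constructed inventory for illustration only.
INVENTORY = [
    IntuneObject("Baseline Wi-Fi", "configurationProfile", frozenset({DEFAULT_TAG})),
    # Tagged for Marketing but Default was never removed: still visible to general admins.
    IntuneObject("Marketing Teams app", "app", frozenset({DEFAULT_TAG, "Marketing"})),
    IntuneObject("Marketing BitLocker", "configurationProfile", frozenset({"Marketing"})),
]

MARKETING_ADMINS = RoleAssignment("Intune-Marketing-Admins", frozenset({"Marketing"}))
GENERAL_ADMINS = RoleAssignment("Intune-General-Admins", frozenset({DEFAULT_TAG}))


def visible_objects(assignment, inventory):
    """Objects the assignment can see: any shared tag makes the object visible."""
    return [o for o in inventory if o.scope_tags & assignment.scope_tags]


def objects_still_carrying_default(inventory):
    """Objects that were given a custom tag but still carry Default.

    These are the objects the module tells you to fix: until Default is removed,
    scoping them to a custom tag hides nothing from Default-scoped admins.
    """
    return [
        o for o in inventory
        if DEFAULT_TAG in o.scope_tags and (o.scope_tags - {DEFAULT_TAG})
    ]


if __name__ == "__main__":
    for a in (MARKETING_ADMINS, GENERAL_ADMINS):
        names = [o.name for o in visible_objects(a, INVENTORY)]
        print(f"{a.admin_group} sees: {names}")
    print("Still carrying Default:", [o.name for o in objects_still_carrying_default(INVENTORY)])
```

Running the block shows the Marketing Teams app in both admins' views, and the check lists it as the one object whose Default tag should be removed before the scoping is effective.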
Monitor and audit admin actions

  • Audit logs record every create, modify, delete, and assign action, including who did it and when.
  • Operational logs track system behavior such as enrollment failures. Reviewing both together helps identify whether a recent admin change caused a broader issue.
  • Export logs manually as CSV for targeted investigations, or use Diagnostic settings to route logs continuously to a Log Analytics workspace, a storage account, or a SIEM tool.
  • Combine Intune audit logs with Microsoft Entra PIM activation logs to confirm that changes happened during an approved window.
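The last point, correlating Intune audit entries with PIM activation records, is a small join on actor and time: a change is "covered" when the actor had an active PIM activation whose window contains the change's timestamp. The Python below is an added example, not code from Microsoft Learn or an Intune feature; the records are constructed, and the field names (activityDateTime, actor, activity, principal, activatedDateTime, expirationDateTime) are assumptions standing in for whatever your export or SIEM schema uses. It flags every change with no covering activation, which is the list an investigator reviews first.

```python
from datetime import datetime

# Constructed sample records for illustration; field names are assumptions.
INTUNE_AUDIT = [
    {"activityDateTime": "2024-05-06T09:12:00Z", "actor": "alice@contoso.example",
     "activity": "Patch DeviceConfiguration", "target": "Marketing BitLocker"},
    # Same admin, but 21:40 is after her activation expired at 12:55.
    {"activityDateTime": "2024-05-06T21:40:00Z", "actor": "alice@contoso.example",
     "activity": "Delete DeviceCompliancePolicy", "target": "Finance compliance"},
    # No PIM activation at all for this actor.
    {"activityDateTime": "2024-05-06T10:05:00Z", "actor": "bob@contoso.example",
     "activity": "Create RoleAssignment", "target": "HelpDesk-Marketing"},
]

PIM_ACTIVATIONS = [
    {"principal": "Alice@contoso.example", "role": "Intune Administrator",
     "activatedDateTime": "2024-05-06T08:55:00Z",
     "expirationDateTime": "2024-05-06T12:55:00Z"},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp as exported by the portal ('...Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def activation_windows(activations):
    """Index PIM activations by lower-cased principal -> list of (start, end, role)."""
    windows = {}
    for a in activations:
        windows.setdefault(a["principal"].lower(), []).append(
            (parse_ts(a["activatedDateTime"]), parse_ts(a["expirationDateTime"]), a["role"])
        )
    return windows


def covering_role(entry, windows):
    """Return the activated role that covers this audit entry, or None."""
    t = parse_ts(entry["activityDateTime"])
    for start, end, role in windows.get(entry["actor"].lower(), []):
        if start <= t <= end:
            return role
    return None


def changes_outside_approved_window(audit, activations):
    """Audit entries whose actor had no active PIM activation at the time of the change."""
    windows = activation_windows(activations)
    return [e for e in audit if covering_role(e, windows) is None]


if __name__ == "__main__":
    for e in changes_outside_approved_window(INTUNE_AUDIT, PIM_ACTIVATIONS):
        print(f"UNAPPROVED {e['activityDateTime']} {e['actor']} {e['activity']} -> {e['target']}")
```

With a manual CSV export, load the rows with csv.DictReader and map the column names onto the keys above; actor matching is case-insensitive because UPN casing differs between the two sources. An entry can be flagged for two different reasons (activation expired, or no activation ever), and both surface in the same list.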