Intune role permission to view 'Default Device Compliance Policy'

Phil 96 Reputation points
2024-07-11T10:50:56.2133333+00:00

Hi,

Please can someone advise which Intune role permission is required to allow visibility of the 'Default Device Compliance Policy' under the Device compliance page?

I have an RBAC role (assigned to a scope tag), with Read and View reports allowed for 'Device compliance policies':

User's image

However, a user assigned this role can only see the policies scoped to the role and does not see the 'Default Device Compliance Policy':

User's image

Compared with a full admin:

User's image

It seems like the kind of thing I would expect to be possible. Does anyone know how?

Thanks

Microsoft Intune Compliance
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities. Compliance: Adhering to rules, standards, policies, and laws.

1 answer

  1. glebgreenspan 1,525 Reputation points
    2024-07-11T13:04:51.6366667+00:00

    Hello Phil

    The Default Device Compliance Policy is not a policy that can be viewed by Intune users with a standard RBAC role, even if they have the necessary permissions. The Default Device Compliance Policy is a special policy that is automatically applied to devices when they are enrolled in Intune, and it's not intended to be managed or viewed directly by users.

    The reason why full admins can see it is because they have the necessary permissions to view all device compliance policies, including the default one. The Device compliance policies permission only grants access to view policies created by users, not the default one.

    To allow users to view the default device compliance policy, you would need to assign them the View all device compliance policies permission, which is only available on the built-in Intune Device Administrator role.

    Alternatively, you could also consider creating a custom role with the necessary permissions and assigning it to your user. This way, you can grant them the specific permissions they need without having to assign them the full Intune Device Administrator role.

    Keep in mind that the Default Device Compliance Policy is not meant to be modified or managed directly by users, so even if your user has the necessary permissions, they should not attempt to modify or delete it.

    I hope this helps clarify things! Let me know if you have any further questions.
