In this post we will discuss how to create custom RBAC roles in Intune and assign them to specific groups.
RBAC Roles
Intune RBAC (Role-Based Access Control) roles refer to the predefined roles in Microsoft Intune that determine the permissions and actions that users can perform within the Intune service. RBAC allows administrators to grant appropriate levels of access and control to different users or groups based on their roles and responsibilities. In Microsoft Intune, there are several built-in RBAC roles that can be assigned to users or groups. Each role has different levels of permissions and access rights, allowing administrators to assign appropriate roles to users based on their responsibilities and requirements within the Intune environment. Additionally, Intune also provides the flexibility to create custom RBAC roles with specific permissions tailored to unique organizational needs.
Intune Built-In Roles
Let’s suppose that we want to give a user or a user group specific permissions in Intune, such as viewing device info, performing actions like wipe or delete, or importing Autopilot hashes. Although Intune, as mentioned above, provides specific built-in roles, we can create our own to meet specific requirements that may arise.
As we can see, there are many built-in roles, such as Intune Role Administrator (the Intune admin, a very powerful role) and Help Desk Operator. To see the specific actions allowed for each role, click the desired role and explore its properties.
Custom Role Creation
Let’s suppose that we want to create a new custom role that allows a specific user group to perform specific actions related to Windows devices on the Intune platform.
The actions that we want to be allowed are:
- Read device information
- Upload device hardware hash
- Perform sync actions
The below Microsoft articles provide us with useful information:
Let’s create the role. First navigate to Intune portal and the Tenant Admin blade. Click Roles and create.
Give a name and a description to your custom role and proceed further.
Now we can see all the available permissions. Scroll through them to familiarize yourself with them.
Looking through the permissions, the first one that interests us is Device compliance policies. We would like to allow the members of the Device support group to read (only read, not edit) the compliance policies of a device, so select Yes for the Read permission.
The Autopilot part of the custom role requires enabling several permissions, as shown below. Note that creating a custom role is a trial-and-error process: several attempts are usually needed before the desired result is achieved.
The next action that we want to allow is reading the managed devices information and state. To do this we have to allow Read permission in the Managed devices section.
Finally, the sync action can be allowed by enabling the Sync devices task under Remote tasks.
After selecting the desired permissions, select a scope tag if needed, and create the role.
Now that the role is created we have to assign it to a user group. Open the role and click Assign.
Give a name and a description to the role.
In the next step select the user group that you want to assign the role to. It is imperative to mention here that the users in the selected group should have an Intune license assigned. I created a user group named “Intune – Device Support Group” for this role.
At the next stage we have to select the Scope Groups, which essentially corresponds to the items that this role will be able to manage. The scope group can be:
- Specific device or user group (we choose device or user group depending on the permissions type)
- All users
- All devices
In this case we choose All devices, since we want our users to have visibility into, and the ability to manage, all of our devices. A stricter approach would be to limit the scope by selecting a specific device group, such as a group containing only Windows devices.
The assignment is now ready.
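As an added example (not code from the original post), the following Python builds the Microsoft Graph request body for the role created above and audits any role definition for destructive actions before it is assigned to the Device support group. The resource action names are assumptions based on the Graph roleDefinition schema; verify them against the resource operations listed in your own tenant.

```python
import json

# Constructed permission set matching the post: read compliance policies,
# read managed devices, manage Autopilot (enrollment program) devices, sync.
# These action names are assumptions; confirm them in your tenant.
DEVICE_SUPPORT_ACTIONS = [
    "Microsoft.Intune_DeviceCompliancePolices_Read",
    "Microsoft.Intune_ManagedDevices_Read",
    "Microsoft.Intune_EnrollmentProgram_Read",
    "Microsoft.Intune_EnrollmentProgram_Create",
    "Microsoft.Intune_EnrollmentProgram_Update",
    "Microsoft.Intune_RemoteTasks_SyncDevice",
]

# Actions a read/sync support role should never carry (defender's deny-list).
DESTRUCTIVE_SUFFIXES = ("_Delete", "_Wipe", "_Retire", "_ResetPasscode")


def build_role_definition(name, description, actions):
    """Return the JSON body for POST /beta/deviceManagement/roleDefinitions."""
    return {
        "@odata.type": "#microsoft.graph.roleDefinition",
        "displayName": name,
        "description": description,
        "isBuiltIn": False,
        "rolePermissions": [{
            "resourceActions": [{
                "allowedResourceActions": list(actions),
                "notAllowedResourceActions": [],
            }],
        }],
    }


def audit_role_definition(role):
    """Return allowed actions that look destructive; an empty list means clean."""
    allowed = [a for perm in role.get("rolePermissions", [])
               for ra in perm.get("resourceActions", [])
               for a in ra.get("allowedResourceActions", [])]
    return [a for a in allowed if a.endswith(DESTRUCTIVE_SUFFIXES)]


if __name__ == "__main__":
    role = build_role_definition("Device Support",
                                 "Read devices, upload Autopilot hash, sync",
                                 DEVICE_SUPPORT_ACTIONS)
    print(json.dumps(role, indent=2))
    print("destructive actions found:", audit_role_definition(role))
```

Run the audit against role definitions fetched from Graph as well, so an existing custom role that quietly gained a wipe or delete permission is caught before it is scoped to all devices.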
In this post we created a custom role that allows a specific user group to view device information, perform sync actions and upload Autopilot hardware hashes.