Microsoft Intune in the Azure portal preview – Part – 8 (Role Based Access Control)

Intune has now introduced Role Based Access Control in the new Azure portal.

The following roles are built into Intune and you can either customize these roles, or assign them to groups with no further configuration.

  • Intune Administrator – Has full permissions for all Intune operations.
  • Application Manager – Manage and deploy applications and profiles.
  • Configuration Policy Manager – Manage and deploy configuration settings and profiles.
  • Helpdesk Operator – Perform remote tasks and view user and device information.
  • Read Only Operator – View information in the Intune portal without the ability to make changes.

A detailed list of the custom role settings is available here –

Custom role settings reference

When you create a custom role, you can configure one or more of the following settings:

Device configurations

  • Assign – Assign device profiles to groups.
  • Create – Create device profiles.
  • Delete – Delete device profiles.
  • Read – Read device profiles and their properties.
  • Update – Update existing device profiles.

Managed apps

  • Assign – Assign managed apps to groups.
  • Create – Add new managed apps to Intune.
  • Delete – Delete managed apps.
  • Read – Read managed apps and their properties.
  • Update – Update existing managed apps.
  • Wipe – Wipe managed apps from devices.

Managed devices

  • Delete – Delete managed devices from Intune.
  • Read – View information about managed devices in the Intune portal.
  • Update – Update information about managed devices.

Mobile apps

  • Assign – Assign mobile apps to groups.
  • Create – Add new mobile apps to Intune.
  • Delete – Delete mobile apps.
  • Read – Read mobile apps and their properties.
  • Update – Update existing mobile apps.

Organization

  • Read – Read tenant settings.
  • Update – Update tenant settings.

Remote tasks

  • Bypass Activation Lock – Remove the activation lock from an iOS device without the user’s Apple ID and password.
  • Disable Lost Mode – Disable Lost Mode. Lost Mode lets you specify a message and a phone number that will be displayed on the lock screen of the device.
  • Enable Lost Mode – Enable Lost Mode. Lost Mode lets you specify a message and a phone number that will be displayed on the lock screen of the device.
  • Locate Device
  • Reboot Now – Causes the device to restart.
  • Remote Lock – Locks a device. The device owner must use their passcode to unlock it.
  • Reset Passcode – Generates a new passcode for the device, which will be displayed on the Overview blade.
  • Retire – Removes only company data managed by Intune. Does not remove personal data from the device.
  • Wipe – Returns the device to its default settings.

Telecom expenses

  • Read – Read Telecom Expense Management (TEM) settings.
  • Update – Update Telecom Expense Management (TEM) settings.

Terms and conditions

  • Assign – Assign terms and conditions to groups.
  • Create – Create terms and conditions settings.
  • Delete – Delete terms and conditions settings.
  • Read – Read terms and conditions settings in the Intune portal.
  • Update – Update existing terms and conditions settings.

How to define a custom role in the Intune portal –

  1. In the Azure portal, choose More Services > Intune > Intune Roles.

  2. Click Add Custom and provide the role name, description and the permissions the role should have.

  3. Assign the custom role to an admin group.
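As an added example (not part of the original post), the Python check below reviews a custom role definition against the permission names from the settings reference before it is assigned in step 3: it flags permission names the portal does not offer and permissions that wipe data, strip a device protection or change tenant settings. The sample roles and the high-impact classification are constructed assumptions for this example.

```python
# Added example, not from the original post: a least-privilege check for custom role
# definitions. CATALOG follows the settings reference above; the sample roles and the
# HIGH_IMPACT selection are this example's own assumptions.
CATALOG = {
    "Device configurations": {"Assign", "Create", "Delete", "Read", "Update"},
    "Managed apps": {"Assign", "Create", "Delete", "Read", "Update", "Wipe"},
    "Managed devices": {"Delete", "Read", "Update"},
    "Mobile apps": {"Assign", "Create", "Delete", "Read", "Update"},
    "Organization": {"Read", "Update"},
    "Remote tasks": {"Bypass Activation Lock", "Disable Lost Mode", "Enable Lost Mode",
                     "Locate Device", "Reboot Now", "Remote Lock", "Reset Passcode", "Retire", "Wipe"},
    "Telecom expenses": {"Read", "Update"},
    "Terms and conditions": {"Assign", "Create", "Delete", "Read", "Update"},
}

# Actions that remove data, strip a device protection or change tenant-wide settings
HIGH_IMPACT = {
    ("Managed apps", "Wipe"), ("Managed devices", "Delete"), ("Organization", "Update"),
    ("Remote tasks", "Wipe"), ("Remote tasks", "Retire"),
    ("Remote tasks", "Bypass Activation Lock"), ("Remote tasks", "Reset Passcode"),
}

def review_role(name, permissions):
    """Return findings for one role; permissions is {category: [action, ...]}."""
    findings = []
    for category, actions in permissions.items():
        if category not in CATALOG:  # typo or a category the portal does not offer
            findings.append(f"{name}: unknown category '{category}'")
            continue
        for action in actions:
            if action not in CATALOG[category]:
                findings.append(f"{name}: '{action}' is not a {category} permission")
            elif (category, action) in HIGH_IMPACT:
                findings.append(f"{name}: high-impact permission {category}/{action}")
    return findings

def is_read_only(permissions):
    """True when every granted action is Read, the shape of an audit-only role."""
    return all(a == "Read" for acts in permissions.values() for a in acts)

# Constructed sample roles: a narrow helpdesk role and an over-broad packaging role
ROLES = {
    "Tier1 Helpdesk": {"Managed devices": ["Read"],
                       "Remote tasks": ["Remote Lock", "Reboot Now", "Locate Device"]},
    "App Packager": {"Mobile apps": ["Create", "Update", "Assign"],
                     "Managed apps": ["Create", "Update", "Wipe"], "Organization": ["Update"]},
}

if __name__ == "__main__":
    print({role: review_role(role, perms) for role, perms in ROLES.items()})
```

The helpdesk role passes clean, while the packaging role is reported for Managed apps/Wipe and Organization/Update, the two grants a reviewer would want justified before the group assignment in step 3.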