By implementing RBAC in Intune you can configure who can see what and perform which actions in Intune. This can be achieved by using RBAC in Intune. For example you can use it to configure the following situations:
- Help desk employees can only view devices, but are not allowed to remove devices from Intune.
- The system engineer from the London office is only able to view and edit configuretions and devices for the London office and not the office in Amsterdam or New York.
In the roles, you configure what permissions a user has within Intune. These roles can be applied on two levels. First you have the Azure Active Directory roles with Intune access. Examples of these roles are the Global and Intune administrator. These roles are assigned in Azure and provide rights in Intune. Roles which have been assigned in Azure cannot be limited by Intune RBAC rules. Second there are the roles which are assigned in Intune. Using these roles you can assign rights to specific parts in Intune for situations described above. In Intune you can use the Built-in roles, but you can also create custom roles where you can control which permissions a user will get in Intune.
In addition to roles, a key component in RBAC is the application of scopes. A role only defines what a member of that role is allowed to do within Intune, but you may also want to limit the policies or devices that the user is allowed to see or change. You can do this by assigning scope tags and scope groups. By applying scope tags you can specify which resources can be seen by a member. For example, if you only want to show the device profiles of the London office you can add a tag to these profiles. By using scope groups, you can define which users or devices are allowed to be managed by a member. For example, if a member is only allowed to assign policies to a particular group, then you can assign this group as the scope group.
Assigning a role consists of several steps. It begins with selecting a role or creating a custom role. Next, an assignment of the role is made. The third step is to assign the admin group. Once that is done a scope can be assigned ranging from a single group to all users/devices. The last step is to select the resource tags that should be visible to the members.
In this demonstration I will show how to create a custom role and assigning it to a member group. I will create a role based on the “Help Desk Operator” role for the 2nd line support. This role will then be assigned to scope for a specific office location (Amsterdam Office). This ensures that support staff will only be able to manage policies and devices for this location.
Creating a custom role
1. Login to the MEM admin center and select Tenant administration -> Roles -> All roles or click here. Either select an existing role and press “Duplicate” or press “+ Create”. I will select the “Help Desk Operator” role and press “Duplicate”
2. Enter the name for the new role and an (optional) description. Press “Next” to continue.
3. Edit the permissions for example allow the assigning of Device configurations. This will allow members of the role to add or remove device configuration assignments to (scope) groups. Press “Next” to continue.
4. Assign an additional Scope tag or change the default Scope tag to the new role. By default, the “default” scope tag is added to all untagged objects that support scope tags. Press “Next” to continue.
5. Create the new role by pressing the “Create” button.
By default, role members see all intune resources. As indicated under “Scopes” you can modify this by tagging resources. To do this, a Tag must first be created and then added to the resources that are allowed to be seen by members.
6. Select Tenant administration -> Roles -> Scope (Tags) or click here. Press “+ Create” to create a new Scope tag.
7. Enter a name for the new scope tag and press “Next”
8. Select the group(s) containing the devices you want to assign the new scope tag.
9.Press “Create” to add the new Scope tag to Intune.
10. Now we need to assign the Scope tags to the resources. Because I’ve created a scope tag for the Amsterdam Office, I will associate the tag to the resources associated to the Amsterdam Office. In this demo there are only two device configuration profiles associated to the Amsterdam Office.
11. Edit the both device configuration profiles and add the scope tag. Press “Review + save” to save the added tag.
Assign a role
In this step we are going to assign the the new “2nd Line Support” role to members of the 2nd Line support. I have already created a security group “2nd Line Support Amsterdam” containing all second line support employees for the Amsterdam Office. These employees will only be able to manage devices and resources with the “Amsterdam Office” tag. You can use the same role for multiple assignments with different tags and admin members. In this way, for example, you could support multiple locations.
12. Go to the newly created “2nd Line Support” role and select “Assignments”. Press “+ Assign” to create a new assignment.
13. Enter a name for the assignment and add a (optional) Description. Press “Next” to continue.
14. Select the admin groups these are the groups containing the administrators you want to assign the role to. Press “Next” to continue.
15. Select the Scope Groups for the role assignment. You can also select all devices/users if you don’t want to use scope groups. The Scope Groups are the groups which can be managed by the members of the Admin group(s) in the previous step. Press “Next” to continue.
16. Add the scope tag(s) of the resources that should be allowed to be seen by the admin group. Press “Next” to continue.
17. Review your settings and press “Create” to create the role assignment.
Test RBAC in Intune
Now let’s see what happens when you try to log in with a member of the admin group. For this test I will use the user Hank who is a member of the security group “2nd Line Support Amsterdam”.
18. Whoops an error… If you try to log in with a user immediately after creating the role assignment, you may get an error. It takes about 5 minutes for the role assignment to be processed. Grab a coffee and be patient.
19. After some extra time, we try again. The error message disappeared. When we look at “All devices” you can see that Hank only sees the 2 devices which are member of the security group “Devices Amsterdam Office”.
20. Now let’s have a look at the Compliance policies. Because no compliance policies are tagged, Hank does not see any of the 9 configured compliance policies.
21. Let’s take a final look at the Configuration profiles. Hank only sees the two profiles which have been tagged (step 11). The Intune administrator sees all configured Configuration profiles.
22. Let’s test the scope groups and see what happens when Hank tries to assign a configuration profile to a group that is not configured as a scope group (step 15). Hank can select the group, but as soon as he tries to save the change he gets an error message. When he tries the same thing with a scope group it goes well.
Using RBAC in Intune, you can solve most security challenges. However, there still remain certain resources that you cannot provide a scope tag such as:
– Devices -> Compliance policies -> Locations
– Devices -> Windows -> Windows Enrollment -> Enrollment status page
– Devices -> Windows -> Windows Enrollment -> Devices (Autopilot)
– Devices -> Enroll devices -> Corporate device identifiers
– Jamf devices in Intune
In addition, it is not currently possible to scope the uploading of Autopilot devices. This is only possible if you are a Global or Intune administrator. But except for these exceptions, RBAC in Intune will be sufficient for most organizations.