Secure administrator access in Intune with Intune RBAC

For larger companies it can be quite challenging to assign the correct permissions for their helpdesk users. For example if your company is located in Brussels and New York you don’t want to give your helpdesk staff access towards all devices and configuration settings. We often see companies that are using the default Intune Administrator role this means this administrator account can access every configuration in Microsoft Intune. This blogpost describes how I use the functionality of Intune Role Based Access Control.

Use Case

In this scenario we have a user named Steven Jones which is a Sales Officer and is located in the Office in Gent (Belgium).

We have created a Dynamic Security Group that includes all the users that are located in the office in Gent.

We have created a group with all the Helpdesk employees that needs to manage the users and devices in Gent.

I’ve also created a device group for all devices that are part of the Gent office. The device of Steven Jones is part of this group. This is an assigned group but you can also create a dynamic one for example based on Device Category.

Create a scope tag

We also need a scope tag for the RBAC permissions on device level. In the Microsoft Endpoint Manager portal browse to Tenant Administration -> Roles -> Scope (Tags) and create a Scope Tag based on the previously created device group.

Configuring the permissions

In the Microsoft Endpoint Manager portal you can easily manage your RBAC permissions. Go to Tenant administration -> Roles.

You can create your own custom role or you can use an already existing role. I’ve used the default Help Desk Operator role.

Go to assignments and click on Assign

Give your assignment a name.

Select the group with the Helpdesk users. This includes the users that needs to manage the users and the devices.

Select the group of users that the Admin Groups needs to manage. I’ve used a group of users which means that I can manage and review the applications, policies, profiles, etc that are assigned to the users that are member of this group. To manage the devices you need to create a group with devices in it. I have used the Scope tags to assign permissions to specific devices (will be described later).

The next step is to assign your scope tag towards the Role Assignment. This means that the Admin Groups can manage the resources that includes that specific Scope Tag.


The device of Steven Jones is assigned the “Devices Gent” Scope Tag. This means that the Helpdesk group of Gent can manage this device. As shown in the underneath pictures.

We see more devices when we log in with a Global Administrator account or a Intune Administrator account:

Published by jordyblommaert

My passion is the cloud

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: