RBAC in Azure AD, Intune and scope tags explained

Microsoft Intune has a pretty good RBAC model to allow you to give permissions to users who need to be able to perform an administrative task or role within Intune. A role can be for instance a predefined role in Intune or a custom role. Before digging into the Intune roles, there are also Intune related roles available within Azure AD.

Azure AD Roles versus Intune roles

Last month, presenting at our local user group (WMUG NL), I asked how many Global Administrators they had in their environment. Several environments had more than 5 Global Administrators; five is the general recommendation by Microsoft, but the lower the better! Not everybody needs to be a Global Admin to do their job in Exchange, SharePoint, Azure AD, or even Microsoft Intune! Unfortunately, I see a lot of companies not, or hardly, using any RBAC.

Azure AD has the following roles for Intune related administrators:

  • Global Administrator (duh!)
  • Intune Administrator
  • Conditional Access Administrator
  • Application administrator

As an Intune Administrator you have all permissions within Microsoft Intune, you can do anything you need to do when working with Intune, users and devices.

Since Conditional Access is part of Azure AD and it's one of the most important ways of protecting your data at the front door, the Conditional Access Administrator is able to manage everything related to the Conditional Access rules.

If you want to publish internal resources on your mobile devices, you may need the Azure AD App Proxy to allow users access in a secure way. The Application Administrator is a special role that allows you to manage the apps you create so that the internal apps are published via the App Proxy and controlled by Conditional Access based on device compliance from Microsoft Intune. (more on this in a separate blog in the future)

Microsoft Intune Roles

A role in Intune is basically defined by a role definition, members, a scope and an assignment. Currently the following default roles are available:

  • Policy and Profile manager
  • School Administrator
  • Help Desk Operator
  • Application Manager
  • Read Only Operator
  • Intune Role Administrator

The Role Definition describes what a member is able to do when they are a member of this role: it defines the permissions on objects in Microsoft Intune. The role definition of a default role cannot be changed, but when you create a custom role you can always add or remove permissions.

Members are the administrators that need to be able to perform the work which is related with the role. Members are added via Assignments.

When assigning a role you add a group of users (administrators) that need to be members of the role.

The Scope is a group of Users or Devices that can be managed by the members added in this Role Assignment. If you add a group of users, the users and their related devices are part of the scope; when adding a group of devices, only the devices can be managed.

New to RBAC is that we are now also able to create and assign Scope Tags. With Scope Tags we can tag an object, so that objects can be filtered based on the tags assigned to them.

So, in what scenarios can we use this?

Suppose we create a role called Intune Operators for Intune Administrators in The Netherlands, Denmark and the USA, who need to manage the users and their devices in the country they represent. The Intune Operators also need to be able to create, read and assign Configuration Profiles, Compliance Policies and Applications for the country they represent.

Creating a role as above allows the members to manage Device Compliance Policies, Device Configuration Profiles, Managed Apps and Mobile Apps, and to execute Remote Tasks. Since each assignment adds a scope with a user group, the Intune Operators only see the users and devices in their scope. In addition, the Intune Operators see the objects tagged for their “country” and objects that are not tagged at all. When an Intune Operator creates a new profile, the profile is not automatically tagged for the “country”; the admin needs to tag the object themselves.

The following objects currently support Scope Tags:

  • Configuration Profiles
  • Compliance Policies
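To make the model concrete, here is an added Python sketch (my own, not Intune or Graph API code) of how an assignment's members, scope and scope tags decide what the NL and US operators from the scenario above can see and manage, including the untagged-profile pitfall; all group, tag, user and object names are made up.

```python
from dataclasses import dataclass

# Constructed model of the RBAC pieces described above (added example, not Intune code):
# an assignment has members (admin groups), a scope (user/device groups) and scope tags.
@dataclass(frozen=True)
class RoleAssignment:
    name: str
    members: frozenset       # admin groups that receive the role
    scope_groups: frozenset  # user or device groups the members may manage
    scope_tags: frozenset    # tags that make tagged objects visible to the members

@dataclass(frozen=True)
class IntuneObject:  # a configuration profile or compliance policy
    name: str
    scope_tags: frozenset = frozenset()  # empty: created without tagging it

# Hypothetical directory data for the "Intune Operators" scenario (NL and US shown).
ADMIN_GROUPS = {"anna": {"Ops-NL"}, "bob": {"Ops-US"}}
USER_GROUPS = {"alice": {"Users-NL"}, "dave": {"Users-US"}}
DEVICE_OWNER = {"laptop-nl-01": "alice", "laptop-us-07": "dave"}

ASSIGNMENTS = [
    RoleAssignment("Operators NL", frozenset({"Ops-NL"}), frozenset({"Users-NL"}), frozenset({"NL"})),
    RoleAssignment("Operators US", frozenset({"Ops-US"}), frozenset({"Users-US"}), frozenset({"US"})),
]

OBJECTS = [
    IntuneObject("WiFi-NL", frozenset({"NL"})),
    IntuneObject("VPN-US", frozenset({"US"})),
    IntuneObject("Baseline"),  # created by an operator who did not tag it
]

def _assignments_for(admin):
    groups = ADMIN_GROUPS.get(admin, set())
    return [a for a in ASSIGNMENTS if groups & a.members]

def visible_objects(admin):
    """Objects tagged for the admin's country, plus every untagged object."""
    tags = set().union(*(a.scope_tags for a in _assignments_for(admin)))
    return sorted(o.name for o in OBJECTS if not o.scope_tags or o.scope_tags & tags)

def can_manage_device(admin, device):
    """A user group in the scope brings that user's devices into scope as well."""
    scopes = set().union(*(a.scope_groups for a in _assignments_for(admin)))
    return bool(USER_GROUPS.get(DEVICE_OWNER.get(device), set()) & scopes)

def untagged_objects():
    """Audit helper: objects every operator can see because nobody tagged them."""
    return sorted(o.name for o in OBJECTS if not o.scope_tags)
```

Running `untagged_objects()` periodically is a cheap way to catch profiles that an operator created but forgot to tag.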

So far for the theory; in the next blog let’s see how it actually works.
