
How to Assign a User an RBAC Role in Intune

Overview

Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.

To create, edit, or assign roles, your account must have one of the following permissions in Entra ID:

  • Global Administrator
  • Intune Service Administrator (also known as Intune Administrator)

Roles

Built-in roles

You can assign built-in roles to groups without further configuration. You can't delete or edit the name, description, type, or permissions of a built-in role.

  • Application Manager: Manages mobile and managed applications, can read device information and can view device configuration profiles.
  • Endpoint Privilege Manager: Manages Endpoint Privilege Management policies in the Intune console.
  • Endpoint Privilege Reader: Endpoint Privilege Readers can view Endpoint Privilege Management policies in the Intune console.
  • Endpoint Security Manager: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint.
  • Help Desk Operator: Performs remote tasks on users and devices, and can assign applications or policies to users or devices.
  • Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators.
  • Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
  • Read Only Operator: Views user, device, enrollment, configuration, and application information. Can't make changes to Intune.
  • School Administrator: Manages Windows 10 devices in Intune for Education.
  • Cloud PC Administrator: A Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC area.
  • Cloud PC Reader: A Cloud PC Reader has read access to all Cloud PC features located within the Cloud PC area.

Assign a role

You can assign a built-in or custom role to an Intune user.

To create, edit, or assign roles, your account must have one of the following permissions in Entra ID:

  • Global Administrator
  • Intune Service Administrator

  1. In the Microsoft Intune portal, choose Tenant administration > Roles.

  2. Then select All Roles.

  3. On the Endpoint Manager roles - All roles blade, choose the built-in role you want to assign > Assignments > + Assign.

  4. On the Basics page, enter an Assignment name and optional Assignment description, and then choose Next.

  5. On the Admin Groups page, select the group that contains the user you want to give the permissions to. Choose Next.

  6. On the Scope (Groups) page, choose a group containing the users/devices that the admin group selected in the previous step will be allowed to manage. You can also choose all users and/or all devices. Choose Next.
    For Entra ID security groups, nesting is supported.

  7. On the Scope (Tags) page, choose tags where this role assignment will be applied. Choose Next.

  8. On the Review + Create page, when you're done, choose Create. The new assignment is displayed in the list of assignments.

Note: All users and All devices are Intune virtual groups, not Entra ID security groups. As a result, for Scope (Groups) assignment purposes they cannot act as parents of Entra ID security groups. If you need both All users and All devices and specific Entra ID security groups in Scope (Groups), you must add them in separate assignments. Otherwise, even if the Scope (Groups) assignment for a role is set to All users, the admin in this role won't have access to the specific Entra ID user groups.
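Once assignments exist, the same Admin Groups and Scope (Groups) choices made in the steps above should be reviewed periodically so that no role is scoped more widely than intended. The following script is an added example, not part of this article or of Microsoft's documentation; it lists every Intune role assignment with its admin groups and scope groups resolved to display names. It assumes the Microsoft.Graph PowerShell SDK is installed and uses the Microsoft Graph v1.0 endpoints for Intune role definitions, role assignments, and groups with read-only permissions.

```powershell
# Added example (not from the Intune article): audit Intune RBAC role assignments
# so the Admin Groups / Scope (Groups) choices can be checked against least privilege.
# Assumes the Microsoft.Graph PowerShell SDK and Graph v1.0; nothing is modified.

# Read-only scopes are sufficient for an audit.
Connect-MgGraph -Scopes "DeviceManagementRBAC.Read.All", "Group.Read.All"

$graph = "https://graph.microsoft.com/v1.0"

# Cache group display names so each group id is resolved only once.
$groupNames = @{}
function Resolve-GroupNames {
    param([string[]]$GroupIds)
    $names = foreach ($id in $GroupIds) {
        if (-not $groupNames.ContainsKey($id)) {
            try {
                $g = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($id)?`$select=displayName"
                $groupNames[$id] = $g.displayName
            } catch {
                # A deleted group leaves a dangling id in the assignment; surface it rather than hide it.
                $groupNames[$id] = "<unresolved: $id>"
            }
        }
        $groupNames[$id]
    }
    return ($names -join '; ')
}

# Walk every role definition (built-in and custom) and its assignments.
$roles = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions").value
$report = foreach ($role in $roles) {
    $assignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions/$($role.id)/roleAssignments").value
    foreach ($a in $assignments) {
        [pscustomobject]@{
            Role        = $role.displayName
            BuiltIn     = $role.isBuiltIn
            Assignment  = $a.displayName
            AdminGroups = Resolve-GroupNames $a.members        # who receives the role
            ScopeGroups = Resolve-GroupNames $a.resourceScopes # whom they may manage
        }
    }
}

$report | Sort-Object Role, Assignment | Format-Table -AutoSize
```

The output is one row per assignment, which makes it easy to spot an Intune Role Administrator or Endpoint Security Manager assignment whose admin group is broader than expected. The All users and All devices virtual groups are not Entra ID groups, so an assignment scoped to them does not show a group name in the ScopeGroups column; treat an empty ScopeGroups value as a cue to confirm the scope in the portal. The script reads only the first page of each collection (it does not follow @odata.nextLink), which is enough for typical tenants.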