So far, this guide has covered terminology and theory used to develop Delegated Administrator roles for Intune’s RBAC system and how to create users with limited rights to Intune in Step by Step: Intune Admin Delegation with RBAC #1
Next, we covered building RBAC scope tags and assigning those tags with device groups in Step by Step: Intune Delegation with RBAC #2
For this article, we’ll cover the creation of an actual Role in Intune. This will bring all the pieces together, an administrative user in an admin group, a scope tag assigned to the devices we want to administer, a core scope group, and permissions that we’ll delegate to users assigned to the role.
The complete RBAC plan we will deploy in this guide is shown below:
As you can see, our final scope diagram, which has advanced itself a little through this guids, shows four Roles that we want to create. The fourth role, which we are adding in this part of the series, will allow us to assign permissions to manage phones regardless of OS. This represents a very common role used in “the field.” It will also illustrate Intune’s ability to assign multiple roles to the same devices. The result is a three tier admin delegation scheme. “But there are only two tiers shown here,” you might say. Well, remember that there’s an implicit administrative tier associated with the Global Admin role. Global Administrators and Intune Service Administrators always have full access to the services in Office 365, and this becomes our “Level 3” tech role (The guys at the top of the support ladder) in Intune.
There’s not a lot to creating a role itself. We have four pieces; permissions, delegated administrator group, core object group, and scopes. So fasten your seat-belts, here we go!
- Open Intune and go to the Roles section.
- Click All Roles, then click Add to open the Role Creation blade. Enter a name for the role. For this guide, we’ll call the role “Phone Admins”
- Click on Permissions to begin assigning the permissions you want this admin group to have in Intune.
There are a lot of permissions available to assign to groups. You won’t need to assign very many of them unless you are creating a custom role for full administrative rights (Global Admins don’t have full admin rights in Intune, surprisingly enough, but can create roles that do).
- Set the permissions you need for the role. For this example, we want to set a moderate set of administrative rights for iOS and Android devices, since we’re building a Phone admins group. If you want specific guidance, go to Intune Permissions for iOS and Android Devices to get an example of what you’ll want to set.
- Once the permissions are set, you’ll have the Role ready to create. You should see the following:
Note: Don’t assign a scope to Custom Roles unless you are building a different Role. The Scope (Tags) setting on the Custom Role page is meant to assign a tag to the role itself for delegation. One thing to remember is that just about everything in Intune can be tagged with a Scope Tag for delegation.
- Click create to build the Core role object.
- Now that we’ve got the Role Built, we’ll assign the role. Here’s where we get all the pieces together. First, open the role to show this screen:
- Click Assignments then Assign to start assigning the role.
- You will see the screen below once you begin the assignment. Note the three sections here. We’ll be adding an Administrative User group for our Phone Admins, the All Devices Group as the scope group to pull our objects that we’ll assign permissions to, then the scope tags that will define which objects in that larger scope group the admins will actually have the set permissions on.
- First, of course, give the Assignment a name. You can have multiple assignments associated with the same permission set. This means we can use the same permission set for our Phone Admins group, our iOS Admins group, and our Android Admins group. Once you have a name, click Members and assign the group of admins to the role. Click Ok.
- Now, select the Scope (Groups) entry. We’ll just use the All Devices group for this, but we could use the groups we used in part 2 to assign our Tags.
- Finally, we’ll assign the tags that we want to grant permissions to. These will be the scope tags that we created in part 2.
- Click OK twice from the screen above and you will create the role.
Patience, Young ITGuy
Before you do any testing on this, remember that many updates in Azure AD and Office 365 require replication time throughout the environment. This can take up to an hour or more, depending on a number of unknown factors. You can regularly check permissions on the assigned users to make sure things apply, but you do need to be patient. This is not something you can get setup and expect the permissions to apply immediately. This means you’ll need to be very intentional when reducing permissions and delegation levels in Intune because there will be a period of time where the admins you are removing rights from will still be able to perform those actions. Not taking this into account can cause some major problems.
And that’s it. Now you know how to delegate permissions in Intune. It’s way more complicated than delegating rights in Active Directory or any other on-prem system you are probably familiar with, but believe me, it’s way easier than some delegation techniques out there (I’m looking at you, Azure AD Delegation). Play around with it and draw things out to come up with different delegation levels. Also make sure to look through the permissions you can delegate for Intune, as they do cover most functions and you’ll want to know exactly how to assign the right permissions.