Role Based Access Control (RBAC) has been a favourite feature of the System Center Configuration Manager community since its introduction, and now it’s available in Intune. RBAC in Intune enables you to easily define who can perform various Intune tasks within your organization, and who those tasks apply to. RBAC gives you greater flexibility and control while ensuring your IT administrators have the necessary permissions to perform their job.
Integration with Azure AD Directory Roles for high level access control
The new Intune admin experience on Azure delivers deeper levels of integration with Azure Active Directory, which includes Azure AD Groups as well as integration with Azure AD Directory Roles. This integration provides the underpinnings of Intune’s RBAC capabilities and our overall permissions management story. RBAC for Intune starts by leveraging four Azure AD Directory Roles that define high level administrative access to Intune workstreams and tasks:
- Global Administrator / Company Administrator: users in this role have access to all administrative features in Azure AD, including conditional access. They can also manage all of Intune.
- User Administrator: users in this role can manage users and groups but cannot manage all of Intune.
- Intune Service Administrator: users in this role can manage all of Intune, including management of users and devices, as well as group creation and management. This role does not allow for management of Azure AD’s Conditional Access settings.
- Conditional Access Administrator: users in this role can manage Azure AD’s Conditional Access policies, but not all of Intune.
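To make the split between these four roles concrete, here is an added Python example (not from the original post, and not Microsoft's code) that encodes each role's scope exactly as listed above under constructed permission labels, computes a principal's effective permissions, and picks the least-privileged role combination that still covers a given task, so a reviewer can see when Global Administrator is more than a job requires.

```python
from itertools import combinations

# Scope of each Azure AD directory role as described in the post.
# The permission names are constructed labels for this example, not Azure AD identifiers.
ROLE_PERMISSIONS = {
    "Global Administrator": {"azuread_admin", "conditional_access", "intune_all", "users_groups"},
    "User Administrator": {"users_groups"},
    "Intune Service Administrator": {"intune_all", "users_groups"},
    "Conditional Access Administrator": {"conditional_access"},
}


def effective_permissions(assigned_roles):
    """Union of everything the assigned directory roles grant."""
    perms = set()
    for role in assigned_roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def excess_permissions(assigned_roles, needed):
    """Permissions the principal holds beyond what the task actually needs."""
    return effective_permissions(assigned_roles) - set(needed)


def least_privilege_roles(needed):
    """Smallest-footprint combination of the four roles that still covers `needed`.

    Every subset of the roles is scored by the total number of permissions it
    grants (fewer is better), with the number of roles as a tie-breaker.
    Returns None if no combination covers the request.
    """
    needed = set(needed)
    roles = list(ROLE_PERMISSIONS)
    best = None
    for size in range(1, len(roles) + 1):
        for combo in combinations(roles, size):
            granted = effective_permissions(combo)
            if not needed <= granted:
                continue
            score = (len(granted), len(combo))
            if best is None or score < best[0]:
                best = (score, frozenset(combo))
    return set(best[1]) if best else None


if __name__ == "__main__":
    # A helpdesk lead who needs to manage Intune and Conditional Access policies:
    # two narrower roles cover that with less reach than a single Global Administrator.
    print(least_privilege_roles({"intune_all", "conditional_access"}))
    print(excess_permissions({"Global Administrator"}, {"intune_all"}))
```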