
Intune Administrator

Can manage all aspects of the Microsoft Intune product, including devices, apps, policies, and user management for endpoints.

Scope: Full Microsoft Intune and endpoint management administration

Permissions

  • Intune - Full Intune administration
  • Cloud PCs - Manage Windows 365 Cloud PCs
  • BitLocker - Read BitLocker recovery keys
  • Contacts - Update contact properties
  • Contacts - Create contacts
  • Contacts - Delete contacts
  • Devices - Update device properties
  • Devices - Create/enroll devices
  • Devices - Delete devices
  • Devices - Disable devices
  • Devices - Enable devices
  • Extension Attributes - Update extension attributes
  • Device Ownership - Update device owners
  • Device Users - Update device users
  • LAPS - Read local admin credentials
  • Security Groups - Create security groups
  • Security Groups - Delete security groups
  • Group Membership - Update security group members
  • Group Ownership - Update security group owners
  • User Properties - Update user properties
  • User Management - Update user managers
  • User Photos - Update user photos
  • Org Messages - Read organizational messages
  • Compliance - Create and manage device compliance policies
  • App Management - Deploy and manage applications
  • Updates - Configure Windows Update for Business

Common use cases

  • Endpoint management team lead responsibilities
  • MDM and MAM policy administration
  • Device compliance and security policy management
  • Application deployment and lifecycle management
  • Windows Autopilot configuration and management
  • macOS, iOS, and Android device management
  • Windows Update ring configuration
  • BitLocker and encryption key management
  • Endpoint security baseline configuration
  • Windows 365 Cloud PC management
  • Corporate device enrollment configuration
  • BYOD policy and app protection

Best practices

  • Limit full Intune Admin to 3-5 people maximum
  • Use Intune built-in RBAC roles for granular delegation
  • Use scope tags to limit device/policy visibility
  • Consider PIM for just-in-time access
  • Create separate roles for helpdesk vs. policy management
  • Use device groups for targeted policy deployment
  • Test policies in pilot groups before broad deployment
  • Implement change management for policy changes
  • Document all configuration baselines
  • Use compliance policies with Conditional Access
  • Configure enrollment restrictions appropriately
  • Monitor device compliance dashboard regularly
  • Set up alerts for compliance policy failures
  • Use Windows Autopilot for zero-touch deployment

Security considerations

  • Can access BitLocker recovery keys for all devices
  • Can read local administrator passwords (LAPS)
  • Can wipe or retire corporate devices
  • Can deploy applications that run on endpoints
  • Can modify security baselines affecting all devices
  • Can access device information including location
  • Can create/modify groups used for Conditional Access
  • Monitor for policy changes affecting security posture
  • Alert on bulk device wipe operations
  • Review app deployment for malicious content
  • Consider separation from security policy roles
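Two of the items above ("Alert on bulk device wipe operations" and "Monitor for policy changes affecting security posture") are detection rules a SOC can run over exported Intune audit events. The following is an added example, not code from the page or from RBACMap, showing one way to do that: it groups wipe and retire actions per actor inside a sliding time window and separately lists policy changes. The event shape, the activity names and the sample events are constructed assumptions, not the real Intune audit log schema, so map the field names to whatever your export produces.

```python
"""Added example (not from the RBACMap page): scan Intune-style audit events for
bulk wipe/retire activity by one actor and for security policy changes.
The record layout, activity names and sample data below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (assumed shape; not real Intune audit data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2024-05-01T09:00:00", "actor": "admin-a@example.com",
     "activity": "wipeManagedDevice", "target": "PC-001"},
    {"time": "2024-05-01T09:02:00", "actor": "admin-a@example.com",
     "activity": "wipeManagedDevice", "target": "PC-002"},
    {"time": "2024-05-01T09:04:00", "actor": "admin-a@example.com",
     "activity": "retireManagedDevice", "target": "PC-003"},
    {"time": "2024-05-01T10:00:00", "actor": "admin-b@example.com",
     "activity": "retireManagedDevice", "target": "PC-010"},
    {"time": "2024-05-01T10:30:00", "actor": "admin-b@example.com",
     "activity": "updateSecurityBaseline", "target": "Win11-Baseline"},
    {"time": "2024-05-01T11:00:00", "actor": "admin-b@example.com",
     "activity": "wipeManagedDevice", "target": "PC-011"},
]

# Assumed activity names for the two rule sets.
WIPE_ACTIVITIES = {"wipeManagedDevice", "retireManagedDevice"}
POLICY_ACTIVITIES = {"updateDeviceCompliancePolicy",
                     "deleteDeviceCompliancePolicy",
                     "updateSecurityBaseline"}


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def find_bulk_wipes(events: List[Dict[str, str]], threshold: int = 3,
                    window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per actor who issued >= threshold wipe/retire actions
    within any sliding window of the given length."""
    by_actor: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for event in events:
        if event["activity"] in WIPE_ACTIVITIES:
            by_actor[event["actor"]].append(event)

    alerts: List[Dict] = []
    for actor, actions in by_actor.items():
        actions.sort(key=lambda e: parse_time(e["time"]))
        start = 0
        for end in range(len(actions)):
            # Slide the window start forward until it fits inside `window`.
            while (parse_time(actions[end]["time"])
                   - parse_time(actions[start]["time"])) > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "actor": actor,
                    "count": end - start + 1,
                    "devices": [a["target"] for a in actions[start:end + 1]],
                    "first": actions[start]["time"],
                    "last": actions[end]["time"],
                })
                break  # one alert per actor is enough for triage
    return alerts


def find_policy_changes(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every event that modifies a compliance policy or security baseline."""
    return [e for e in events if e["activity"] in POLICY_ACTIVITIES]


def run_report(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Print both rule results and return counts for quick checks."""
    wipes = find_bulk_wipes(events)
    changes = find_policy_changes(events)
    for alert in wipes:
        print(f"BULK WIPE: {alert['actor']} wiped/retired {alert['count']} devices "
              f"{alert['devices']} between {alert['first']} and {alert['last']}")
    for change in changes:
        print(f"POLICY CHANGE: {change['actor']} ran {change['activity']} "
              f"on {change['target']} at {change['time']}")
    return {"bulk_wipe_alerts": len(wipes), "policy_changes": len(changes)}


if __name__ == "__main__":
    run_report(SAMPLE_EVENTS)
```

Tune `threshold` and `window` to the size of the estate; a three-in-ten-minutes rule suits a small pilot, while a large tenant with scheduled device retirement needs a higher threshold or an allow-list for the service account that performs it.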
