Microsoft Intune · Endpoint Privilege Management

Endpoint Privilege Manager

Manages Endpoint Privilege Management (EPM) policies in the Intune console. Full control over elevation rules and requests.

Scope: EPM policy and elevation request management

Permissions

  • Endpoint Privilege Management Policy Authoring - Full CRUD + Assign + View reports
  • Endpoint Privilege Management Elevation Requests - Modify + View
  • Managed devices - Read
  • Organization - Read

Common use cases

  • Creating EPM elevation rules
  • Approving/denying user elevation requests
  • Managing support-approved elevations
  • Configuring default elevation behavior

Best practices

  • Assign to security team managing least privilege
  • Document elevation rules and business justification
  • Review elevation reports regularly
  • Use with file hash rules for known applications

Security considerations

  • Controls which apps can run with admin rights
  • Can approve elevation requests for any user
  • Elevation rules affect device security posture

Common questions

When should I assign the Endpoint Privilege Manager role?

Assign Endpoint Privilege Manager when you need to: Creating EPM elevation rules; Approving/denying user elevation requests; Managing support-approved elevations; and Configuring default elevation behavior. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Endpoint Privilege Manager role do?

The Endpoint Privilege Manager role grants permissions including: Endpoint Privilege Management Policy Authoring - Full CRUD + Assign + View reports; Endpoint Privilege Management Elevation Requests - Modify + View; Managed devices - Read; and Organization - Read. See the Permissions section above for the full list.

What are the security risks of the Endpoint Privilege Manager role?

Key considerations when assigning Endpoint Privilege Manager: Controls which apps can run with admin rights; Can approve elevation requests for any user; and Elevation rules affect device security posture. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →