Microsoft Intune · Endpoint Privilege Management
Endpoint Privilege Manager
Manages Endpoint Privilege Management (EPM) policies in the Intune console. Full control over elevation rules and requests.
Scope: EPM policy and elevation request management
Permissions
- Endpoint Privilege Management Policy Authoring - Full CRUD + Assign + View reports
- Endpoint Privilege Management Elevation Requests - Modify + View
- Managed devices - Read
- Organization - Read
Common use cases
- Creating EPM elevation rules
- Approving/denying user elevation requests
- Managing support-approved elevations
- Configuring default elevation behavior
Best practices
- Assign to security team managing least privilege
- Document elevation rules and business justification
- Review elevation reports regularly
- Use with file hash rules for known applications
Security considerations
- Controls which apps can run with admin rights
- Can approve elevation requests for any user
- Elevation rules affect device security posture
Common questions
When should I assign the Endpoint Privilege Manager role?
Assign Endpoint Privilege Manager when you need to: Creating EPM elevation rules; Approving/denying user elevation requests; Managing support-approved elevations; and Configuring default elevation behavior. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Endpoint Privilege Manager role do?
The Endpoint Privilege Manager role grants permissions including: Endpoint Privilege Management Policy Authoring - Full CRUD + Assign + View reports; Endpoint Privilege Management Elevation Requests - Modify + View; Managed devices - Read; and Organization - Read. See the Permissions section above for the full list.
What are the security risks of the Endpoint Privilege Manager role?
Key considerations when assigning Endpoint Privilege Manager: Controls which apps can run with admin rights; Can approve elevation requests for any user; and Elevation rules affect device security posture. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.