Microsoft Intune · Endpoint Privilege Management
Endpoint Privilege Reader
Views Endpoint Privilege Management (EPM) policies and elevation requests. Cannot make changes.
Scope: Read-only access to EPM
Permissions
- Endpoint Privilege Management Policy Authoring - Read + View reports
- Endpoint Privilege Management Elevation Requests - View only
- Managed devices - Read
- Organization - Read
Common use cases
- Auditing EPM policies and rules
- Viewing elevation request history
- Compliance monitoring for least privilege
- Reporting on elevation activity
Best practices
- Use for audit and oversight roles
- Assign to security reviewers without approval authority
- Combine with other read-only roles as needed
Common questions
When should I assign the Endpoint Privilege Reader role?
Assign Endpoint Privilege Reader when you need to: Auditing EPM policies and rules; Viewing elevation request history; Compliance monitoring for least privilege; and Reporting on elevation activity. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Endpoint Privilege Reader role do?
The Endpoint Privilege Reader role grants permissions including: Endpoint Privilege Management Policy Authoring - Read + View reports; Endpoint Privilege Management Elevation Requests - View only; Managed devices - Read; and Organization - Read. See the Permissions section above for the full list.