Microsoft Intune · Endpoint Privilege Management

Endpoint Privilege Reader

Views Endpoint Privilege Management (EPM) policies and elevation requests. Cannot make changes.

Scope: Read-only access to EPM

Permissions

  • Endpoint Privilege Management Policy Authoring - Read + View reports
  • Endpoint Privilege Management Elevation Requests - View only
  • Managed devices - Read
  • Organization - Read

Common use cases

  • Auditing EPM policies and rules
  • Viewing elevation request history
  • Compliance monitoring for least privilege
  • Reporting on elevation activity

Best practices

  • Use for audit and oversight roles
  • Assign to security reviewers without approval authority
  • Combine with other read-only roles as needed

Common questions

When should I assign the Endpoint Privilege Reader role?

Assign Endpoint Privilege Reader when you need to: Auditing EPM policies and rules; Viewing elevation request history; Compliance monitoring for least privilege; and Reporting on elevation activity. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Endpoint Privilege Reader role do?

The Endpoint Privilege Reader role grants permissions including: Endpoint Privilege Management Policy Authoring - Read + View reports; Endpoint Privilege Management Elevation Requests - View only; Managed devices - Read; and Organization - Read. See the Permissions section above for the full list.

Official Microsoft Learn documentation →

Open the interactive RBACMap →