Microsoft Intune · Support & Operations

Read Only Operator

Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune.

Scope: Read-only access to entire Intune console

Permissions

  • All Intune areas - Read only
  • Device compliance policies - Read + View reports
  • Device configurations - Read + View reports
  • Managed devices - Read + View reports
  • Mobile apps - Read
  • Endpoint Analytics - Read
  • Security baselines - Read
  • Audit data - Read
  • Remote tasks - Get FileVault key only

Common use cases

  • Auditors reviewing Intune configuration
  • Managers needing visibility without change capability
  • Reporting and analytics users
  • Compliance monitoring

Best practices

  • Use for audit and oversight roles
  • Assign to stakeholders needing visibility only
  • Combine with other read-only roles for broader access
  • Use for automated reporting integrations

Security considerations

  • Can view audit data and device information
  • Can retrieve FileVault recovery keys (macOS)
  • Has access to view all policy configurations

Common questions

When should I assign the Read Only Operator role?

Assign Read Only Operator when you need to: Auditors reviewing Intune configuration; Managers needing visibility without change capability; Reporting and analytics users; and Compliance monitoring. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Read Only Operator role do?

The Read Only Operator role grants permissions including: All Intune areas - Read only; Device compliance policies - Read + View reports; Device configurations - Read + View reports; Managed devices - Read + View reports; Mobile apps - Read; and Endpoint Analytics - Read. See the Permissions section above for the full list.

What are the security risks of the Read Only Operator role?

Key considerations when assigning Read Only Operator: Can view audit data and device information; Can retrieve FileVault recovery keys (macOS); and Has access to view all policy configurations. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →