Microsoft Intune · Support & Operations
Read Only Operator
Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune.
Scope: Read-only access to entire Intune console
Permissions
- All Intune areas - Read only
- Device compliance policies - Read + View reports
- Device configurations - Read + View reports
- Managed devices - Read + View reports
- Mobile apps - Read
- Endpoint Analytics - Read
- Security baselines - Read
- Audit data - Read
- Remote tasks - Get FileVault key only
Common use cases
- Auditors reviewing Intune configuration
- Managers needing visibility without change capability
- Reporting and analytics users
- Compliance monitoring
Best practices
- Use for audit and oversight roles
- Assign to stakeholders needing visibility only
- Combine with other read-only roles for broader access
- Use for automated reporting integrations
Security considerations
- Can view audit data and device information
- Can retrieve FileVault recovery keys (macOS)
- Has access to view all policy configurations
Common questions
When should I assign the Read Only Operator role?
Assign Read Only Operator when you need to: Auditors reviewing Intune configuration; Managers needing visibility without change capability; Reporting and analytics users; and Compliance monitoring. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Read Only Operator role do?
The Read Only Operator role grants permissions including: All Intune areas - Read only; Device compliance policies - Read + View reports; Device configurations - Read + View reports; Managed devices - Read + View reports; Mobile apps - Read; and Endpoint Analytics - Read. See the Permissions section above for the full list.
What are the security risks of the Read Only Operator role?
Key considerations when assigning Read Only Operator: Can view audit data and device information; Can retrieve FileVault recovery keys (macOS); and Has access to view all policy configurations. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.