Microsoft Intune · Role Administration
Intune Role Administrator
Manages custom Intune roles and adds assignments for built-in Intune roles. The only Intune role that can assign permissions to administrators.
Scope: Intune RBAC management
Permissions
- Roles - Full CRUD + Assign
- Organization - Read
Common use cases
- Creating custom Intune roles
- Assigning built-in and custom roles to groups
- Managing role scope tags
- Delegating Intune administration
Best practices
- Limit to IAM/security team members
- Document custom role purposes and permissions
- Use scope tags to limit administrative boundaries
- Review role assignments periodically
Security considerations
- Can grant any Intune permission to any group
- Only role that can assign Intune permissions
- Changes affect entire Intune administrative model
Common questions
When should I assign the Intune Role Administrator role?
Assign Intune Role Administrator when you need to: Creating custom Intune roles; Assigning built-in and custom roles to groups; Managing role scope tags; and Delegating Intune administration. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Intune Role Administrator role do?
The Intune Role Administrator role grants permissions including: Roles - Full CRUD + Assign; and Organization - Read. See the Permissions section above for the full list.
What are the security risks of the Intune Role Administrator role?
Key considerations when assigning Intune Role Administrator: Can grant any Intune permission to any group; Only role that can assign Intune permissions; and Changes affect entire Intune administrative model. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.