Microsoft Intune · Device & Endpoint Management

School Administrator

Manages apps and settings for education groups. Can take remote actions on devices including lock, restart, and retire.

Scope: Education-focused device and app management

Permissions

  • Device configurations - Full CRUD + Assign
  • Mobile apps - Full CRUD + Assign + Relate
  • Managed devices - Delete, Read, Set primary user, Update
  • Remote tasks - Wipe, Retire, Lock, Reboot, Reset passcode, Locate, and more
  • Enrollment programs - Full profile and token management
  • Customization - Full CRUD + Assign
  • Terms and conditions - Full CRUD + Assign
  • Remote Help - Elevation, Full control, View screen
  • Endpoint Analytics - Full CRUD

Common use cases

  • K-12 and higher education IT administrators
  • Managing student and teacher devices
  • Deploying educational apps
  • Remote device support for classrooms

Best practices

  • Use with Intune for Education portal
  • Scope to education-specific groups
  • Leverage Express Configuration for quick setup
  • Use group-based assignments for classes/grades

Security considerations

  • Can wipe and retire devices
  • Has Remote Help elevation capability
  • Can reset device passcodes
  • Can locate devices

Common questions

When should I assign the School Administrator role?

Assign School Administrator when you need to: K-12 and higher education IT administrators; Managing student and teacher devices; Deploying educational apps; and Remote device support for classrooms. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the School Administrator role do?

The School Administrator role grants permissions including: Device configurations - Full CRUD + Assign; Mobile apps - Full CRUD + Assign + Relate; Managed devices - Delete, Read, Set primary user, Update; Remote tasks - Wipe, Retire, Lock, Reboot, Reset passcode, Locate, and more; Enrollment programs - Full profile and token management; and Customization - Full CRUD + Assign. See the Permissions section above for the full list.

What are the security risks of the School Administrator role?

Key considerations when assigning School Administrator: Can wipe and retire devices; Has Remote Help elevation capability; Can reset device passcodes; and Can locate devices. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →