Microsoft Intune · Device & Endpoint Management
School Administrator
Manages apps and settings for education groups. Can take remote actions on devices including lock, restart, and retire.
Scope: Education-focused device and app management
Permissions
- Device configurations - Full CRUD + Assign
- Mobile apps - Full CRUD + Assign + Relate
- Managed devices - Delete, Read, Set primary user, Update
- Remote tasks - Wipe, Retire, Lock, Reboot, Reset passcode, Locate, and more
- Enrollment programs - Full profile and token management
- Customization - Full CRUD + Assign
- Terms and conditions - Full CRUD + Assign
- Remote Help - Elevation, Full control, View screen
- Endpoint Analytics - Full CRUD
Common use cases
- K-12 and higher education IT administrators
- Managing student and teacher devices
- Deploying educational apps
- Remote device support for classrooms
Best practices
- Use with Intune for Education portal
- Scope to education-specific groups
- Leverage Express Configuration for quick setup
- Use group-based assignments for classes/grades
Security considerations
- Can wipe and retire devices
- Has Remote Help elevation capability
- Can reset device passcodes
- Can locate devices
Common questions
When should I assign the School Administrator role?
Assign School Administrator when you need to: K-12 and higher education IT administrators; Managing student and teacher devices; Deploying educational apps; and Remote device support for classrooms. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the School Administrator role do?
The School Administrator role grants permissions including: Device configurations - Full CRUD + Assign; Mobile apps - Full CRUD + Assign + Relate; Managed devices - Delete, Read, Set primary user, Update; Remote tasks - Wipe, Retire, Lock, Reboot, Reset passcode, Locate, and more; Enrollment programs - Full profile and token management; and Customization - Full CRUD + Assign. See the Permissions section above for the full list.
What are the security risks of the School Administrator role?
Key considerations when assigning School Administrator: Can wipe and retire devices; Has Remote Help elevation capability; Can reset device passcodes; and Can locate devices. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.