Microsoft Intune RBAC Roles

Microsoft Intune built-in roles for endpoint management, policy administration, application management, and helpdesk support.

11 roles across 6 categories.

Device & Endpoint Management

Manage devices, security policies, and endpoint protection

  • Endpoint Security Manager

    Manages security and compliance features including security baselines, device compliance, Conditional Access, and Microsoft Defender for Endpoint.

  • Policy and Profile Manager

    Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.

  • School Administrator

    Manages apps and settings for education groups. Can take remote actions on devices including lock, restart, and retire.

Application Management

Deploy and manage mobile and managed applications

  • Application Manager

    Manages mobile and managed applications. Can read device information and view device configuration profiles.

Support & Operations

Help desk operations and read-only monitoring

  • Help Desk Operator

    Performs remote tasks on users and devices. Can assign applications or policies to users or devices.

  • Read Only Operator

    Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune.

Endpoint Privilege Management

Manage elevation requests and EPM policies

  • Endpoint Privilege Manager

    Manages Endpoint Privilege Management (EPM) policies in the Intune console. Full control over elevation rules and requests.

  • Endpoint Privilege Reader

    Views Endpoint Privilege Management (EPM) policies and elevation requests. Cannot make changes.

Role Administration

Manage Intune RBAC roles and assignments

  • Intune Role Administrator

    Manages custom Intune roles and adds assignments for built-in Intune roles. The only Intune role that can assign permissions to administrators.

Cloud PC (Windows 365)

Manage Windows 365 Cloud PCs (requires subscription)

  • Cloud PC Administrator

    Has Read and Write access to all Cloud PC features located within the Cloud PC area. Requires Windows 365 subscription.

  • Cloud PC Reader

    Has Read access to all Cloud PC features. Cannot make changes. Requires Windows 365 subscription.