Intune role permission to view 'Default Device Compliance Policy'

Phil 96 Reputation points
2024-07-11T10:50:56.2133333+00:00

Hi,

Please can someone advise which Intune role permission is required to allow visibility of the 'Default Device Compliance Policy' under the Device compliance page?

I have a RBAC role (assigned to a scope tag), with Read and View reports allowed for 'Device compliance policies':

User's image

However a user assigned this role can only see the policies scoped to the role and does not see the 'Default Device Compliance Policy':

User's image

Compared with a full admin:

User's image

It seems like the kind of thing I would expect to be possible, does anyone know how?

Thanks

Microsoft Intune Compliance
Microsoft Intune Compliance
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Compliance: Adhering to rules, standards, policies, and laws.
170 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,249 questions
{count} votes

1 answer

Sort by: Most helpful
  1. glebgreenspan 2,245 Reputation points
    2024-07-11T13:04:51.6366667+00:00

    Hello Phil

    The Default Device Compliance Policy is not a policy that can be viewed by Intune users with a standard RBAC role, even if they have the necessary permissions. The Default Device Compliance Policy is a special policy that is automatically applied to devices when they are enrolled in Intune, and it's not intended to be managed or viewed directly by users.

    The reason why full admins can see it is because they have the necessary permissions to view all device compliance policies, including the default one. The Device compliance policies permission only grants access to view policies created by users, not the default one.

    To allow users to view the default device compliance policy, you would need to assign them the View all device compliance policies permission, which is only available on the built-in Intune Device Administrator role.

    Alternatively, you could also consider creating a custom role with the necessary permissions and assigning it to your user. This way, you can grant them the specific permissions they need without having to assign them the full Intune Device Administrator role.

    Keep in mind that the Default Device Compliance Policy is not meant to be modified or managed directly by users, so even if your user has the necessary permissions, they should not attempt to modify or delete it.

    I hope this helps clarify things! Let me know if you have any further questions.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.