Muokkaa

Jaa


Built-in role permissions for Microsoft Intune

The following tables lists the built-in roles for Microsoft Intune. The tables also list the permissions that are associated with each role.

Note

This article was partially created with the help of artificial intelligence. Before publishing, an author reviewed and revised the content as needed. See Our principles for using AI-generated content in Microsoft Learn.

Application Manager

Application Managers manage mobile and managed applications, can read device information and can view device configuration profiles.

Permission Action
Android for work Read
Android for work Update app sync
Filters Create
Filters Delete
Filters Read
Filters Update
Certificate Connector Read
Cloud attached devices Take application actions
Cloud attached devices View applications
Cloud attached devices View client details
Cloud attached devices View collections
Cloud attached devices View resource explorer
Cloud attached devices View software updates
Cloud attached devices View timeline
Customization Read
Derived Credentials Read
Device configurations Read
Managed apps Assign
Managed apps Create
Managed apps Delete
Managed apps Read
Managed apps Update
Managed apps Wipe
Managed devices Read
Microsoft Defender ATP Read
Microsoft Store For Business Read
Mobile apps Assign
Mobile apps Create
Mobile apps Delete
Mobile apps Read
Mobile apps Relate
Mobile apps Update
Mobile Threat Defense Read
Organization Read
Partner Device Management Read
Policy Sets Assign
Policy Sets Create
Policy Sets Delete
Policy Sets Read
Policy Sets Update
Windows Enterprise Certificate Read

Endpoint Security Manager

Manages security and compliance features such as security baselines, device compliance, Conditional Access, and Microsoft Defender ATP.

Permission Action
Android FOTA Read
Android for work Read
App Control for Business Assign - (Added with the 2406 service release)
App Control for Business Create - (Added with the 2406 service release)
App Control for Business Delete - (Added with the 2406 service release)
App Control for Business Read - (Added with the 2406 service release)
App Control for Business Update - (Added with the 2406 service release)
App Control for Business View reports - (Added with the 2406 service release)
Attack surface reduction Assign - (Added with the 2406 service release)
Attack surface reduction Create - (Added with the 2406 service release)
Attack surface reduction Delete - (Added with the 2406 service release)
Attack surface reduction Read - (Added with the 2406 service release)
Attack surface reduction Update - (Added with the 2406 service release)
Attack surface reduction View reports - (Added with the 2406 service release)
Audit data Read
Certificate Connector Read
Cloud attached devices View client details
Cloud attached devices Run CMPivot query
Cloud attached devices View collections
Cloud attached devices View resource explorer
Cloud attached devices View scripts
Cloud attached devices View software updates
Cloud attached devices View timeline
Corporate device identifiers Read
Customization Read
Derived Credentials Read
Device compliance policies Assign
Device compliance policies Create
Device compliance policies Delete
Device compliance policies Read
Device compliance policies Update
Device compliance policies View reports
Device configurations Read
Device configurations View reports
Device enrollment managers Read
Endpoint Analytics Read
Endpoint protection reports Read
Enrollment programs Read token
Endpoint detection and response Assign - (Added with the 2406 service release)
Endpoint detection and response Create - (Added with the 2406 service release)
Endpoint detection and response Delete - (Added with the 2406 service release)
Endpoint detection and response Read - (Added with the 2406 service release)
Endpoint detection and response Update - (Added with the 2406 service release)
Endpoint detection and response View reports - (Added with the 2406 service release)
Endpoint Privilege Management Policy Authoring Assign
Endpoint Privilege Management Policy Authoring Create
Endpoint Privilege Management Policy Authoring Delete
Endpoint Privilege Management Policy Authoring Read
Endpoint Privilege Management Policy Authoring Update
Endpoint Privilege Management Policy Authoring View reports
Enrollment programs Read device
Enrollment programs Read profile
Filters Read
Intune data warehouse Read
Managed apps Read
Managed devices Delete
Managed devices Read
Managed devices Set primary user
Managed devices Update
Managed devices View reports
Managed devices Query
Microsoft Defender ATP Read
Microsoft Store For Business Read
Mobile apps Read
Mobile Threat Defense Modify
Mobile Threat Defense Read
Organization Read
Partner Device Management Read
Policy Sets Read
Remote assistance connectors Read
Remote assistance connectors View reports
Remote tasks Initiate Configuration Manager action
Remote tasks Get filevault key.
Remote tasks Reboot now
Remote tasks Remote lock
Remote tasks Rotate BitLockerKeys (preview)
Remote tasks Rotate filevault key.
Remote tasks Shut down
Remote tasks Sync devices.
Remote tasks Windows defender
Roles Read
Security baselines Assign
Security baselines Create
Security baselines Delete
Security baselines Read
Security baselines Update
Security baselines View reports
Security tasks Read
Security tasks Update
Telecom expenses Read
Terms and conditions Read
Windows Enterprise Certificate Read

Endpoint Privilege Manager

Endpoint Privilege Managers can manage Endpoint Privilege Management (EPM) policies in the Intune console.

Permission Action
Endpoint Privilege Management Policy Authoring Assign
Endpoint Privilege Management Policy Authoring Create
Endpoint Privilege Management Policy Authoring Delete
Endpoint Privilege Management Policy Authoring Read
Endpoint Privilege Management Policy Authoring Update
Endpoint Privilege Management Policy Authoring View reports
Organization Read

Read Only Operator

Read Only Operators view user, device, enrollment, configuration and application information and cannot make changes to Intune.

Permission Action
Android FOTA Read
Android for work Read
App Control for Business Read - (Added with the 2406 service release)
Attack surface reduction Read - (Added with the 2406 service release)
Audit data Read
Certificate Connector Read
Cloud attached devices View applications
Cloud attached devices View client details
Cloud attached devices View collections
Cloud attached devices View resource explorer
Cloud attached devices View scripts
Cloud attached devices View software updates
Cloud attached devices View timeline
Corporate device identifiers Read
Customization Read
Derived Credentials Read
Device compliance policies Read
Device compliance policies View reports
Device configurations Read
Device configurations View reports
Device enrollment managers Read
Endpoint Analytics Read
Endpoint detection and response Read - (Added with the 2406 service release)
Endpoint Privilege Management Policy Authoring Read
Endpoint Privilege Management Policy Authoring View reports
Endpoint protection reports Read
Enrollment programs Read device
Enrollment programs Read profile
Enrollment programs Read token
Filters Read
Managed apps Read
Managed devices Read
Managed devices View reports
Microsoft Defender ATP Read
Microsoft Store For Business Read
Mobile apps Read
Mobile Threat Defense Read
Organization Read
Organizational Messages Read
Partner Device Management Read
Policy Sets Read
Quiet Time policies Read
Quiet Time policies View reports
Remote assistance connectors Read
Remote assistance connectors View reports
Remote tasks Get filevault key.
Intune data warehouse Read
Roles Read
Security baselines Read
ServiceNow View Incidents
Telecom expenses Read
Terms and conditions Read
Windows Enterprise Certificate Read

Organizational Messages Manager

Organizational Messages Managers can manage organizational messages in Intune console.

Permission Action
Organization Read
Organizational Messages Assign
Organizational Messages Create
Organizational Messages Delete
Organizational Messages Read
Organizational Messages Update
Organizational Messages Update organizational message control

School Administrator

School Administrators can manage apps and settings for their groups. They can take remote actions on devices, including remotely locking them, restarting them, and retiring them from management.

Permission Action
Audit data Read
Certificate Connector Modify
Certificate Connector Read
Cloud attached devices Take application actions
Cloud attached devices View applications
Cloud attached devices View client details
Cloud attached devices Run CMPivot query
Cloud attached devices View collections
Cloud attached devices Enroll Now
Cloud attached devices View resource explorer
Cloud attached devices Run script
Cloud attached devices View scripts
Cloud attached devices View software updates
Cloud attached devices View timeline
Customization Assign
Customization Create
Customization Delete
Customization Read
Customization Update
Derived Credentials Read
Device configurations Assign
Device configurations Create
Device configurations Delete
Device configurations Read
Device configurations Update
Device enrollment managers Read
Device enrollment managers Update
Endpoint Analytics Create
Endpoint Analytics Delete
Endpoint Analytics Read
Endpoint Analytics Update
Enrollment programs Assign profile
Enrollment programs Create profile
Enrollment programs Delete device
Enrollment programs Delete profile
Enrollment programs Read device
Enrollment programs Read profile
Enrollment programs Sync device
Enrollment programs Update profile
Filters Create
Filters Delete
Filters Read
Filters Update
Enrollment programs Create token
Enrollment programs Delete token
Enrollment programs Read token
Enrollment programs Update token
Managed apps Create
Managed apps Delete
Managed apps Read
Managed apps Update
Managed devices Delete
Managed devices Read
Managed devices Set primary user
Managed devices Update
Microsoft Defender ATP Read
Microsoft Store For Business Modify
Microsoft Store For Business Read
Mobile apps Assign
Mobile apps Create
Mobile apps Delete
Mobile apps Read
Mobile apps Relate
Mobile apps Update
Mobile Threat Defense Read
Organization Read
Partner Device Management Read
Policy Sets Assign
Policy Sets Create
Policy Sets Delete
Policy Sets Read
Policy Sets Update
Remote assistance connectors Read
Remote assistance connectors Update
Remote assistance connectors View reports
Remote Help app Elevation
Remote Help app Take full control
Remote Help app View screen
Remote tasks Update cellular data plan
Remote tasks Clean PC
Remote tasks Initiate Configuration Manager action
Remote tasks Collect diagnostics
Remote tasks Disable lost mode
Remote tasks Enable lost mode
Remote tasks Recover MDM Key
Remote tasks Locate device
Remote tasks Run Remediation
Remote tasks Play sound to locate lost devices
Remote tasks Reboot now
Remote tasks Remote lock
Remote tasks Offer remote assistance
Remote tasks Reset passcode
Remote tasks Retire
Remote tasks Set device name
Remote tasks Sync devices.
Remote tasks Wipe
Intune data warehouse Read
ServiceNow View Incidents
Terms and conditions Assign
Terms and conditions Create
Terms and conditions Delete
Terms and conditions Read
Terms and conditions Update
Windows Enterprise Certificate Modify
Windows Enterprise Certificate Read

Policy and Profile manager

Policy and Profile Managers manage compliance policy, configuration profiles, Apple enrollment and corporate device identifiers.

Permission Action
Android FOTA Read
Android for work Read
Android for work Update app sync
Android for work Update onboarding
Audit data Read
Certificate Connector Read
Cloud attached devices View applications
Cloud attached devices View client details
Cloud attached devices View collections
Cloud attached devices View resource explorer
Cloud attached devices View scripts
Cloud attached devices View software updates
Cloud attached devices View timeline
Corporate device identifiers Create
Corporate device identifiers Delete
Corporate device identifiers Read
Corporate device identifiers Update
Derived Credentials Read
Device compliance policies Assign
Device compliance policies Create
Device compliance policies Delete
Device compliance policies Read
Device compliance policies Update
Device compliance policies View reports
Device configurations Assign
Device configurations Create
Device configurations Delete
Device configurations Read
Device configurations Update
Device configurations View reports
Enrollment programs Assign profile
Enrollment programs Create device
Enrollment programs Create token
Enrollment programs Create profile
Enrollment programs Delete device
Enrollment programs Delete profile
Enrollment programs Delete token
Enrollment programs Read device
Enrollment programs Read token
Enrollment programs Read profile
Enrollment programs Sync device
Enrollment programs Update token
Enrollment programs Update profile
Filters Create
Filters Delete
Filters Read
Filters Update
Managed apps Assign
Managed apps Create
Managed apps Delete
Managed apps Read
Managed apps Update
Microsoft Defender ATP Read
Mobile Threat Defense Read
Organization Read
Partner Device Management Read
Policy Sets Assign
Policy Sets Create
Policy Sets Delete
Policy Sets Read
Policy Sets Update
Quiet Time policies Assign
Quiet Time policies Create
Quiet Time policies Delete
Quiet Time policies Read
Quiet Time policies Update
Quiet Time policies View reports

Help Desk Operator

Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.

Permission Action
Android FOTA Read
Android for work Read
App Control for Business Read - (Added with the 2406 service release)
Attack surface reduction Read - (Added with the 2406 service release)
Audit data Read
Certificate Connector Read
Cloud attached devices Take application actions
Cloud attached devices View applications
Cloud attached devices View client details
Cloud attached devices Run CMPivot query
Cloud attached devices View collections
Cloud attached devices Enroll Now
Cloud attached devices View resource explorer
Cloud attached devices Run script
Cloud attached devices View scripts
Cloud attached devices View software updates
Cloud attached devices View timeline
Corporate device identifiers Read
Customization Read
Derived Credentials Read
Device compliance policies Read
Device compliance policies View reports
Device configurations Read
Device configurations View reports
Device enrollment managers Read
Endpoint Analytics Read
Endpoint detection and response Read - (Added with the 2406 service release)
Endpoint protection reports Read
Enrollment programs Read device
Enrollment programs Read profile
Enrollment programs Read token
Filters Read
Managed apps Assign
Managed apps Read
Managed apps Wipe
Managed devices Read
Managed devices Set primary user
Managed devices Update
Managed devices View reports
Microsoft Defender ATP Read
Microsoft Store For Business Read
Mobile apps Assign
Mobile apps Read
Mobile Threat Defense Read
Organization Read
Partner Device Management Read
Policy Sets Read
Remote assistance connectors Read
Remote Help app Elevation
Remote Help app Take full control
Remote Help app View screen
Remote tasks Update cellular data plan
Remote tasks Clean PC
Remote tasks Initiate Configuration Manager action
Remote tasks Send custom notifications
Remote tasks Collect diagnostics
Remote tasks Disable lost mode
Remote tasks Enable lost mode
Remote tasks Enable Windows IntuneAgent
Remote tasks Get filevault key.
Remote tasks Recover MDM Key
Remote tasks Locate device
Remote tasks Manage shared device users
Remote tasks Run Remediation
Remote tasks Play sound to locate lost devices
Remote tasks Reboot now
Remote tasks Remote lock
Remote tasks Offer remote assistance
Remote tasks Reset passcode
Remote tasks Retire
Remote tasks Revoke App Licenses
Remote tasks Rotate BitLockerKeys (preview)
Remote tasks Rotate filevault key.
Remote tasks Set device name
Remote tasks Shut down
Remote tasks Sync devices.
Remote tasks Update device account
Remote tasks Windows defender
Remote tasks Wipe
Roles Read
Security baselines Read
ServiceNow View Incidents
Telecom expenses Read
Terms and conditions Read
Windows Enterprise Certificate Read

Endpoint Privilege Reader

Organizational Messages Readers can view Endpoint Privilege Management (EPM) policies in the Intune console.

Permission Action
Endpoint Privilege Management Policy Authoring Read
Endpoint Privilege Management Policy Authoring View reports
Organization Read

Intune Role Administrator

Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.

Permission Action
Organization Read
Roles Assign
Roles Create
Roles Delete
Roles Read
Roles Update