Intune RBAC & Governance
A well-functioning Intune environment has three properties: admins can only touch what they own, policies land on the right devices, and the audit trail is clean. Most disorganized environments have the same root cause — everything deployed under a single scope, too many admins with full Intune Administrator rights, and no tagging taxonomy established before deployment began. This chapter addresses all three.
The Three-Layer Model
Intune delegation is built on three interlocking concepts. They must all be configured together — any one alone is incomplete.
| Layer | What It Controls | Configured In |
|---|---|---|
| Role | What actions an admin can perform (read, create, update, delete, remote actions) | Intune > Tenant administration > Roles |
| Role Assignment | Which admins get the role, and which scope tags they can see | Attached to each Role |
| Scope Tag | Which objects (devices, policies, apps) an admin can see and act on | Applied to each object |
The consequence: an admin with a role assignment scoped to Scope Tag: Finance can only see devices, policies, and apps tagged Finance — even if they have full permissions within that scope. A policy with no scope tag (or the default All Devices tag) is visible to every admin. A disorganized environment typically has most objects on All Devices and most admins at Intune Administrator — fix the tags first, then tighten the roles.
Scope Tag Taxonomy
Define the taxonomy before applying any tags. Retrofitting tags onto a live environment is possible but disruptive — policies reassigned to a new scope tag disappear from admins who had been managing them under All Devices.
Recommended Starting Taxonomy
| Scope Tag | Covers | Managed By |
|---|---|---|
All Devices (default) | Tenant-wide policies that apply to every device | Senior IT / Intune Owner |
IT-Operations | IT staff devices, admin workstations | IT Operations team |
Corporate-Standard | General workforce devices | Helpdesk / Level 2 |
Executives | Executive devices with tighter restrictions | Senior IT only |
Kiosk-Shared | Shared PC / kiosk devices | Helpdesk |
Adjust to match your organizational structure. The goal is that no scope tag covers more than one team's operational boundary — if two teams share a scope tag, one of them can accidentally modify or delete the other's work.
What Must Be Tagged
Every object that an admin manages must carry a scope tag. Objects with no explicit tag default to All Devices and are visible to all Intune-scoped admins. Work through this checklist after establishing your taxonomy:
| Object Type | Where to Apply Tags |
|---|---|
| Devices | Automatic via dynamic Entra group + scope tag assignment, or manual |
| Configuration profiles | Intune > Devices > Configuration > [profile] > Properties > Scope tags |
| Compliance policies | Intune > Devices > Compliance > [policy] > Properties > Scope tags |
| Apps (required and available) | Intune > Apps > All apps > [app] > Properties > Scope tags |
| Update rings | Intune > Devices > Windows > Update rings > [ring] > Properties > Scope tags |
| Scripts and remediations | Intune > Devices > Scripts > [script] > Properties > Scope tags |
Configuration profiles and compliance policies get tagged early; apps are often left on All Devices because they were deployed before the taxonomy existed. An Intune admin scoped to Corporate-Standard who cannot see the M365 Apps deployment cannot troubleshoot an app installation failure on a device they own. Audit app scope tags separately from policy scope tags.
Custom Roles
The built-in Intune Administrator role grants full read/write access across all devices, policies, and apps in the tenant. It is appropriate for the one or two people who own the Intune configuration — not for helpdesk staff or department-level admins. The three custom roles below cover the most common delegation scenarios.
Role: Helpdesk
Helpdesk staff need to remotely assist users and run device actions. They do not need to create or modify policies.
| Permission Category | Access |
|---|---|
| Managed devices | Read, Retire, Wipe, Sync, Reboot, Remote lock, Reset passcode, Update device category |
| Remote tasks | Remote lock, Sync, Reboot, Custom notifications |
| Apps | Read only |
| Policies / Configuration profiles | Read only |
| Reports | Read |
Role assignment scope: Corporate-Standard and Kiosk-Shared — not IT-Operations or Executives unless explicitly required.
Role: Policy Admin
Policy Admins own configuration profiles and compliance policies for their scope. They cannot deploy or modify apps and cannot perform device wipe or retire actions.
| Permission Category | Access |
|---|---|
| Managed devices | Read, Sync |
| Configuration profiles | Read, Create, Update, Delete, Assign |
| Compliance policies | Read, Create, Update, Delete, Assign |
| Scripts and remediations | Read, Create, Update, Delete, Assign |
| Apps | Read only |
| Remote tasks | Sync only |
Role: App Admin
App Admins manage the app catalog and deployment assignments. They cannot modify device compliance or configuration policies.
| Permission Category | Access |
|---|---|
| Apps | Read, Create, Update, Delete, Assign, Relate |
| App configurations | Read, Create, Update, Delete, Assign |
| App protection policies | Read, Create, Update, Delete, Assign |
| Managed devices | Read, Sync |
| Configuration profiles | Read only |
| Compliance policies | Read only |
Policy changes and app deployments affect every device in the assigned scope. Treat Policy Admin and App Admin as eligible roles in PIM rather than standing assignments — the same reasoning that applies to Entra roles applies here. Helpdesk is typically a standing assignment since remote actions need to happen without activation delays.
Scope Tags vs. Assignment Filters
These two features are frequently confused. They solve different problems and operate independently.
| Scope Tags | Assignment Filters | |
|---|---|---|
| Purpose | Controls admin visibility — which admins can see and manage an object | Controls policy targeting — which devices receive a policy |
| Applied to | The object (policy, app, device) | The policy assignment |
| Evaluated by | The Intune RBAC engine at admin login | The Intune policy evaluation engine at device check-in |
| Based on | Admin's role assignment | Device properties (OS, manufacturer, model, Entra group) |
| Effect if not set | Object visible to all admins (defaults to All Devices) | Policy targets every device in the assigned group |
In practice: Scope tags answer "who can manage this?" Assignment filters answer "which devices should get this?" A policy can have a scope tag of Corporate-Standard (only Corporate-Standard admins can edit it) and an assignment filter of device.manufacturer -eq "Microsoft" (only Surface devices receive it). These are orthogonal.
Common Filter Expressions
Assignment filters use OData-style syntax on device properties. Useful patterns:
| Use Case | Filter Rule |
|---|---|
| Target only Windows 11 | (device.osVersion -startsWith "10.0.22") |
| Exclude virtual machines | (device.model -ne "Virtual Machine") |
| Target a specific manufacturer | (device.manufacturer -eq "Microsoft") |
| Target Autopilot-enrolled devices | (device.enrollmentProfileName -eq "Autopilot-Corporate") |
| Combine conditions | (device.osVersion -startsWith "10.0.22") and (device.manufacturer -eq "Microsoft") |
A filter is applied on top of a group assignment — the device must be in the assigned group AND satisfy the filter. A filter that evaluates to false silently skips the assignment with no error in Intune. If a policy is not landing on a device, check both group membership and filter evaluation in the device's policy report.
Cleanup Checklist for Disorganized Environments
If scope tags were never established and most admins are at Intune Administrator, work through this sequence. Do not rush — reassigning scope tags on live policies causes temporary visibility gaps for affected admins.
-
Audit current admin roles. In Intune > Tenant administration > Roles > All roles > Assignments, list every admin and their current role. Identify anyone at Intune Administrator who should be at a narrower role.
-
Define your scope tag taxonomy. Agree on tags before creating any — changing a tag name after it is applied to 200 objects requires re-tagging all 200 objects manually.
-
Create the scope tags. Intune > Tenant administration > Roles > Scope (Tags) > Create.
-
Tag devices first. Assign scope tags to device groups using dynamic Entra groups where possible. Devices with no scope tag default to
All Devices. -
Tag policies, compliance policies, and update rings. Work through each profile in configuration, compliance, and update rings.
-
Tag apps. Audit the app catalog separately — apps are the most commonly missed.
-
Create custom roles using the permission sets above. Do not modify built-in roles; create new ones.
-
Create role assignments for each custom role, scoping each to the appropriate scope tags and admin groups.
-
Downgrade Intune Administrator standing assignments. Once custom roles are validated, convert full Intune Administrator grants to PIM-eligible assignments for the admins who genuinely need them, and remove the role from those who do not.
-
Validate. Sign in as a test account for each role and confirm the scope is correct — the right objects are visible, the right actions are available, and objects outside the scope are not visible.
📩 Don't Miss the Next Solution
Join the list to see the real-time solutions I'm delivering to my GCC High clients.