Our customer has 60k entities in their AAD tenant and a single Microsoft contract. There are 5 operating companies (OpCo) under that umbrella. Admins in each OpCo needs to be able to manage just their users. I recall hearing about Administrative Units concept in AAD. Not sure if that helps with the InTune questions. Can anyone confirm or point me in the right direction. Best Regards, Tom
There are Role Based Access Controls in Intune that has great flexibility and control to ensure your administrators have the right permissions to perform their specific job and no more.
The RBAC includes at the top specific roles and role assignment with specific permissions, and one of the examples is the following URL Intune RBAC.
You can leverage the permissions with administrative units and central administrators to delegate permissions to regional administrators or to set policy at a granular level and is useful in organizations with independent teams/region/division.
For your organization, the first stage can be with Intune RBAC and after continue with AU administration.
Tip: Prepare a matrix for your admins, permissions required and list of roles they need and from this point, you will be able to provide the relevant delegation.