Oct 03 2018 03:07 PM
Hello,
Our customer has 60k entities in their AAD tenant and a single Microsoft contract. There are 5 operating companies (OpCo) under that umbrella. Admins in each OpCo needs to be able to manage just their users. I recall hearing about Administrative Units concept in AAD. Not sure if that helps with the InTune questions. Can anyone confirm or point me in the right direction.
Best Regards,
Tom
Oct 03 2018 03:33 PM
Hi Tom,
There are Role Based Access Controls in Intune that has great flexibility and control to ensure your administrators have the right permissions to perform their specific job and no more.
The RBAC includes at the top specific roles and role assignment with specific permissions, and one of the examples is the following URL Intune RBAC.
You can leverage the permissions with administrative units and central administrators to delegate permissions to regional administrators or to set policy at a granular level and is useful in organizations with independent teams/region/division.
For your organization, the first stage can be with Intune RBAC and after continue with AU administration.
Tip: Prepare a matrix for your admins, permissions required and list of roles they need and from this point, you will be able to provide the relevant delegation.
Eli.
Oct 03 2018 05:37 PM
Thank you. This is exactly what I was looking for.
Best Regards,
Tom
Oct 07 2018 01:40 PM
Adding to Eli's reply you can also use Scope Tags in Intune to filter which policies certain roles can see. https://docs.microsoft.com/en-us/intune/scope-tags