"Global Reader role is equivalent to Intune Helpdesk Operator" this statement is incorrect.

Recently we noticed in our tenant that a user with the Global Reader Azure AD role can perform many admin tasks like Retire, Restart, Wipe, Sync etc. for the devices in Intune.

We raised a ticket with Microsoft (Case #:33821025) and they said that "Global Reader role is equivalent to Intune Helpdesk Operator", and that is why the user is able to perform those tasks. They also provided the URL: https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control#custom-roles

Upon checking, we found that the user with the Global Reader role was also a member of the Intune Helpdesk Operator role, and that was the reason he was eligible to perform many admin tasks. Once we removed the user from the Intune Helpdesk Operator role assignment, all the options like Retire, Restart, Wipe, Sync got disabled.

I would request Microsoft to rectify the document as it will create confusion for many like us. 

GLOBAL READER ROLE IS NOT EQUIVALENT TO INTUNE HELPDESK OPERATOR.