Deep dive into Role Based Access Control (RBAC) in Intune

Subject Matter Experts:
Microsoft
Do you have regional IT teams that work independently? This session talks about Role-based Access Control (RBAC), scope tags and how to use them in real-world scenarios. Build a delegated admin model and identify the Intune configurations that impact all users. Use RBAC to enable security, productivity and scalability in your org.
7 Replies

@Pallavi_Joshi I want to give admins that are scoped to certain devices the right to delete those devices.

Although when I apply Managed devices-->delete yes, this gives that role the option to delete devices, but it also gives access to "set device clean up rules" for the whole tenant. Can the "device clean-up rules" be denied in some way?

@Pallavi_Joshi What is the best way to dynamically add computers to Azure Device Groups that can be assigned to a scope tag? At our University we have two Configuration Manager Sites that will be joined to one tenant and are currently unsure if we can dynamically assign one Configuration Manager Site's systems to one dynamic group and the other Configuration Manager Site's systems to another dynamic group, assigned to their own scope tags for RBAC permissions.

@Tim_Wolf have you tried making a dynamic group with organizational unit? Or you could try display name if you have a naming convention for both sites.

(device.displayName -contains "Site1-computer1") or (device.organizationalUnit -contains "OU=1stfloor")
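The approach in the reply above, as an added example that is not from this thread: one dynamic device group per ConfigMgr site, built from the display-name convention, with the site's Intune scope tag assigned to that group. It assumes the Microsoft Graph PowerShell SDK, that a scope tag named after each site already exists, and that the beta `roleScopeTags/{id}/assign` action is used for the assignment (the assignment payload is taken from the beta API; verify it against current docs).

```powershell
# Added example (not the thread's own code). Requires the Microsoft.Graph module.
# Group.ReadWrite.All creates the dynamic groups; DeviceManagementRBAC.ReadWrite.All
# is needed to assign scope tags.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementRBAC.ReadWrite.All"

# Constructed sample: site name -> display-name prefix from the naming convention.
$sites = @{
    "Site1" = "Site1-"
    "Site2" = "Site2-"
}

# Scope tags are assumed to carry the site name as displayName (beta endpoint).
$allTags = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/roleScopeTags").value

foreach ($site in $sites.Keys) {
    $prefix = $sites[$site]

    # Same rule syntax as the reply above. -startsWith is used instead of -contains
    # so "Site1-" cannot match in the middle of a device name from another site,
    # which would silently put that device in the wrong admin scope.
    $rule = "(device.displayName -startsWith `"$prefix`")"

    $group = New-MgGroup -DisplayName "Intune-Devices-$site" `
        -MailEnabled:$false -MailNickname "intune-devices-$($site.ToLower())" `
        -SecurityEnabled `
        -GroupTypes "DynamicMembership" `
        -MembershipRule $rule `
        -MembershipRuleProcessingState "On"

    $tag = $allTags | Where-Object { $_.displayName -eq $site }
    if (-not $tag) { Write-Warning "No scope tag named '$site'; skipping"; continue }

    # Auto-assign the scope tag to every device that lands in the dynamic group.
    $body = @{
        assignments = @(
            @{
                "@odata.type" = "#microsoft.graph.roleScopeTagAutoAssignment"
                target = @{
                    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                    groupId = $group.Id
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/roleScopeTags/$($tag.id)/assign" `
        -Body $body
    Write-Host "Scope tag '$site' assigned to group $($group.DisplayName)"
}
```

After the groups are created, check membership with `Get-MgGroupMember` before handing the scoped role assignment to the site admins, since a device that matches neither rule is visible only to tenant-wide roles.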


@hotdogh2o thanks.  we can use the second query.  Does that show up once a system is co-managed?

@hotdogh2o Thanks for going through the video and posting the query. As you mentioned, the configuring of device cleanup rules should be allowed only to specific admins given their tenant-wide impact. Let me check if there are specific permissions for allowing/blocking its configuration.

@Pallavi_Joshi were you able to reproduce the same results in a test tenant when giving a user delete permissions on devices?

@Tim_Wolf - If you enable tenant attach in the ConfigMgr site, you can enable cloud sync for a collection. This will allow you to sync all hybrid AAD joined devices in that collection into an AAD security group. You can then assign an Intune scope tag to that security group.

Session Resources