Today we are happy to announce new role-based access control (RBAC) capabilities in Microsoft Endpoint Manager. Starting in Configuration Manager version 2207, you can use Intune RBAC when interacting with tenant-attached devices from the Microsoft Endpoint Manager admin center.
What we heard
We heard quite a bit of feedback from organizations and the community when it comes to tenant attach. As we analyzed this feedback, we identified gaps, including the lack of RBAC within tenant attach. Specifically, when organizations enabled tenant attach, they noted that viewers had "too much access" and "too much control."
Why this matters
Based on diagnostic data, we know that roughly 35 million devices are tenant attached today. We also recognize that security is top of mind. Our aim is therefore to give organizations more flexibility while raising security as they adopt tenant attach and take further steps toward the cloud. Based on your feedback, we took action to realize the "least privilege" pillar of Zero Trust for tenant attach functionality. This latest feature addition fully enables Azure Active Directory-only administrative users to manage tenant-attached endpoints from the Endpoint Manager admin center without any need for an on-premises AD account.
Enablement (get started)
We have added a few new settings to the Configuration Manager admin console as well as to the Endpoint Manager admin center so you can take advantage of the new security configuration for tenant attach device administrators. To get started, enable the following settings:
In your Configuration Manager console, go to the Administration workspace.
Expand Cloud Services, select Cloud Attach, and open Properties for CoMgmtSettingsProd by selecting it and choosing Properties from the ribbon bar or the right-click context menu.
On the Configure upload page, in the Role-based Access Control section near the bottom, enable the option Enforce Configuration Manager RBAC for cloud console requests that interact with Configuration Manager.
Screenshot of how to configure role based access control
In the Endpoint Manager admin center, navigate to Home > Tenant admin > Connectors and tokens. Select the purple banner to open a flyout, shown in the image below, where you can enable the Intune RBAC capability. To jump straight to that page in the admin center, visit https://aka.ms/enablecloudrbac.
Screenshot of where to turn on the settings of RBAC
When you navigate to the Roles area of the Endpoint Manager admin center, there is a new section for Cloud attached devices. This section gives you new options that let you control which data administrative users can view, and which actions they can run, on tenant-attached devices. Want to jump straight to this section of the admin center? Visit https://aka.ms/memroles.
Toggle options for turning on or off Cloud attached devices
We hope you enjoy this enhanced security for tenant attached devices. If you have questions, concerns, or feedback, please leave them in the Comments below.