In-Depth Guide to Managing Roles and Compliance Policies in Microsoft Intune.

By /

In-Depth Guide to Managing Roles and Compliance Policies in Microsoft Intune

Key Takeaway

Use Intune’s Role-Based Access Control (RBAC) to give administrators only the rights they need and deploy compliance policies to ensure every device meets security rules before it accesses company resources.

1. Understanding RBAC in Intune

Role-Based Access Control (RBAC) is a way to manage permissions by assigning roles to people or groups. Each role bundles specific actions with defined scope. RBAC helps you:

  • Streamline access by grouping related permissions.
  • Apply least privilege, so users can only do what they must.
  • Simplify administration, making onboarding or changes faster by adjusting roles instead of individual rights.

1.1 Components of a Role

  1. Permissions
    • Define exact actions an admin can take (create, read, update, delete).
    • Permissions map to Intune operations such as deploying apps, configuring policies, or viewing reports.
  2. Scope Tags
    • Label resources (devices, users, configurations) with tags.
    • Roles can only manage resources matching their assigned tags.
    • Example: Tag Windows devices in “Europe” so Europe support can only see those.
  3. Assignments
    • Link a role to users or groups.
    • Each assigned group inherits the permissions and scope of the role.
    • You can assign multiple groups to one role or vice versa.

2. Types of Roles in Intune

2.1 Built-In Roles

Microsoft provides a set of fixed roles for common admin tasks. These cannot be changed but cover most scenarios:

  • Intune Administrator: Full control over all Intune features.
  • Policy and Profile Manager: Create and manage device configuration and compliance profiles.
  • Application Manager: Deploy and manage mobile apps and software updates.
  • Endpoint Security Manager: Configure and monitor security settings like firewall and antivirus.
  • Help Desk Operator: Wipe, lock, or reset device passwords; limited policy viewing.
  • Read-Only Operator: View all settings and reports without making changes.
  • School Administrator: Tailored for educational scenarios, with rights to manage student devices and apps.
  • Endpoint Privilege Manager: Control local admin rights and elevation for managed endpoints.

2.2 Custom Roles

When built-in roles don’t fit your needs, create custom roles:

  • Define only needed permissions to enforce least privilege.
  • Use scope tags to limit access by geography, department, or device type.
  • Fine-tune assignments so each team gets exactly the rights they require.

3. How to Assign Roles

  1. Sign in to the Intune Admin Center at https://intune.microsoft.com.
  2. In the left menu, select Tenant administration, then Roles and All roles.
  3. Click the role name (built-in or custom) you want to assign.
  4. Choose Assignments, then click + Assign. Basics page
    • Give the assignment a clear name and description.
    • This helps track why the role was granted.
    Admin Groups page
    • Click Add groups.
    • Select the Azure AD groups whose members receive the role.
    Scope (Groups) page
    • Add device or user groups the role can manage.
    • Ensures admins only see relevant objects.
    Scope (Tags) page
    • Choose scope tags to further restrict visibility.
  5. Review all settings and click Create.

This process ties specific people to a defined set of actions on a defined set of resources.

4. Creating a Custom Role

  1. Go to Tenant administration → Roles → All roles → Create.
  2. Basics page
    • Enter a name that reflects the function (e.g., “Mobile App Deployer”).
    • Type a description explaining the role’s purpose.
  3. Permissions page
    • Browse the list of granular permissions.
    • Check the boxes for only those tasks this role should do, such as:
      • Deploy apps
      • Read device compliance reports
      • Update device configurations
  4. Scope (Tags) page
    • Assign tags that mark which devices or users this role can touch.
    • Example: Tag “HR” for HR devices only.
  5. Review + Create
    • Confirm name, permissions, and tags.
    • Click Create to add the role to your tenant.

Custom roles help you align Intune access with your org’s structure and security policies.

5. Compliance Policies Overview

Compliance policies set rules a device must meet to be marked “compliant.” Compliant devices can access resources; noncompliant ones can be blocked or remediated.

5.1 Why Compliance Policies Matter

  • They protect corporate data by enforcing security baselines.
  • They trigger Conditional Access decisions in Entra ID.
  • They monitor device health and security posture.

5.2 Supported Platforms

  • Windows 10/11
  • macOS
  • iOS/iPadOS
  • Android Enterprise (fully managed, work profile, COPE)
  • Android Open Source Project (AOSP)
  • Linux distributions like Ubuntu and Red Hat

5.3 Common Compliance Settings

  • Password requirements (length, complexity, lockout)
  • Device encryption (BitLocker, FileVault)
  • Minimum OS version to patch vulnerabilities
  • Jailbreak/root detection to block compromised devices
  • Threat level via Defender for Endpoint or third-party MTD
  • Device health checks for firewall, antivirus, and security agents

6. Integration with Conditional Access

When a device reports as noncompliant, Conditional Access policies in Microsoft Entra ID can:

  • Block sign-in to email or apps.
  • Require a compliant device before granting access.
  • Combine with App Protection policies for added data loss prevention.
  • Invoke mobile threat defense to block high-risk devices.

This layered approach ensures only secure, healthy devices connect to corporate resources.

7. Creating and Assigning a Compliance Policy

  1. Sign in to https://intune.microsoft.com.
  2. In the left menu, select Devices, then choose a platform (e.g., Windows).
  3. Click Compliance policies, then + Create policy. Platform page
    • Pick the device OS (Windows, macOS, iOS, Android, or Linux).
    Settings page
    • Configure rules like:
      • Password length ≥ 6 characters, complexity on.
      • Encryption required.
      • OS version at least Windows 10 22H2.
      • No jailbroken or rooted devices.
      • Defender threat level low or none.
    Assignments page
    • Select user or device groups to target.
    Actions for noncompliance page
    • Define what happens when a device fails:
      • Send an email to the user.
      • Mark device noncompliant.
      • Lock device or retire it after a grace period.
  4. Review all settings, then click Create.

Once assigned, Intune evaluates devices against the policy and reports compliance status.

8. Exam Focus Points

  • Define compliance policy: Know its purpose and components.
  • List supported platforms: Windows, macOS, iOS, Android, Linux.
  • Show policy creation steps: From choosing platform to actions on noncompliance.
  • Explain RBAC: Describe roles, scope tags, assignments, and how they enforce least privilege.
  • Describe Conditional Access integration: How compliance feeds into access control.

This guide covers the depth you need to plan, implement, and manage roles and compliance in Intune.

LinkedInCopyPinterestRedditTelegram

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by
Scroll to Top