One thing that is important when working with IT infrastructure is to set the right level of permissions for the right people. Principle of least privilege is a good rule of thumb to follow, also in Microsoft Endpoint Manager.
It’s quite easy to just say that “okay, all admins gets the administrator role” which make everyone equal. But is it a good idea? No.
Microsoft Endpoint Manager (MEM) has a quite extensive Role Based Access Control (RBAC) function built in, and there are also Azure roles which applies to MEM. There is also the possibility to create your own custom roles if you want to define the roles yourself, or if you want to limit one of the built in.
Why use RBAC?
There is a simple answer to this. Improve security. Granting admin permissions to everyone administrating the system isn’t necessary. Your level of permissions should be related to what task you are performing. A Help Desk operator does not have the same needs as a third level support engineer; hence they should not have the same level of access.
Aiming for the principle of least privilege when looking at how to administrate MEM is important and implementing it at an early stage so that you assign roles accordingly.
For certain scenarios, there might be a need for users to have additional levels of access, being able to elevate Intune admin for example through Privileged Identity Management (PIM) but having a less privileged access as their normal level. Please note however, that PIM is an Azure AD P2 feature which you will need to make sure you are licensed for (it’s included in EMS and M365 E5 license SKU, but not in the E3 SKU).
Quick and dirty setup
So how to get going? One efficient way of doing it, which I like, is to firstly identify what roles you have in your organization and then map out what roles they should have. I prefer doing this in Excel, just listing the roles and then look at what Azure AD roles are related to MEM and then add the built in MEM roles. Then just simply add an X on who should have what roles. As you see in the example down below, some operational roles have several X in their row.
This should be adopted towards your organization and roles named what you are calling them.
Update: You can find my example Excel here.
Can I use PIM?
Using PIM, especially for admin roles should be a default when you are setting this up. You will need additional licenses, but you will not need this for all users only your admin users.
For Azure AD you can use PIM without any hassle, it’s easy to setup and you can set it to automatic approvals. Have look at this Microsoft Docs article on how to do it!
I would suggest having PIM for all roles which are called admin, so for MEM specific roles that is the Intune Administrator role and the Azure AD Joined Device Local Administrator role, but there are additional roles related to this area.
When it comes to using PIM on MEM specific roles, this isn’t as straight forward. You will need to take a different approach. PIM for Intune roles could be argued how beneficial this is, but it does improve security and resilience. However, you need to use a preview feature for this called Privileged Access Groups which is a part of PIM, and you will need to make sure to enable your Azure AD group for role assignment when creating it (this can’t be added creating the group). The people over at MSEndpointManager.com have create a great guide about how to set this up.
But in short what you need to do is to create a group which is enabled for Azure AD roles assignment.
Then enable Privileged Access on the group you created to add it to PIM.
Then you can assign your role in MEM to this group.
In this example I’m assigning PIM to my Help Desk Operator role.
Doing this, you could potentially enable PIM for all your MEM roles. I would however not use PIM for roles which are read only roles.
There are a bunch of built-in roles in MEM which covers most scenarios. However, there might be instances where you need to tweak this a little bit. A good example of this is the Remote Help role which I wrote about in my previous post. Remote Help might be useful for people who are not working in Intune as part of their daily job, this could be application specific support personal for example who don’t need access in MEM but have the need to remotely support their users.
Getting RBAC in place at an early stage will simplify operations and getting the right permissions for everyone involved down the line, and you will decrease misshappenings. Or just simply shadow IT doing their own thing in your controlled environment without change control or the approvals from the governance forums.