|
2 | 2 | title: Create and assign a custom role in Intune |
3 | 3 | description: Create and assign a custom role for a remote device manager. |
4 | 4 | services: microsoft-intune |
5 | | -author: BrenDuns |
| 5 | +author: brenduns |
6 | 6 | ms.author: brenduns |
7 | 7 | ms.topic: how-to |
8 | | -ms.date: 03/26/2019 |
| 8 | +ms.date: 10/16/2025 |
9 | 9 |
|
10 | 10 | ms.collection: |
11 | 11 | - M365-identity-device-management |
12 | 12 | --- |
13 | 13 |
|
14 | 14 | # Step 10: Create and assign a custom role |
15 | 15 |
|
16 | | -In this Intune topic, you'll create a custom role with specific permissions for a security operations department. Then you'll assign the role to a group of such operators. There are several default roles that you can use right away. But by creating custom roles like this one, you have precise access control to all parts of your mobile device management system. |
| 16 | +This article guides you through creating a custom role for Intune role-based access control (RBAC) that has specific permissions for a security operations department and assign the role to a group of such operators. When you assign Intune RBAC roles and follow the principles of least privilege access, your admins can perform tasks on only those users and devices that they should are empowered to manage. |
| 17 | + |
| 18 | +Although Intune includes several built-in RBAC roles that you can use right away, we recommend using the least-privileged role that can complete the task an administrator is expected to manage. This approach minimizes security risks and operational errors by avoiding over-privileged accounts like Global Administrator or Intune Administrator for routine work. |
17 | 19 |
|
18 | 20 | [!INCLUDE [intune-evaluate](../includes/intune-evaluate.md)] |
19 | 21 |
|
20 | 22 | If you don't have an Intune subscription, [sign up for a free trial account](free-trial-sign-up.md). |
21 | 23 |
|
22 | 24 | ## Prerequisites |
23 | 25 |
|
24 | | -- To complete this evaluation step, you must [create a group](quickstart-create-group.md). |
| 26 | +To complete this evaluation step, you must have a group with at least one user. Creating a group is covered in [Step 3 - Create a group](quickstart-create-group.md) of this evaluation guide. |
25 | 27 |
|
26 | 28 | ## Sign in to Intune |
27 | 29 |
|
28 | | -Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as the built-in **[Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator)** Microsoft Entra role. |
| 30 | +Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) using an account that is assigned the Microsoft Entra role of **[Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator)**. |
29 | 31 |
|
30 | | -If you created an Intune Trial subscription, the account that created the subscription is a Microsoft Entra [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator). |
| 32 | +However, if this is a new trial subscription, sign in with the account that created the subscription, which is a Microsoft Entra [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator). |
31 | 33 |
|
32 | 34 | > [!CAUTION] |
33 | 35 | > [!INCLUDE [global-admin](../includes/global-admin.md)] |
34 | 36 |
|
35 | 37 | ## Create a custom role |
36 | 38 |
|
37 | | -When you create a custom role, you can set permissions for a wide range of actions. For the security operations role, we'll set a few Read permissions so that the operator can review a device's configurations and policies. |
| 39 | +When you create a custom role, you can set permissions for a wide range of actions. For the security operations role, you'll enable *Read* permissions for a few categories so that the operator can review a device's configurations and policies. |
| 40 | + |
| 41 | +1. In the Intune admin center, go to **Tenant administrator** > **Roles**, and select **Create**. From the drop-down box, select **Intune role**. The *Add Custom Role* workflow opens. |
| 42 | +  |
| 43 | + |
| 44 | +2. On the **Basics** page: |
| 45 | + - For Name, enter *Security operations*. |
| 46 | + - For **Description**, enter *This role lets a security operator monitor device configuration and compliance information.* |
| 47 | + Select **Next** to continue. |
| 48 | + |
| 49 | +3. On the **Permissions** page, expand the *Corporate device identifiers* category and set *Read* to **Yes**: |
| 50 | +  |
| 51 | + |
| 52 | + After configuring Read for Corporate device identifiers, expand the following additional categories, and make the same configuration; setting *Read* to **Yes**. |
| 53 | + |
| 54 | + - *Device compliance policies* |
| 55 | + - *Device configurations* |
| 56 | + - *Organization*. |
| 57 | + |
| 58 | + After the four categories are configured, select **Next** to continue. |
| 59 | + |
| 60 | +4. On **Scope tags**, select **Next**. You don't need to configure scope tags for this evaluation scenario. |
38 | 61 |
|
39 | | -1. In Intune, choose **Roles** > **All roles** > **Add**. |
40 | | - |
41 | | -2. Under **Add custom role**, in the **Name** box, enter *Security operations*. |
42 | | -3. In the **Description** box, enter *This role lets a security operator monitor device configuration and compliance information.* |
43 | | -4. Choose **Configure** > **Corporate device identifiers** > **Yes** next to **Read** > **OK**. |
44 | | - |
45 | | -5. Choose **Device compliance policies** > **Yes** next to **Read** > **OK**. |
46 | | -6. Choose **Device configurations** > **Yes** next to **Read** > **OK**. |
47 | | -7. Choose **Organization** > **Yes** next to **Read** > **OK**. |
48 | | -8. Choose **OK** > **Create**. |
| 62 | +5. On **Review + Create**, select *Create*. Intune creates the custom role, which now appears on the **Intune roles | All roles** page of the admin center, with a **Type** of *Custom Intune role*. |
49 | 63 |
|
50 | 64 | ## Assign the role to a group |
51 | 65 |
|
52 | | -Before your security operator can use the new permissions, you must assign the role to a group that contains the security user. |
| 66 | +1. Sign in to the Microsoft Intune admin center and go to **Tenant administration** > **Roles** > **All roles**. |
| 67 | + |
| 68 | +2. On the **Intune roles - All roles** page, select the custom role you created, **Security operations** to open the roles *Overview*. Select **Assignments** and then select **Assign**. |
| 69 | + |
| 70 | +  |
| 71 | + |
| 72 | +3. On the **Basics** page, for Name enter *Sec ops*, and then select **Next** to continue. |
| 73 | + |
| 74 | +4. On the **Admin Groups** page, select **Add groups** and then choose a group that contains the users you want to assign the roles permissions to. If you created the **Contoso Testers** group in [Step 3](quickstart-create-group.md) of this evaluation guide, select that group. |
| 75 | + |
| 76 | + After adding a group, choose **Select**, and then **Next** to continue to the next page of the workflow. |
| 77 | + |
| 78 | +5. On the **Scope Groups** page, select **Add groups** and then add the same group you added in the previous step. As before, choose **Select**, and then **Next** to continue to the next page of the workflow. |
| 79 | + |
| 80 | +6. On **Scope tags**, select **Next**. You don't need to configure scope tags for this evaluation scenario. |
| 81 | + |
| 82 | +7. On the **Review + Create** page, when you're done, select **Create**. |
53 | 83 |
|
54 | | -1. In Intune, choose **Roles** > **All roles** > **Security operations**. |
55 | | -2. Under **Intune roles**, choose **Assignments** > **Assign**. |
56 | | -3. In the **Assignment name** box, enter *Sec ops*. |
57 | | -4. Choose **Member (Groups)** > **Add**. |
58 | | -5. Choose the **Contoso Testers** group. |
59 | | -6. Choose **Select** > **OK**. |
60 | | -7. Choose **Scope (Groups)** > **Select groups to include** > **Contoso Testers**. |
61 | | -8. Choose **Select** > **OK** > **OK**. |
| 84 | + The new assignment is displayed in the list of assignments. |
62 | 85 |
|
63 | 86 | Now everyone in the group is a member of the *Security operations* role and can review the following information about a device: corporate device identifiers, device compliance policies, device configurations, and organization information. |
64 | 87 |
|
65 | 88 | ## Clean up resources |
66 | 89 |
|
67 | | -If you don't want to use the new custom role anymore, you can delete it. Choose **Roles** > **All roles** > choose the ellipses next to the role > **Delete**. |
| 90 | +If you don't want to use the new custom role anymore, you can delete it. In the admin center, got to **Tenant administration** > **Roles** > **All roles**, locate the role and select the ellipses (...) to the left of the roles description, and then select **Delete**. |
68 | 91 |
|
69 | 92 | ## Next steps |
70 | 93 |
|
71 | | -In this quickstart, you created a custom security operations role and assigned it to a group. For more information about roles in Intune, see [Role-based administration control (RBAC) with Microsoft Intune](role-based-access-control.md) |
| 94 | +In this evaluation step, you created a custom security operations role and assigned it to a group. For more information about roles in Intune, see [Role-based administration control (RBAC) with Microsoft Intune](role-based-access-control.md) |
72 | 95 |
|
73 | 96 | To continue to evaluate Microsoft Intune, go to the next step: |
74 | 97 |
|
|
0 commit comments