Deep dive into Role Based Access Control (RBAC) in Microsoft Intune

Hey, everyone. I am Pallavi Joshi. I am a program manager within the Intune engineering team, and today we are here to do a deep dive of role-based access control in Intune, so let's get started.

Today we'll be talking briefly about what Microsoft Endpoint Manager is to set some context. Then we'll be looking at role-based access control and scope tags to understand what they are and how they work together to provide a complete access control solution. We'll then take a look at a few scenarios, which will be very close to real-world examples, to demonstrate the use of Intune roles and permissions and scope tags so that you can get started by using them. We'll then focus on tenant-wide and delegated configurations in Intune to understand what they are and why they're really important. And in the last section, we look at how you can troubleshoot role-based access control in Intune using PowerShell. So let's get started.

Wherever you are in your cloud management journey, whether you are still thinking about using Intune or you're using co-management, or you've moved to the cloud completely, you need to start using Microsoft Endpoint Manager. It is your hub to unify security, apps and user experience, access and compliance across your entire technology estate. And because it can leverage Microsoft's powerful dataset, it also delivers intelligence and analytics to help you keep running costs down and also run your organization very smoothly. And we believe partners are key to success, and Endpoint Manager is also the integration point for the entire ecosystem.

So now that we have that context, let's start talking about role-based access control or, in short, RBAC. RBAC is a way to manage access to an organization's resources and also understand what users can do with those resources. To break it down, RBAC answers these three questions: who can access resources, what resources can they access, and what can they do with those resources?

You can start defining RBAC by answering these three questions. As an example, for the first question, you want your help desk operators to access resources. For the second question, you want your help desk operators to access devices. And for the third question, you want your help desk operators to be able to read devices and perform remote management of devices, but not delete devices from Intune management. So once these three questions are answered to identify that help desk operators can access devices and perform remote management on devices, all of this can be defined using a role in Intune. You can define permissions and assignments in a role that lets you bring all this information together.

So now let's talk about scope tags. We just talked about the three questions that RBAC answers. A scope tag answers the question of which objects an admin can see and, hence, also which objects admins cannot see. So going back to our previous example, we want help desk operators to be able to access devices of only the finance department. To achieve this, we would define a scope tag named Finance. In the same role that we created earlier for the help desk operator, we would add the scope tag, and we would also add the scope tag to the finance devices group. This would help us in managing what our help desk operators can see or view, and, hence, using a role and a scope tag, we can make sure that the right admins have the right access and visibility to the right Intune objects.

Now let's go to the Endpoint Manager portal and see what this looks like. I am logged in as an Intune admin in Endpoint Manager. I'll go to Devices, and then All devices. As you can see, I'm able to view a lot of devices, in fact, all the devices that are present in my tenant. Now I'll go to one of the devices, My_iPad, and I'm able to delete this device from Intune management. But we do not want our help desk operators to be able to perform all these actions, so let me go back and log in as Hally, who's the help desk operator. So Hally will go to Endpoint Manager. This is Hally's view. When Hally goes to All devices, you'll notice that she's able to view only one device instead of the multiple devices that were visible earlier. Her view is much cleaner, and she can be really productive with what she needs to do. This is because we are only showing devices that belong to the finance department. And if Hally goes to this device, you'll notice that Delete is disabled for her. This is because we do not want our help desk operators to be able to delete devices from Intune management.

So when I work with large enterprises with thousands of devices, RBAC enables admins to scope down the view to just a few hundred devices relevant for various departments like help desk, making it very secure and scalable to use. This not only prevents malicious users from accessing data, it also prevents honest users from causing accidental leaks.

Now that we know what RBAC is and what scope tags are, let's highlight a few business scenarios where we need them. If you have a global organization with operations spread across geographies or regions, or a company with various departments, then the policies applicable to a specific department or region might not be applicable to other regions or departments; hence, you need multiple admins in the organization so that you can delegate most of the differentiated tasks. And the only way to delegate that securely, such that your regions or departments do not access each other's policies and data not applicable to them, is using RBAC. For all these scenarios, if you want your regional or department admins to be productive by managing only the 100 apps applicable to them and not viewing 5,000 tabs in the organization, then that can be achieved using scope tags. These scope tags would enable them to view relevant objects and hide the ones they should not be looking at. And also, to be able to scale a central unified solution across all your regions or departments for easy manageability and cost effectiveness, you would want to be able to scale it out to various geographies. And, again, to enable you to achieve this delegation, you do need RBAC and scope tags, and, hence, there are multiple benefits in terms of security, productivity, and scalability when you start using role-based access control.

This slide lists the hierarchy of roles in Azure Active Directory. Azure Active Directory provides multiple roles for users to perform various tasks. It has a built-in role for Intune admin that provides the ability to manage users and devices and assign them to policies. Similarly, the conditional access administrator has the ability to manage conditional access policies. In addition to Azure AD roles, Intune provides various built-in roles, like policy manager and help desk operator, that can be used for managing various parts of Intune. You can also create custom roles besides the ones already present. The roles and scope tags that we just talked about, and that we'll be discussing in subsequent sections, all form a part of Intune roles and RBAC.

So now that we just talked about RBAC, scope tags, and why you need them, let's discuss a few scenarios. I'm taking an example of a fictitious hospital, but the scenarios are very close to real-world examples, to see RBAC in action. Contoso Healthcare is a private hospital catering to patients across various geographies. It has hospitals in Germany and Scotland. The hospitals in each country are independently managed by its admins to enable the doctors, nurses, and clinicians of their country. They have a central IT to manage identities in Office, and their role is to act as an enabler for country admins. Another point to note is that both the countries share the same Microsoft 365 tenant.

So in the first scenario, the central IT at Contoso Healthcare needs to provide access to country admins to Microsoft Endpoint Manager. The country admins should be able to manage enrollment, devices, and apps for users of their country, but they should not be able to manage these entities for the other country. It means that if you have Germany admins, they should be able to perform device and app management and enrollment only for Germany doctors and Germany nurses. They should not be able to do that for Scotland doctors or Scotland nurses, and vice versa. So let's see how we can achieve this in Microsoft Endpoint Manager.

So right now I'm logged into Microsoft Endpoint Manager as an Intune admin. To start creating roles, I need to go to Tenant administration, Roles, and All roles. Start by clicking on Create and adding a Name and Description, so let's call it Contoso Healthcare, Country Admins, and I'll give it the description Ignite. For the permissions, we need to provide permissions for enrollment profiles, so I'll set these toggles to Yes. Similarly, the country admin should also be able to perform device management, so I'll set all these toggles to Yes, which is Delete, Read, Set primary user, Update, and View reports. And, similarly, we want country admins to be able to perform complete app management as well, so I'll select Yes under Mobile apps. We'll also provide an additional Organization Read permission to country admins so that they can view key information.

Click on Next. I'll not change anything here. I'll review this information, so my country admins can perform complete management of enrollment program profiles, managed devices, and mobile apps, and we click on Create. So we have created a role now.

Let's now start creating scope tags. I create the first scope tag as Germany for the Germany admins. Under Assignments, I'll select Germany Devices. What this does is that all the devices that are part of this device group, that is Germany Devices, get assigned the scope tag automatically, so the Germany scope tag will automatically get assigned to all the devices that are part of this device group. We'll review all this information and click on Create. Similarly, we need to create one more scope tag for Scotland. And similar to the previous scope tag, I'll select Scotland Devices here. What this does, again, is that all the devices that are part of the Scotland Devices group get assigned the scope tag Scotland. Review this information and click on Create. So we've created scope tags, and we've created the role.

Now we need to do the most important part, which is adding assignments to this role. So I'm going back to the role that we just created, and I click on Assign. Let's call it Germany Assignment. Write the Name and Description. Under Admin Groups, select Germany Admins. What this does is that the permissions that we provided as part of this Intune role are all given to Germany Admins, so the Germany admins will be able to manage enrollment program profiles under that. They'll be able to manage devices and apps completely, because those are the permissions we provided in this role. In the next step, I'll select Germany Doctors and Germany Nurses. Now this is important. What this does is that any apps or policies that a Germany admin assigns can be assigned only to Germany Doctors and Germany Nurses. Germany admins cannot assign any apps or policies or profiles to any groups outside the ones defined here. And in the third step, we can select the scope tag that we just created. So adding the scope tag here essentially does two things. Firstly, Germany admins would be able to view any objects, whether devices or apps or policies or profiles, only when they have the scope tag Germany; they will not be able to view any objects which do not have the scope tag. And, secondly, any new apps or any new policies or profiles that Germany admins create will automatically get the scope tag assigned to them. And, hence, what we're essentially doing here is that we are creating this bubble or boundary for Germany admins so that they can assign only to a limited set of users, Germany Doctors or Germany Nurses, and they can assign or view only policies and profiles which have the scope tag Germany. I'll review this information for correctness, and we click on Create.

Very quickly, I'll create a similar assignment for Scotland. The process is the same. So we'll select Scotland Admins here; all the permissions that are defined in this role, Scotland Admins will get those permissions. And here, as you must have guessed by now, we'll select Scotland Doctors and Scotland Nurses, so any apps, policies, or profiles that Scotland admins need to assign, they can do it only for Scotland Doctors or Scotland Nurses. And, finally, we'll select the scope tag Scotland, so any new objects that Scotland admins create, or any objects that they need to view, whether they are apps, policies, or profiles, need to have the scope tag. Review this information, and we'll click on Create. So in this scenario, we saw the simple process of creating a role with assignments, permissions, and scope tags to ensure that our country admins get access to Microsoft Endpoint Manager.

Now that Germany admins have access to Microsoft Endpoint Manager, we want them to enable access for their doctors and nurses so they can enroll their iPads in Intune. Also, the enrollment profile created by Germany admins should apply only to Germany doctors and nurses, not to Scotland doctors and nurses. So let's go back to Microsoft Endpoint Manager to see how Germany admins can achieve this. So now we need to log in as a Germany admin to provide access to Germany doctors and nurses. I'll go to my profile for Germany admins. Garen is the Germany admin. Garen logs into Endpoint Manager. Now, to create enrollment profiles for iOS devices, Garen will go to iOS enrollment, go to Enrollment types, and start off by creating an enrollment type profile. Enter the Name and Description here. We leave the settings as is, and then we'll add Assignments. So, as you know, Garen is the Germany admin, but, mistakenly, Garen is selecting Scotland doctors and nurses to assign to the profile. Click on Next and Create. We see that the profile gets created, but there are errors: you don't have enough permissions to assign this profile to the selected groups. This is because in the role that we just defined, under Assignments, we defined that Germany admins can assign any sort of profiles or apps only to Germany doctors and nurses. They can't work outside the scope, and, hence, that assignment does not work. So Garen realizes the mistake, looking at the errors, and selects the Germany doctors and nurses instead of Scotland doctors and nurses, clicks on Save, and we notice that the profile gets saved. The assignments are still there. On the topic of enrollment, we also have sessions talking about managing Windows, Apple, and Android devices in Microsoft Endpoint Manager, so make sure you check them out as well.

Recently, as part of my engagement with one of the health care providers in the country, they were faced with a similar challenge. The way this health care provider is organized is that they have various boards underneath them, and each board is responsible for performing device and app management for its end users. During the outbreak of the COVID-19 pandemic, there was a requirement by this health care provider to enable shared iPads for their doctors, nurses, and patients. These shared iPads would be used by patients to connect to their families while in hospital, and they would be used by doctors to manage patient data. These shared iPads were meant to be used only by a specific board and meant to have a kiosk-type enrollment with only a few apps on the device. To ensure that the iPads were configured as per the requirements of this board without impacting other boards under this health care provider, we had to rely on roles and scope tags heavily to achieve the desired result. Scope groups provided us a way to reset the assignments of the profile for the doctors and patients part of the specific board and provided us strong security mechanisms in terms of access control.

So now let's look at our last scenario. The Germany doctors have now enrolled their iPads in Intune, but now they need the OneDrive app on these iPads to upload patient-related documents; hence, this app needs to be uploaded by Garen for Germany doctors, but not pushed out to Scotland doctors, since they use some other internal app for this purpose. Let's go back to Endpoint Manager. So now Garen goes back to Microsoft Endpoint Manager, and since Garen needs to add OneDrive for iPads, he starts off by searching the App Store, clicks on Select, and searches the App Store for OneDrive. Once he clicks on Select, the app information is already there. Now in the next step, we see that the scope tag Germany is automatically added for this app. This is because, as part of our role assignments, we had added the scope tags for Germany admins; hence, as we discussed at that time, any new apps that Germany admins add, or any new profiles that they add, get the scope tag automatically assigned, ensuring that they are still working in their boundary of the scope of Germany. Similarly, if you try to assign this app to Scotland doctors, it cleared it out. Also, we have another session about deploying Microsoft 365 mobile apps securely, so make sure you check that out for detailed information on this topic.

And so in this scenario, we were able to use the power of scope tags to ensure visibility of the right objects only to the right users. As I was mentioning earlier about these scenarios, to enable shared iPads during COVID-19 for a health care provider, we were able to leverage automatic scope tag assignment for apps for these shared iPads. And in these scenarios, we saw the simple process of defining a role with permissions and assignments and adding the right scope tags. We saw that these definitions can provide strong access control mechanisms and set you up on the right path for delegating various activities in a secure manner.

Now that we have talked about how to use RBAC and scope tags to tighten your security and how permissions in a role can be used to delegate certain tasks to regional or department admins, let's talk about tenant-wide and delegated configurations. During my discussion with the health care provider that I mentioned earlier, the central IT was working towards delegating as many tasks as possible to the board admins, but there were certain configurations where scope tags did not apply because they were singular in nature, and these configurations also impacted the entire tenant. Any configuration update would impact all the end users. So there was a central meeting with representation across boards to finalize configurations like device cleanup rules and app categories. Each board had its own requirements, and based on mutual discussions and end-user testing, these configurations were finalized. Since this was a central decision, it required a change management process to be put in place for any values to be updated for these configurations; hence, these configurations required the most diligence across the org, given their tenant-wide impact.

The list on this slide mentions all the configurations that have tenant-wide impact. For example, the Apple MDM Push certificate, the managed Google Play account, or the Microsoft Store for Business account will impact all the Apple, Android, and Windows enrollments across the entire tenant for all your end users. These configurations are the ones which, hence, require a consensus across all your admins. So this slide talks about the fact that tenant-wide configurations apply across the entire tenant, and, hence, the rest of the configurations that do not apply across the entire tenant are delegated configurations, like the ones we discussed earlier: device compliance policies, apps, configuration profiles, and so on, and these configurations can be delegated out to your regional admins. And this figure indicates exactly the same. So the important part is to identify tenant-wide configurations so they can be configured by central IT, and to also identify the remaining configurations that can be delegated to your regional admins. So, as I said, all the remaining configurations which are not part of the tenant-wide list form the delegated configurations. I mentioned this list, but it's not complete since it's huge, but a few examples include security baselines, policy sets, and so on. And in the previous sections, we saw how we can combine roles and scope tags to achieve this delegation for region and department admins. So in this section, we talked about configurations that have tenant-wide impact and also those that can be delegated. This differentiation would help you in getting started with your admins towards a successful deployment path.

In the last section, we use a PowerShell script to identify all the groups and roles a user is part of. To help in troubleshooting various permissions, the script also displays the list of effective permissions across all the roles for the user. So let's go to PowerShell to run the script. I have opened the script RBAC_UserStatus for troubleshooting. The script is already available on GitHub for you to download. It starts off by requiring me to authenticate. Once I do that, it will ask for a User Principal Name, so we query it for Garen, who was the Germany admin in our scenarios. So let's see what information this script shows. It starts off by showing user principal details and Azure AD group memberships for Garen. After that, it lists all the roles that are assigned to Garen. Most of the time when we use RBAC and scope tags, there are two kinds of issues: either the user has more permissions than they should have, or they have fewer permissions than required, and this is mostly because either their effective permissions have something extra or something less across various roles. So using the script, we can identify all the roles, all the admin groups, scope groups, and scope tags that are assigned as part of those roles to Garen. So besides listing permissions across each role, the script also shows all the effective permissions for the user. Once we do that, the user, the admins, can go back to the portal to make the required changes.

So that is pretty much it about the various sections. Let's just do a quick recap of what we discussed. We started off by talking about role-based access control and scope tags to understand what they are and why you really need them. We then looked at Microsoft 365 and Azure Active Directory roles. We discussed a few scenarios where we started using role-based access control in Intune to see how you can use your roles, permissions, assignments, and scope tags effectively for security, productivity, and scalability. After that, we looked at tenant-wide and delegated configurations to understand, again, what they mean and why they're really important and require the most diligence. And, finally, in the last section, we did troubleshooting using PowerShell to identify effective permissions for a user.

So from this session, I wanted to share two takeaways for you to remember. Firstly, as we saw in the initial sections, RBAC and scope tags enable strong security, productivity, and scalability in your endpoint management journey. And, secondly, identifying and implementing tenant-wide and delegated configurations would enable your regional IT to work independently. Thank you for your time during this session. This slide contains links to useful resources on the topic. We mentioned so many other learnings, so make sure you check them out at the video hub. And also, if you missed Brad's sessions, make sure you check them out as well. There is lots to learn, a lot of information and resources. Thanks a lot for your time during this session. I hope you enjoyed it and you start using RBAC after this. Bye.
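As an added example (not the session's RBAC_UserStatus script, which authenticates against a live tenant), the following PowerShell models the role assignments built in the first scenario offline and reproduces the two checks the session relies on: the effective-permission union across roles that the troubleshooting script reports, and the scope-group check that rejected Garen's Scotland assignment in the second scenario. The UPNs, permission labels, the Finance Users group and Garen's extra help desk membership are constructed assumptions, not data from the session.

```powershell
# Constructed tenant data. Permission labels mirror the portal's category/action
# toggles (Managed devices / Delete, Mobile apps / Assign, ...), not Graph identifiers.
$GroupMembers = @{
    'Germany Admins'      = @('garen@contoso.example')
    'Scotland Admins'     = @('scott@contoso.example')
    'Help Desk Operators' = @('garen@contoso.example', 'hally@contoso.example')  # assumed
}

$RoleDefinitions = @{
    'Contoso Healthcare Country Admins' = @(
        'EnrollmentPrograms_Read', 'EnrollmentPrograms_Update',
        'ManagedDevices_Delete', 'ManagedDevices_Read', 'ManagedDevices_SetPrimaryUser',
        'ManagedDevices_Update', 'ManagedDevices_ViewReports',
        'MobileApps_Assign', 'MobileApps_Create', 'MobileApps_Read', 'Organization_Read')
    'Help Desk Operator' = @('ManagedDevices_Read', 'RemoteTasks_RemoteLock')
}

# One entry per role assignment: the admin group that receives the role, the scope
# groups it may target, and the scope tag its objects carry (the three assignment steps).
$RoleAssignments = @(
    @{ Name = 'Germany Assignment'; Role = 'Contoso Healthcare Country Admins';
       AdminGroups = @('Germany Admins'); ScopeGroups = @('Germany Doctors', 'Germany Nurses'); ScopeTags = @('Germany') }
    @{ Name = 'Scotland Assignment'; Role = 'Contoso Healthcare Country Admins';
       AdminGroups = @('Scotland Admins'); ScopeGroups = @('Scotland Doctors', 'Scotland Nurses'); ScopeTags = @('Scotland') }
    @{ Name = 'Help Desk Assignment'; Role = 'Help Desk Operator';
       AdminGroups = @('Help Desk Operators'); ScopeGroups = @('Finance Users'); ScopeTags = @('Finance') }
)

# Assignments that apply to a user: any assignment whose admin group contains the UPN.
function Get-UserRoleAssignments {
    param([string]$Upn)
    $RoleAssignments | Where-Object {
        $assignment = $_
        $assignment.AdminGroups | Where-Object { $GroupMembers[$_] -contains $Upn }
    }
}

# Effective permissions are the union of the permissions of every assigned role.
function Get-EffectivePermissions {
    param([string]$Upn)
    $perms = foreach ($a in @(Get-UserRoleAssignments $Upn)) { $RoleDefinitions[$a.Role] }
    @($perms | Sort-Object -Unique)
}

# A target group is allowed only if some assignment for the user lists it as a scope group.
function Test-AssignmentTarget {
    param([string]$Upn, [string]$TargetGroup)
    $allowed = @(Get-UserRoleAssignments $Upn) | ForEach-Object { $_.ScopeGroups }
    [bool]($allowed -contains $TargetGroup)
}

# Diff the effective set against what the user is expected to hold, surfacing the
# "something extra" and "something less" cases the session describes.
function Compare-ToExpected {
    param([string]$Upn, [string[]]$Expected)
    $effective = Get-EffectivePermissions $Upn
    [pscustomobject]@{
        Extra   = @($effective | Where-Object { $_ -notin $Expected })
        Missing = @($Expected  | Where-Object { $_ -notin $effective })
    }
}

$garen = 'garen@contoso.example'
Get-UserRoleAssignments $garen | ForEach-Object { $_.Name }
Get-EffectivePermissions $garen
# Scenario 2: the mistaken Scotland target versus the intended Germany target.
Test-AssignmentTarget $garen 'Scotland Doctors'
Test-AssignmentTarget $garen 'Germany Doctors'
# The assumed help desk membership gives Garen a remote task permission outside the country admin role.
Compare-ToExpected $garen -Expected $RoleDefinitions['Contoso Healthcare Country Admins']
```

Replacing the three constructed tables with the group memberships, role definitions and role assignments read from the tenant turns the same functions into the per-user report the session's script produces.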