Direct Group Ownership Permissions for Nerdio Manager

Note: This article does not cover the use of permissions in Nerdio Manager outside of the Unified Endpoint Management (UEM) feature.

Customers making use of Nerdio Manager's UEM feature may need the ability to restrict the groups to which Nerdio Manager has access. By default, group management activities in UEM make use of the permissions discussed below.

Manage/Edit Functions

These permissions are used to:

  • Create and manage groups for Intune deployment of Unified Application Management (UAM) applications.

  • View and edit the group membership of users and devices in UEM.

  • Assign AVD hosts to specific Entra ID groups as part of host creation.

Group.ReadWrite.All

GroupMember.ReadWrite.All

The above permissions are assigned by selecting Manage for the selectors shown below.

To assign Manage/Edit function permissions:

  1. Navigate to Settings > Azure environment.

  2. In the Intune (Unified Endpoint Management) tile, select the current status, either Disabled or Enabled, to manage the Intune settings.

  3. In the Configurable Features section, set the following to Manage:

    • Group membership

    • Intune Applications and App policies

  4. Once you have set the proper permissions, select Save.

Read Functions

These permissions are used to:

  • View the group membership of users and devices in UEM.

GroupMember.Read.All

The above permission is assigned by selecting Read-only for the selector shown below.

To assign Read function permissions:

  1. Navigate to Settings > Azure environment.

  2. In the Intune (Unified Endpoint Management) tile, select the current status, either Disabled or Enabled, to manage the Intune settings.

  3. In the Configurable Features section, set the following to Read-only:

    • Group membership

  4. Once you have set the proper permissions, select Save.

Restricting Entra ID Group Management Permissions - Overview

Customers who do not wish to grant the permissions listed above can still perform management activities against a set of specified groups by granting the Nerdio Manager application ownership permissions on the target groups. Nerdio Manager is then able to perform the activities shown below for any groups for which ownership has been assigned.

  • View and edit the group membership of users and devices in UEM.

  • Assign AVD hosts to specific Entra ID groups as part of host creation.

The following feature is not supported in this configuration:

  • Create and manage groups for Intune deployment of UAM applications.

How to Restrict Entra ID Group Management Permissions

The following steps allow you to restrict Entra ID group management permissions.

To assign ownership to the required Entra ID groups:

  1. From the Intune Admin center, select Groups and then select the desired group.

  2. In the Manage section, select Owners.

  3. In the central section, select Add Owners.

  4. In the pop-up, select Enterprise applications and then choose your Nerdio Manager application as the owner.

  5. Repeat this process for any groups for which Nerdio Manager should be assigned ownership.

    Notes:

    • This process may also be performed directly in the Entra ID portal. Nerdio Manager can also be added as an owner during the Entra ID group creation process.

    • Enterprise applications can only be made owner of Entra ID security groups.
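
After switching to the ownership model, it is worth confirming that the tenant-wide group permissions are no longer granted and that every intended group actually lists the application as an owner. The following is an added example, not Nerdio's code: it audits data shaped like Microsoft Graph group objects (`displayName`, `securityEnabled`), with an assumed `owners` list of object IDs merged in; the function name, IDs, group names, and sample permissions are constructed.

```python
# Added example: offline audit of the owner-based (restricted) configuration.
# All IDs, group names, and granted permissions below are constructed samples.

# Tenant-wide Graph application permissions named in this article.
TENANT_WIDE = {
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "GroupMember.Read.All",
}

def audit_group_ownership(sp_id, granted_permissions, groups):
    """Return (still_granted, status_by_group).

    sp_id: object ID of the Nerdio Manager enterprise application.
    granted_permissions: application permission names currently granted to it.
    groups: Graph-style group dicts, each with an 'owners' list of object IDs.
    """
    # Any overlap means the app can still reach groups it does not own.
    still_granted = sorted(TENANT_WIDE & set(granted_permissions))
    status = {}
    for group in groups:
        name = group["displayName"]
        if sp_id in group.get("owners", []):
            status[name] = "owned"
        elif not group.get("securityEnabled", False):
            # Enterprise applications can only own security groups.
            status[name] = "not-a-security-group"
        else:
            status[name] = "owner-missing"
    return still_granted, status

SP_ID = "00000000-0000-0000-0000-0000000000aa"       # constructed
OTHER_OWNER = "00000000-0000-0000-0000-0000000000bb"  # constructed
SAMPLE_GRANTED = ["User.Read.All", "GroupMember.Read.All"]
SAMPLE_GROUPS = [
    {"displayName": "AVD-Hosts-Prod", "securityEnabled": True,
     "owners": [SP_ID, OTHER_OWNER]},
    {"displayName": "UEM-Pilot-Devices", "securityEnabled": True,
     "owners": [OTHER_OWNER]},
    {"displayName": "Marketing-M365", "securityEnabled": False, "owners": []},
]

if __name__ == "__main__":
    leftover, report = audit_group_ownership(SP_ID, SAMPLE_GRANTED, SAMPLE_GROUPS)
    print("Tenant-wide permissions still granted:", leftover or "none")
    for name, state in report.items():
        print(f"{name}: {state}")
```
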
